Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1466182
MD5:	e3e6cf9bb53c398d2f75398923f91c11
SHA1:	9af3600fd9befae3aa830e80d9fb2f513c100ab4
SHA256:	eb55557a69adf16683fbc5f5fd822d8c3e338298a98e0769bdec8a7c5787a75d
Tags:	exe
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Powershell download and execute

Yara detected Vidar stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 6132 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E3E6CF9BB53C398D2F75398923F91C11)

RegAsm.exe (PID: 6188 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 4768 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 264 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199707802586", "https://t.me/g067n"], "Botnet": "93851f7e951a018e4f54b8ea574c0810"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 6132	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 6132	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 6132	Molerats_Jul17_Sample_5	Detects Molerats sample - July 2017	Florian Roth	0x6cdd:$x1: powershell.exe -nop -c "iex 0x6d04:$a1: Net.WebClient).DownloadString 0x7203:$a1: Net.WebClient).DownloadString
Process Memory Space: RegAsm.exe PID: 6188	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6188	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: RegAsm.exe PID: 6188	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.file.exe.48ab00.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.48ab00.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.3f0000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://49.13.159.121:9000/vcruntime140.dllh/Q	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/softokn3.dllEdge	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/MW	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/vcruntime140.dllrsaenh.dllE	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/softokn3.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/vcruntime140.dlltQ	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/(	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/freebl3.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/freebl3.dll7	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/0	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/mozglue.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121/	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/B	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/D	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/KD	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/nss3.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/msvcp140.dll0.15;	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/sqlt.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/vcruntime140.dllets	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/msvcp140.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/nss3.dlloft	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/softokn3.dll2	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/soft	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199707802586	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/softokn3.dllL	Avira URL Cloud: Label: malware
Source: https://t.me/g067n	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/l	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/msvcp140.dll~	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/msvcp140.dllEdge	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/freebl3.dllAppData	Avira URL Cloud: Label: malware
Source: https://49.13.159.121:9000/ss3.dll	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199707802586", "https://t.me/g067n"], "Botnet": "93851f7e951a018e4f54b8ea574c0810"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: I8S%
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: usernameField
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: a GX Stable
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: uctName
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: layVersion
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: sktop\
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: F783D5D3EF8C*
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: T=@?VDX;W:R1J )M$
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: #5EG P%:{
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: ystemInfo
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: 304FDQ8L\h$
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: %hu/%hu
Source: 1.2.RegAsm.exe.400000.0.raw.unpack	String decryptor: ero\wallet.k9ys

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00407E41 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_00407E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041302D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	1_2_0041302D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00407DC2 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_00407DC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040AB80 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA,	1_2_0040AB80

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49725 version: TLS 1.2

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\labzvp8d\output.pdb source: file.exe
Source:	Binary string: C:\labzvp8d\output.pdb' source: file.exe
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00462D95 FindFirstFileExW,	0_2_00462D95
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046317F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_0046317F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00409FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00409FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00401443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	1_2_00401443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040C039 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040C039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004164C7 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	1_2_004164C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040BC98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00416D7D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	1_2_00416D7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	1_2_0040D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040C6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004177D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	1_2_004177D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041738D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	1_2_0041738D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_004169EC GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,

1_2_004169EC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199707802586
Source: Malware configuration extractor	URLs: https://t.me/g067n

Source: global traffic

TCP traffic: 192.168.2.5:49726 -> 49.13.159.121:9000

Source: global traffic

HTTP traffic detected: GET /g067n HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121
Source: unknown	TCP traffic detected without corresponding DNS query: 49.13.159.121

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_004058C4 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

1_2_004058C4

Source: global traffic

HTTP traffic detected: GET /g067n HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: t.me

Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121/
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367482660.0000000001117000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/(
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/0
Source: RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/B
Source: RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/D
Source: RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/KD
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/MW
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/freebl3.dll
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/freebl3.dll7
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/freebl3.dllAppData
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/l
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/mW
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/mozglue.dll
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/msvcp140.dll
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/msvcp140.dll0.15;
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/msvcp140.dllEdge
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/msvcp140.dll~
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/nss3.dll
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/nss3.dlloft
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/soft
Source: RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/softokn3.dll
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/softokn3.dll2
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/softokn3.dllEdge
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/softokn3.dllL
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/sqlt.dll
Source: RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/ss3.dll
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367482660.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dll
Source: RegAsm.exe, 00000001.00000002.3367482660.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dllets
Source: RegAsm.exe, 00000001.00000002.3367482660.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dllh/Q
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dllrsaenh.dllE
Source: RegAsm.exe, 00000001.00000002.3367482660.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000/vcruntime140.dlltQ
Source: RegAsm.exe, 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:900024
Source: RegAsm.exe, 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000a4f35rosoft
Source: RegAsm.exe, 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000a4f35txtft
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000al
Source: RegAsm.exe, 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000alMicrosoft
Source: RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://49.13.159.121:9000ming
Source: GIIIEC.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: GIIIEC.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: GIIIEC.1.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: GIIIEC.1.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: GIIIEC.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: GIIIEC.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: GIIIEC.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199707802586
Source: file.exe, 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199707802586hellosqlt.dllsqlite3.dll
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: file.exe, 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g067n
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g067n4G
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g067nNG
Source: file.exe, 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/g067nry1neMozilla/5.0
Source: RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: GIIIEC.1.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: GIIIEC.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49725 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00413160 memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

1_2_00413160

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: file.exe PID: 6132, type: MEMORYSTR

Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046A00C	0_2_0046A00C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043E184	0_2_0043E184
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045C2FF	0_2_0045C2FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043C2A6	0_2_0043C2A6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043C5EE	0_2_0043C5EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00452595	0_2_00452595
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043E5A5	0_2_0043E5A5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043C945	0_2_0043C945
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043E9D5	0_2_0043E9D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A9E4	0_2_0045A9E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044C98E	0_2_0044C98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041EC10	0_2_0041EC10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00468CE3	0_2_00468CE3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043CC8D	0_2_0043CC8D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043D01B	0_2_0043D01B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043D3B8	0_2_0043D3B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044D461	0_2_0044D461
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044F4E0	0_2_0044F4E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401550	0_2_00401550
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043D746	0_2_0043D746
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_003F3770	0_2_003F3770
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004778F0	0_2_004778F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044FA10	0_2_0044FA10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043DAAB	0_2_0043DAAB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044FE50	0_2_0044FE50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043DE1F	0_2_0043DE1F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00423FD4	0_2_00423FD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041ECEC	1_2_0041ECEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041E919	1_2_0041E919
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041EEC1	1_2_0041EEC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041F6CF	1_2_0041F6CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC64CF0	1_2_1FC64CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC512A8	1_2_1FC512A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC52AA9	1_2_1FC52AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FDB9CC0	1_2_1FDB9CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5292D	1_2_1FC5292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC81C50	1_2_1FC81C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC52018	1_2_1FC52018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD79A20	1_2_1FD79A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD05940	1_2_1FD05940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC51C9E	1_2_1FC51C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD0D6D0	1_2_1FD0D6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCF9690	1_2_1FCF9690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5D4C0	1_2_1FC5D4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FDB9430	1_2_1FDB9430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC53580	1_2_1FC53580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCE53B0	1_2_1FCE53B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FE2D209	1_2_1FE2D209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD75040	1_2_1FD75040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC69000	1_2_1FC69000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC8CE10	1_2_1FC8CE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC78D2A	1_2_1FC78D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD54A60	1_2_1FD54A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5C800	1_2_1FC5C800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC51EF1	1_2_1FC51EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC78763	1_2_1FC78763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCB4760	1_2_1FCB4760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCE8760	1_2_1FCE8760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC78680	1_2_1FC78680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD90480	1_2_1FD90480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC53AB2	1_2_1FC53AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCD8120	1_2_1FCD8120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCD0090	1_2_1FCD0090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD78030	1_2_1FD78030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5290A	1_2_1FC5290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC7BAB0	1_2_1FC7BAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5251D	1_2_1FC5251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC87810	1_2_1FC87810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC83370	1_2_1FC83370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5F160	1_2_1FC5F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5174E	1_2_1FC5174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCB2EE0	1_2_1FCB2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC96E80	1_2_1FC96E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FE2AEBE	1_2_1FE2AEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC519DD	1_2_1FC519DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5EA80	1_2_1FC5EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5AA40	1_2_1FC5AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD369C0	1_2_1FD369C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD4A940	1_2_1FD4A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD6A900	1_2_1FD6A900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5481D	1_2_1FC5481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC53E3B	1_2_1FC53E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD8E800	1_2_1FD8E800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC666C0	1_2_1FC666C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD4A590	1_2_1FD4A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC7A560	1_2_1FC7A560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC547AF	1_2_1FC547AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC5209F	1_2_1FC5209F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCDA0B0	1_2_1FCDA0B0

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00458C74 appears 33 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0041C798 appears 117 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00446D18 appears 32 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0041D150 appears 67 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0041C7CB appears 76 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1FC53AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1FE306B1 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1FC51F5A appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1FC5395E appears 81 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00404239 appears 287 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1FC51C2B appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 1FC5415B appears 173 times

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 264

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Process Memory Space: file.exe PID: 6132, type: MEMORYSTR

Matched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/13@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0041246A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

1_2_0041246A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_004129BF CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,VariantClear,

1_2_004129BF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\F53RW6MZ.htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6132

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a27284b7-27eb-4a5d-b9da-f4aa1a349191

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: CAEHJE.1.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT name, value FROM autofill;

Source: file.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 264
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\labzvp8d\output.pdb source: file.exe
Source:	Binary string: C:\labzvp8d\output.pdb' source: file.exe
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, sqlt[1].dll.1.dr

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_0041B050 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0041B050

Source: sqlt[1].dll.1.dr

Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041C766 push ecx; ret	0_2_0041C779
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041D1A0 push ecx; ret	0_2_0041D1B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00421EF5 push ecx; ret	1_2_00421F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC51BF9 push ecx; ret	1_2_1FDF4C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC510C8 push ecx; ret	1_2_1FE53552

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqlt[1].dll

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_0041B050

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqlt[1].dll

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

API coverage: 6.3 %

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00462D95 FindFirstFileExW,	0_2_00462D95
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046317F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_0046317F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00409FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00409FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00401443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,	1_2_00401443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040C039 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040C039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004164C7 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,	1_2_004164C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040BC98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00416D7D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	1_2_00416D7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,	1_2_0040D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0040C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040C6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004177D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	1_2_004177D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041738D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	1_2_0041738D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_004169EC GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,

1_2_004169EC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00411F21 GetSystemInfo,wsprintfA,

1_2_00411F21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: KEGCBK.1.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: KEGCBK.1.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367264206.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: KEGCBK.1.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: KEGCBK.1.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: KEGCBK.1.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: KEGCBK.1.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: KEGCBK.1.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegAsm.exe, 00000001.00000002.3367264206.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: KEGCBK.1.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: KEGCBK.1.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: KEGCBK.1.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: KEGCBK.1.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: KEGCBK.1.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: KEGCBK.1.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: KEGCBK.1.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: KEGCBK.1.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: KEGCBK.1.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: KEGCBK.1.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: KEGCBK.1.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: KEGCBK.1.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: KEGCBK.1.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: KEGCBK.1.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: KEGCBK.1.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: KEGCBK.1.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: KEGCBK.1.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: KEGCBK.1.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

graph_1-91501

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00462799 IsDebuggerPresent,

0_2_00462799

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_0041B050

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A686 mov eax, dword ptr fs:[00000030h]	0_2_0045A686
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A4DF mov eax, dword ptr fs:[00000030h]	0_2_0045A4DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A565 mov eax, dword ptr fs:[00000030h]	0_2_0045A565
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A522 mov eax, dword ptr fs:[00000030h]	0_2_0045A522
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A5C0 mov eax, dword ptr fs:[00000030h]	0_2_0045A5C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A6CA mov eax, dword ptr fs:[00000030h]	0_2_0045A6CA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A70E mov eax, dword ptr fs:[00000030h]	0_2_0045A70E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045A73F mov eax, dword ptr fs:[00000030h]	0_2_0045A73F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004557D9 mov ecx, dword ptr fs:[00000030h]	0_2_004557D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0041ACF3 mov eax, dword ptr fs:[00000030h]	1_2_0041ACF3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

1_2_004058C4

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004469C1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004469C1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041CEEF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041CEEF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041D07F SetUnhandledExceptionFilter,	0_2_0041D07F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041D1B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041D1B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00421C0B memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00421C0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00423DCD SetUnhandledExceptionFilter,	1_2_00423DCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0042224F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0042224F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC542AF SetUnhandledExceptionFilter,	1_2_1FC542AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC52C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_1FC52C8E

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: file.exe PID: 6132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6188, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FF018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00FF018D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004138BA CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,FindCloseChangeNotification,		1_2_004138BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004137BD CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		1_2_004137BD

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 425000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 643000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D42008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041CBB5 cpuid

0_2_0041CBB5

Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00458672
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00458803
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoEx,FormatMessageA,	0_2_003FE9AF
Source: C:\Users\user\Desktop\file.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00466F54
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_0046714F
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_0045912E
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_004671F6
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_0046725F
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_004672FA
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00467385
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_004675D8
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00467701
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00467807
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoEx,	0_2_0041B80D
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_004678D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	1_2_00411D31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	1_2_1FC52112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	1_2_1FC52112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	1_2_1FE2FF17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	1_2_1FC5298C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041CDC4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0041CDC4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_00411BEC GetProcessHeap,HeapAlloc,GetUserNameA,

1_2_00411BEC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00462067 GetTimeZoneInformation,

0_2_00462067

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.48ab00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.48ab00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6188, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 6188, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.48ab00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.48ab00.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6188, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCCDFC0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_mprintf,sqlite3_bind_text,sqlite3_step,sqlite3_reset,	1_2_1FCCDFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCD1FE0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FCD1FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC65C70 sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	1_2_1FC65C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCCDB10 sqlite3_initialize,sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	1_2_1FCCDB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD7D9E0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_1FD7D9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCF5910 sqlite3_mprintf,sqlite3_bind_int64,	1_2_1FCF5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD2D610 sqlite3_free,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FD2D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCF55B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FCF55B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD714D0 sqlite3_bind_int64,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_1FD714D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD7D4F0 sqlite3_bind_value,sqlite3_log,sqlite3_log,sqlite3_log,	1_2_1FD7D4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD0D3B0 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FD0D3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCF51D0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FCF51D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCE9090 sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_errmsg,sqlite3_mprintf,	1_2_1FCE9090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC80FB0 sqlite3_result_int64,sqlite3_result_double,sqlite3_result_int,sqlite3_prepare_v3,sqlite3_bind_int64,sqlite3_step,sqlite3_column_value,sqlite3_result_value,sqlite3_reset,	1_2_1FC80FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD34D40 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	1_2_1FD34D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC88CB0 sqlite3_bind_zeroblob,	1_2_1FC88CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC88970 sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	1_2_1FC88970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC64820 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,sqlite3_initialize,	1_2_1FC64820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCA06E0 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	1_2_1FCA06E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC78680 sqlite3_mprintf,sqlite3_mprintf,sqlite3_initialize,sqlite3_finalize,sqlite3_free,sqlite3_mprintf,sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_int64,	1_2_1FC78680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCA8550 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_reset,	1_2_1FCA8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC88430 sqlite3_bind_int64,	1_2_1FC88430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCC8200 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,	1_2_1FCC8200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD34140 sqlite3_bind_int64,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_initialize,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	1_2_1FD34140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC87810 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_1FC87810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD337E0 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FD337E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FD13770 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FD13770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC7B400 sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,sqlite3_reset,sqlite3_step,sqlite3_reset,sqlite3_column_int64,	1_2_1FC7B400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCAEF30 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	1_2_1FCAEF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FC666C0 sqlite3_mprintf,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_bind_value,sqlite3_free,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_1FC666C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCCA6F0 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_bind_value,	1_2_1FCCA6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCBE200 sqlite3_initialize,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	1_2_1FCBE200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCCE170 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	1_2_1FCCE170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_1FCBE090 sqlite3_bind_int64,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	1_2_1FCBE090

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	511 Process Injection	1 Masquerading	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	511 Process Injection	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	12 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	44 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	37%	ReversingLabs	ByteCode-MSIL.Infostealer.Kysler
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqlt[1].dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://www.sqlite.org/copyright.html.	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://web.telegram.org	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://49.13.159.121:9000a4f35rosoft	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/vcruntime140.dllh/Q	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/softokn3.dllEdge	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199707802586hellosqlt.dllsqlite3.dll	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/MW	100%	Avira URL Cloud	malware
https://t.me/	0%	Avira URL Cloud	safe
https://49.13.159.121:900024	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/vcruntime140.dllrsaenh.dllE	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/softokn3.dll	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/vcruntime140.dlltQ	100%	Avira URL Cloud	malware
https://49.13.159.121:9000alMicrosoft	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/(	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/freebl3.dll	100%	Avira URL Cloud	malware
https://49.13.159.121:9000	100%	Avira URL Cloud	malware
https://t.me/g067n4G	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/freebl3.dll7	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/0	100%	Avira URL Cloud	malware
https://t.me/g067nry1neMozilla/5.0	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/mozglue.dll	100%	Avira URL Cloud	malware
https://49.13.159.121/	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/B	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/D	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/KD	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/nss3.dll	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/msvcp140.dll0.15;	100%	Avira URL Cloud	malware
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/sqlt.dll	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/vcruntime140.dllets	100%	Avira URL Cloud	malware
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/msvcp140.dll	100%	Avira URL Cloud	malware
https://49.13.159.121:9000a4f35txtft	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/nss3.dlloft	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/softokn3.dll2	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/soft	100%	Avira URL Cloud	malware
https://steamcommunity.com/profiles/76561199707802586	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/softokn3.dllL	100%	Avira URL Cloud	malware
https://t.me/g067n	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/l	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/msvcp140.dll~	100%	Avira URL Cloud	malware
https://49.13.159.121:9000ming	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/msvcp140.dllEdge	100%	Avira URL Cloud	malware
https://49.13.159.121:9000al	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/vcruntime140.dll	100%	Avira URL Cloud	malware
https://49.13.159.121:9000/freebl3.dllAppData	100%	Avira URL Cloud	malware
https://t.me/g067nNG	0%	Avira URL Cloud	safe
https://49.13.159.121:9000/ss3.dll	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
t.me	149.154.167.99	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199707802586	true	Avira URL Cloud: malware	unknown
https://t.me/g067n	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	GIIIEC.1.dr	false	Avira URL Cloud: safe	unknown
https://t.me/	RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://49.13.159.121:9000a4f35rosoft	RegAsm.exe, 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	GIIIEC.1.dr	false	Avira URL Cloud: safe	unknown
https://web.telegram.org	RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199707802586hellosqlt.dllsqlite3.dll	file.exe, 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://49.13.159.121:9000/MW	RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:900024	RegAsm.exe, 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://49.13.159.121:9000/vcruntime140.dllh/Q	RegAsm.exe, 00000001.00000002.3367482660.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/softokn3.dllEdge	RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/vcruntime140.dlltQ	RegAsm.exe, 00000001.00000002.3367482660.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	GIIIEC.1.dr	false	URL Reputation: safe	unknown
https://49.13.159.121:9000/softokn3.dll	RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://t.me/g067n4G	RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://49.13.159.121:9000alMicrosoft	RegAsm.exe, 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://49.13.159.121:9000	RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/(	RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/vcruntime140.dllrsaenh.dllE	RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/freebl3.dll	RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/freebl3.dll7	RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	GIIIEC.1.dr	false	URL Reputation: safe	unknown
https://49.13.159.121:9000/0	RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121/	RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/mozglue.dll	RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://t.me/g067nry1neMozilla/5.0	file.exe, 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://49.13.159.121:9000/KD	RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.sqlite.org/copyright.html.	RegAsm.exe, 00000001.00000002.3370980408.0000000019EFA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.1.dr	false	URL Reputation: safe	unknown
https://49.13.159.121:9000/B	RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/D	RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/msvcp140.dll0.15;	RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/nss3.dll	RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	GIIIEC.1.dr	false	Avira URL Cloud: safe	unknown
https://49.13.159.121:9000/sqlt.dll	RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/vcruntime140.dllets	RegAsm.exe, 00000001.00000002.3367482660.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/softokn3.dll2	RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	GIIIEC.1.dr	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.5.dr	false	URL Reputation: safe	unknown
https://49.13.159.121:9000/msvcp140.dll	RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000a4f35txtft	RegAsm.exe, 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	GIIIEC.1.dr	false	URL Reputation: safe	unknown
https://49.13.159.121:9000/nss3.dlloft	RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/soft	RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	GIIIEC.1.dr	false	URL Reputation: safe	unknown
https://49.13.159.121:9000/	RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367482660.0000000001117000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/softokn3.dllL	RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/mW	RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://49.13.159.121:9000/l	RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/msvcp140.dll~	RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000ming	RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://49.13.159.121:9000/msvcp140.dllEdge	RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/vcruntime140.dll	RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3367482660.00000000010F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000al	RegAsm.exe, 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://49.13.159.121:9000/ss3.dll	RegAsm.exe, 00000001.00000002.3367456921.00000000010D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://49.13.159.121:9000/freebl3.dllAppData	RegAsm.exe, 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	GIIIEC.1.dr	false	URL Reputation: safe	unknown
https://t.me/g067nNG	RegAsm.exe, 00000001.00000002.3367264206.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
49.13.159.121	unknown	Germany		24940	HETZNER-ASDE	false
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466182
Start date and time:	2024-07-02 16:39:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/13@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 71 Number of non-executed functions: 241
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
10:40:08	API Interceptor	1x Sleep call for process: WerFault.exe modified
10:40:16	API Interceptor	1x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
49.13.159.121	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	pDHKarOK2v.exe	Get hash	malicious	CryptOne, Vidar	Browse
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse
149.154.167.99	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	vSlVoTPrmP.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	RO67OsrIWi.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	KeyboardRGB.exe	Get hash	malicious	Unknown	Browse	t.me/cinoshibot
	file.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99
	pDHKarOK2v.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	149.154.167.99
	https://clicktime.cloud.postoffice.net/clicktime.php?U=https%3A%2F%2Ftelegra.ph%2FDavis-Insurance-Agency-LLC-06-28&E=kgarber%40woodlandsbank.com&X=XID311CFbwQP1837Xd1&T=WDLP&HV=U,E,X,T&H=3a14786ee7a8dd2b0305ef5dd961d4108cbfaf34	Get hash	malicious	Unknown	Browse	149.154.167.99
	zyJWi2vy29.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer, Vidar, zgRAT	Browse	149.154.167.99
	56bDgH9sMQ.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	vjYcExA6ou.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99
	pDHKarOK2v.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	https://telegrambot-resolved.pages.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	149.154.167.99
	Cheat.malware_exe.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Cheat.malware_exe.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://clicktime.cloud.postoffice.net/clicktime.php?U=https%3A%2F%2Ftelegra.ph%2FDavis-Insurance-Agency-LLC-06-28&E=kgarber%40woodlandsbank.com&X=XID311CFbwQP1837Xd1&T=WDLP&HV=U,E,X,T&H=3a14786ee7a8dd2b0305ef5dd961d4108cbfaf34	Get hash	malicious	Unknown	Browse	149.154.167.99
	zyJWi2vy29.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer, Vidar, zgRAT	Browse	149.154.167.99
	Kh7W85ONS7.exe	Get hash	malicious	AsyncRAT, DarkTortilla, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	56bDgH9sMQ.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
HETZNER-ASDE	hkLFB22XxS.exe	Get hash	malicious	FormBook	Browse	135.181.212.206
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	49.13.159.121
	pDHKarOK2v.exe	Get hash	malicious	CryptOne, Vidar	Browse	49.13.159.121
	https://he110ca11he1lpn0wwb112.pages.dev/	Get hash	malicious	TechSupportScam	Browse	195.201.57.90
	https://serviceca11he1pn0waa12.pages.dev/	Get hash	malicious	TechSupportScam	Browse	195.201.57.90
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse	49.13.159.121
	http://www.midoregon.com	Get hash	malicious	Unknown	Browse	188.40.16.190
	lQC7IiMNX1.elf	Get hash	malicious	Mirai	Browse	46.4.110.33
	MT103-7543324334.exe	Get hash	malicious	Remcos	Browse	138.201.150.244
	file.exe	Get hash	malicious	FormBook	Browse	135.181.212.206

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	FmQx1Fw3VA.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	149.154.167.99
	config.lnk.mal.lnk	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	149.154.167.99
	invoicepast.pdf.lnk.mal.lnk	Get hash	malicious	ScreenConnect Tool	Browse	149.154.167.99
	Invoice-UPS-218931.pdf.lnk.mal.lnk	Get hash	malicious	Unknown	Browse	149.154.167.99
	IF10339.pdf.lnk.mal.lnk	Get hash	malicious	Unknown	Browse	149.154.167.99
	Video%20HD%20%281080p%29.lnk.mal.lnk	Get hash	malicious	Unknown	Browse	149.154.167.99
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99
	1Bj6BoXV3z.exe	Get hash	malicious	CobaltStrike	Browse	149.154.167.99
	pDHKarOK2v.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	Revised Invoice 7389293.vbs	Get hash	malicious	GuLoader, Remcos	Browse	149.154.167.99

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqlt[1].dll	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	pDHKarOK2v.exe	Get hash	malicious	CryptOne, Vidar	Browse
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse
	zyJWi2vy29.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer, Vidar, zgRAT	Browse
	56bDgH9sMQ.exe	Get hash	malicious	Vidar	Browse
	vjYcExA6ou.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	2E7ZdlxkOL.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse
	S8co1ACRdn.exe	Get hash	malicious	CryptOne, Vidar	Browse
	M9dfZzH3qn.exe	Get hash	malicious	CryptOne, Vidar	Browse
	5IRIk4f1PO.exe	Get hash	malicious	CryptOne, Vidar	Browse

Created / dropped Files

C:\ProgramData\GIIIECBGDHJJ\CAEHJE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GIIIECBGDHJJ\EBKEHJ

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GIIIECBGDHJJ\GHDHJE

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GIIIECBGDHJJ\GIIIEC

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GIIIECBGDHJJ\IJKKEH

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GIIIECBGDHJJ\JJJKFB

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GIIIECBGDHJJ\KEGCBK

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	modified
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_50842b9be826d8ed7939945d23cf3e974f7f0c4_56460358_2c7f8a6a-34e8-4b3b-a34b-55f9ed7afc39\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7034535032856252
Encrypted:	false
SSDEEP:	192:m6hMDlvMPliBti50c20AE3jGGzuiFfZ24IO8ThB:72MNibiac20jjHzuiFfY4IO8r
MD5:	ACF27D4D1C066AEB19362C7426E7F269
SHA1:	01E8F9567523F3C36908A3816BFA2BCC406DC6F9
SHA-256:	70BD6C7A6FEBE84197E89C554F90ED3645DE536EF227E91C06118513FE880100
SHA-512:	D0CD2145774644FF85C62A6AA8CFAE5C4BA463DF7CBA5B26C08725045735E0F610F0AA02C9E7135E95F1E6E869AA38DB21FF9CA944BDB21197B8735067FF0EC7
Malicious:	true
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.4.0.4.8.0.6.5.0.6.9.0.0.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.4.0.4.8.0.6.9.6.0.0.2.0.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.c.7.f.8.a.6.a.-.3.4.e.8.-.4.b.3.b.-.a.3.4.b.-.5.5.f.9.e.d.7.a.f.c.3.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.9.8.7.4.b.6.f.-.7.d.6.3.-.4.1.a.4.-.a.a.c.3.-.5.1.9.d.a.3.c.5.0.a.d.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.f.4.-.0.0.0.1.-.0.0.1.4.-.9.3.4.9.-.e.4.b.a.8.d.c.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.9.a.f.3.6.0.0.f.d.9.b.e.f.a.e.3.a.a.8.3.0.e.8.0.d.9.f.b.2.f.5.1.3.c.1.0.0.a.b.4.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.7.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF16E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Jul 2 14:40:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	56628
Entropy (8bit):	1.7180446861231489
Encrypted:	false
SSDEEP:	192:VayxegrxtOjhlRRLcUWiSTqwjClFTk/L75do/DbwWd:EGeWitlRBVSTQ8oD0
MD5:	992B32F54EB63146BDBC90576EF593A0
SHA1:	E58C548A267CBB410D5DE838FEAF7C0BA63ACC49
SHA-256:	116AD52BDB2B0A22AC090F39C315B0E8A294F11753DF440DB0C885385465395D
SHA-512:	32F832A8A67D593BB865D97D426EE29AE76E36D8A7D670D7BFA4B68B5D6C631AE70454933FA07290EEB2822B241A91915162DB93082AE9B4ED264C1DD32515B5
Malicious:	false
Preview:	MDMP..a..... .......F..f........................0...............b$..........T.......8...........T...............D...........,...........................................................................................eJ..............GenuineIntel............T...........E..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF269.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8260
Entropy (8bit):	3.6880040100876146
Encrypted:	false
SSDEEP:	192:R6l7wVeJiCw6RR6YEIySU955gmfBWbizFpDy89bs/RsfbEm:R6lXJ26n6YEdSU955gmf8Wzbs/Kf9
MD5:	725829EA971D320A82445618ED5C5923
SHA1:	72CEDB71C794DE62732ECB962D20223FB5EBB9D7
SHA-256:	2D4B0DD90CDDAC2C9B5DEF76DB34C42E180E1F3D8DED892C9C7F72E02568D5E0
SHA-512:	BFB70B663AE1491668ED101C99630D904992784F52D3A9D4E0059460A5B326FB060A79D5FBA648D37289185BA9399555FE9E7CB42C7D66BA1CDD8A27484534CD
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF299.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	4.425967680517592
Encrypted:	false
SSDEEP:	48:cvIwWl8zshJg77aI9LgWpW8VYGYm8M4JNtFxV+q8+NSfh8y5d:uIjfzI71Z7VuJdYfh95d
MD5:	18E0016373781FC08FC963AB4BE952EF
SHA1:	7E6189C0CC51AA7214C816A4ECFB57C2161E1E17
SHA-256:	4332DBCF0CE0468797A69F0C963668B3AD79018040E7EB63349CAC1ED7390D43
SHA-512:	810868773E1233D989827852C1191CA67E789299EF51E95A6B3C8CA11E23BF4C1A764B80D851F97D6F408E39355BC09C69551029378586DA168DDB3D0AEBF11E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="393462" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqlt[1].dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2459136
Entropy (8bit):	6.052474106868353
Encrypted:	false
SSDEEP:	49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
MD5:	90E744829865D57082A7F452EDC90DE5
SHA1:	833B178775F39675FA4E55EAB1032353514E1052
SHA-256:	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
SHA-512:	0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: pDHKarOK2v.exe, Detection: malicious, Browse Filename: 1719859269.0326595_setup.exe, Detection: malicious, Browse Filename: zyJWi2vy29.exe, Detection: malicious, Browse Filename: 56bDgH9sMQ.exe, Detection: malicious, Browse Filename: vjYcExA6ou.exe, Detection: malicious, Browse Filename: 2E7ZdlxkOL.exe, Detection: malicious, Browse Filename: S8co1ACRdn.exe, Detection: malicious, Browse Filename: M9dfZzH3qn.exe, Detection: malicious, Browse Filename: 5IRIk4f1PO.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4\|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4213212996406455
Encrypted:	false
SSDEEP:	6144:NSvfpi6ceLP/9skLmb0OT+WSPHaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw:0vloT+W+EZMM6DFy403w
MD5:	2BC1F7B211A0DCFFEBFA04B27A55B639
SHA1:	7040A99F1ECFB0F77F450562191B031674BFADE2
SHA-256:	EFA30DC27BB45F5FA25D0CB5C393FA685B13E3FF0A8149B7F340F204958231A2
SHA-512:	3600BED193785AB10A7E63389D42F2EC7DF5CA888FA1CC06848168910748DB3FE3D16B4F54FA2F0C81EFEC88901B41E4798C15A77259A657AB31AA9DFFED7C06
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmN`9.................................................................................................................................................................................................................................................................................................................................................ef/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.16709868413272
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	863'744 bytes
MD5:	e3e6cf9bb53c398d2f75398923f91c11
SHA1:	9af3600fd9befae3aa830e80d9fb2f513c100ab4
SHA256:	eb55557a69adf16683fbc5f5fd822d8c3e338298a98e0769bdec8a7c5787a75d
SHA512:	75d0c835d0777d144c7cc716e468b2424568a3e281e5acf4011c292598af4b5e0f2a0569ac35f9a3819937a8c33c0119633e215f80b903fb195e878c1269a74f
SSDEEP:	24576:Cl1oXdQCg30l6InUuV5731ALRnpCNeTYeV:sDEkInUuVBkpCNcYA
TLSH:	0505AE1135C0803AD77321320AA8F6B68ABEF5741B286ADF17D85A7E9F346C15B3125F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........~...-...-...-\..,...-\..,&..-\..,...-Mb.,...-Mb.,...-\..,...-...-...-Mb.,...-\|a.,...-\|a.,...-\|a.-...-\|a.,...-Rich...-.......

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x42c36a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6683FC77 [Tue Jul 2 13:11:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	a2b3c9bb8bf21aa189ddce7cb05111e0

Entrypoint Preview

Instruction
call 00007F3E71342677h
jmp 00007F3E713419ECh
cmp ecx, dword ptr [0049A040h]
jne 00007F3E71341BD3h
ret
jmp 00007F3E71342A2Fh
jmp 00007F3E71342D14h
push ebp
mov ebp, esp
jmp 00007F3E71341BDFh
push dword ptr [ebp+08h]
call 00007F3E7137D415h
pop ecx
test eax, eax
je 00007F3E71341BE1h
push dword ptr [ebp+08h]
call 00007F3E7136E0F5h
pop ecx
test eax, eax
je 00007F3E71341BB8h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007F3E71342D0Ch
jmp 00007F3E71342CE9h
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F3E71342CD9h
pop ecx
pop ebp
ret
mov dword ptr [ecx], 0048A520h
ret
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000001h
push esi
mov esi, ecx
mov dword ptr [esi], 0048A520h
je 00007F3E71341BDCh
push 0000000Ch
push esi
call 00007F3E71341BA6h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F3E71341BEBh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F3E71341BDCh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F3E71341BDEh
add edx, 28h
cmp edx, esi
jne 00007F3E71341BBCh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x98d60	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x98da8	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd2000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd3000	0x4abc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92950	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x92890	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x88000	0x20c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x855e7	0x85600	c250debd6068ef1a7c921e73181cfa2e	False	0.41276834875820057	data	6.666076982015016	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.bss	0x87000	0xf7d	0x1000	f3a47c3349515baee64657bb8147a892	False	0.629638671875	data	6.3506167437003445	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x88000	0x11a10	0x11c00	14acba9e565d481335e6ba0ae41b24b3	False	0.3752475792253521	data	4.851073901041092	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9a000	0x37270	0x35a00	ffbe02982d67e696f6cbb12538bd444b	False	0.9733983464452215	data	7.976991516797524	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd2000	0x1e0	0x200	d8a8736d599d5775f0aa4e84f3b1f63c	False	0.525390625	data	4.69492069540085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd3000	0x4abc	0x4c00	7d3fb59ba21a0846bc5cf4539ec02a97	False	0.7359169407894737	data	6.618161361005907	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xd2060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
GDI32.dll	SetPixel
USER32.dll	GetDC, OffsetRect, ReleaseDC, GetUpdateRgn
KERNEL32.dll	CreateFileW, HeapSize, GetProcessHeap, SetStdHandle, SetEnvironmentVariableW, VirtualAlloc, WaitForSingleObject, CreateThread, FormatMessageA, WideCharToMultiByte, GetCurrentThreadId, CloseHandle, WaitForSingleObjectEx, Sleep, SwitchToThread, GetExitCodeThread, GetNativeSystemInfo, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LocalFree, GetLocaleInfoEx, MultiByteToWideChar, LCMapStringEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableSRW, QueryPerformanceCounter, QueryPerformanceFrequency, SetFileInformationByHandle, GetTempPathW, InitOnceExecuteOnce, CreateEventExW, CreateSemaphoreExW, FlushProcessWriteBuffers, GetCurrentProcessorNumber, GetSystemTimeAsFileTime, GetTickCount64, FreeLibraryWhenCallbackReturns, CreateThreadpoolTimer, SetThreadpoolTimer, WaitForThreadpoolTimerCallbacks, CloseThreadpoolTimer, CreateThreadpoolWait, SetThreadpoolWait, CloseThreadpoolWait, GetModuleHandleW, GetProcAddress, GetFileInformationByHandleEx, CreateSymbolicLinkW, GetStringTypeW, CompareStringEx, GetCPInfo, IsProcessorFeaturePresent, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, FreeEnvironmentStringsW, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetCurrentThread, SetConsoleCtrlHandler, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, GetTimeZoneInformation, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, WriteConsoleW

Exports

Name	Ordinal	Address
AwakeSound	1	0x487d60

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 16:40:09.699599981 CEST	49725	443	192.168.2.5	149.154.167.99
Jul 2, 2024 16:40:09.699632883 CEST	443	49725	149.154.167.99	192.168.2.5
Jul 2, 2024 16:40:09.699707031 CEST	49725	443	192.168.2.5	149.154.167.99
Jul 2, 2024 16:40:09.704210997 CEST	49725	443	192.168.2.5	149.154.167.99
Jul 2, 2024 16:40:09.704241991 CEST	443	49725	149.154.167.99	192.168.2.5
Jul 2, 2024 16:40:10.332807064 CEST	443	49725	149.154.167.99	192.168.2.5
Jul 2, 2024 16:40:10.332902908 CEST	49725	443	192.168.2.5	149.154.167.99
Jul 2, 2024 16:40:10.404225111 CEST	49725	443	192.168.2.5	149.154.167.99
Jul 2, 2024 16:40:10.404253006 CEST	443	49725	149.154.167.99	192.168.2.5
Jul 2, 2024 16:40:10.404644012 CEST	443	49725	149.154.167.99	192.168.2.5
Jul 2, 2024 16:40:10.404704094 CEST	49725	443	192.168.2.5	149.154.167.99
Jul 2, 2024 16:40:10.407011986 CEST	49725	443	192.168.2.5	149.154.167.99
Jul 2, 2024 16:40:10.452496052 CEST	443	49725	149.154.167.99	192.168.2.5
Jul 2, 2024 16:40:10.646045923 CEST	443	49725	149.154.167.99	192.168.2.5
Jul 2, 2024 16:40:10.646075964 CEST	443	49725	149.154.167.99	192.168.2.5
Jul 2, 2024 16:40:10.646122932 CEST	443	49725	149.154.167.99	192.168.2.5
Jul 2, 2024 16:40:10.646157980 CEST	443	49725	149.154.167.99	192.168.2.5
Jul 2, 2024 16:40:10.646269083 CEST	49725	443	192.168.2.5	149.154.167.99
Jul 2, 2024 16:40:10.646269083 CEST	49725	443	192.168.2.5	149.154.167.99
Jul 2, 2024 16:40:10.646269083 CEST	49725	443	192.168.2.5	149.154.167.99
Jul 2, 2024 16:40:10.648762941 CEST	49725	443	192.168.2.5	149.154.167.99
Jul 2, 2024 16:40:10.648786068 CEST	443	49725	149.154.167.99	192.168.2.5
Jul 2, 2024 16:40:10.654565096 CEST	49726	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:10.659354925 CEST	9000	49726	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:10.659450054 CEST	49726	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:10.659738064 CEST	49726	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:10.664472103 CEST	9000	49726	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:11.320254087 CEST	9000	49726	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:11.320276976 CEST	9000	49726	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:11.320348024 CEST	49726	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:11.320378065 CEST	49726	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:11.402357101 CEST	49726	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:11.407732964 CEST	9000	49726	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:11.593226910 CEST	9000	49726	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:11.593348980 CEST	49726	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:11.593797922 CEST	49726	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:11.598542929 CEST	9000	49726	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:12.036896944 CEST	9000	49726	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:12.036983967 CEST	49726	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:12.041028976 CEST	49727	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:12.049303055 CEST	9000	49727	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:12.049463034 CEST	49727	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:12.050192118 CEST	49727	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:12.056561947 CEST	9000	49727	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:12.727369070 CEST	9000	49727	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:12.727544069 CEST	49727	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:12.728154898 CEST	49727	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:12.729974031 CEST	49727	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:12.732912064 CEST	9000	49727	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:12.734755039 CEST	9000	49727	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:13.385672092 CEST	9000	49727	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:13.385745049 CEST	49727	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:13.387820005 CEST	49726	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:13.388223886 CEST	49729	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:13.392903090 CEST	9000	49726	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:13.392976999 CEST	49726	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:13.393073082 CEST	9000	49729	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:13.393137932 CEST	49729	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:13.393412113 CEST	49729	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:13.398179054 CEST	9000	49729	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:14.038003922 CEST	9000	49729	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:14.038079977 CEST	49729	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:14.038625002 CEST	49729	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:14.042316914 CEST	49729	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:14.043368101 CEST	9000	49729	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:14.047344923 CEST	9000	49729	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:14.697382927 CEST	9000	49729	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:14.697401047 CEST	9000	49729	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:14.697519064 CEST	49729	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:14.698936939 CEST	49727	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:14.699383020 CEST	49731	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:14.704186916 CEST	9000	49727	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:14.704200029 CEST	9000	49731	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:14.704238892 CEST	49727	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:14.704302073 CEST	49731	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:14.704586983 CEST	49731	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:14.709835052 CEST	9000	49731	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:15.367093086 CEST	9000	49731	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:15.367223024 CEST	49731	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:15.367558956 CEST	49731	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:15.369354010 CEST	49731	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:15.372296095 CEST	9000	49731	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:15.374128103 CEST	9000	49731	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:16.017729998 CEST	9000	49731	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:16.017749071 CEST	9000	49731	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:16.017761946 CEST	9000	49731	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:16.017812014 CEST	9000	49731	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:16.017818928 CEST	49731	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:16.017818928 CEST	49731	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:16.017822981 CEST	9000	49731	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:16.017837048 CEST	9000	49731	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:16.017885923 CEST	49731	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:16.017885923 CEST	49731	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:16.020040989 CEST	49729	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:16.020719051 CEST	49732	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:16.025240898 CEST	9000	49729	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:16.025290012 CEST	49729	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:16.025500059 CEST	9000	49732	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:16.025557041 CEST	49732	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:16.025953054 CEST	49732	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:16.030716896 CEST	9000	49732	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:16.698698997 CEST	9000	49732	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:16.698781013 CEST	49732	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:16.699141979 CEST	49732	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:16.701301098 CEST	49732	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:16.703912020 CEST	9000	49732	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:16.708321095 CEST	9000	49732	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:17.347127914 CEST	9000	49732	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:17.347246885 CEST	49732	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:17.409234047 CEST	49731	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:17.409569025 CEST	49733	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:17.414302111 CEST	9000	49731	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:17.414345026 CEST	9000	49733	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:17.414367914 CEST	49731	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:17.414429903 CEST	49733	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:17.414830923 CEST	49733	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:17.419944048 CEST	9000	49733	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:18.067476034 CEST	9000	49733	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:18.067554951 CEST	49733	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:18.068348885 CEST	49733	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:18.070466042 CEST	49733	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:18.070552111 CEST	49733	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:18.070552111 CEST	49733	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:18.074280977 CEST	9000	49733	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:18.075504065 CEST	9000	49733	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:18.075514078 CEST	9000	49733	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:18.075531960 CEST	9000	49733	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:18.075545073 CEST	9000	49733	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:18.075571060 CEST	9000	49733	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:18.075582027 CEST	9000	49733	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:18.078275919 CEST	9000	49733	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:18.078301907 CEST	9000	49733	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:18.405287027 CEST	49732	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:18.405741930 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:18.410725117 CEST	9000	49732	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:18.410845041 CEST	49732	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:18.411413908 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:18.411493063 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:18.411803007 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:18.416594982 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:18.791114092 CEST	9000	49733	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:18.791215897 CEST	49733	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.067728996 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.067856073 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.068288088 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.070054054 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.073348045 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.074776888 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.404460907 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.404524088 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.404536009 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.404567003 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.404578924 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.404638052 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.404638052 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.404691935 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.404717922 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.404742002 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.404748917 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.404748917 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.404756069 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.404768944 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.404772997 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.404803038 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.404803038 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.404829979 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.404968023 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.405021906 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.409571886 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.409611940 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.409658909 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.409658909 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.409687042 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.409770012 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.496953011 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.496973038 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.497138977 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.502351046 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.502403975 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.502415895 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.502454042 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.502454042 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.502496958 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.505872965 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.505903959 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.505916119 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.505935907 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.505950928 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.505965948 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.512842894 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.512919903 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.512931108 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.512943983 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.513000011 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.519639969 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.519668102 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.519680977 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.519697905 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.519722939 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.526361942 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.526453018 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.526464939 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.526480913 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.526494980 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.526561975 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.531496048 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.533202887 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.533226967 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.533241987 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.533287048 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.533288002 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.533288002 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.533340931 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.539999008 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.540047884 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.540059090 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.540083885 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.540083885 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.540173054 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.546940088 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.546997070 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.547008991 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.547009945 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.547049046 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.547049046 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.553738117 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.553836107 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.553845882 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.553878069 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.553878069 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.553946018 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.560760021 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.560775042 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.560839891 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.560839891 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.593645096 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.593677044 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.593689919 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.593703032 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.593729973 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.593729973 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.593760967 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.602375031 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.602411985 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.602422953 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.602469921 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.602469921 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.615869999 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.615917921 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.615935087 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.616025925 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.616025925 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.640351057 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.640495062 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.640507936 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.640508890 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.640561104 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.640561104 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.664669991 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.664690971 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.664702892 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.664715052 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.664803028 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.664881945 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.664916992 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.664925098 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.664925098 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.664927959 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.664972067 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.664972067 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.665572882 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.665689945 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.665703058 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.665731907 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.665733099 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.665951014 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.666209936 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.666260958 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.666270971 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.666297913 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.666297913 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.666333914 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.666373014 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.666373014 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.666409016 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.666502953 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.666544914 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.666548014 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.666548014 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.667184114 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.667232037 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.667232037 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.667280912 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.667290926 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.667361021 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.667372942 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.667385101 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.667397022 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.667404890 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.667404890 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.667999029 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.668040991 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.668050051 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.668050051 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.668055058 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.668102980 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.668102980 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.670089006 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.670121908 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.670133114 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.670169115 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.670169115 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.674829960 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.674868107 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.674881935 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.674937963 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.674937963 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.679758072 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.679800034 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.679816961 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.679867029 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.679867029 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.684937000 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.684984922 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.684997082 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.685009003 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.685241938 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.689887047 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.689943075 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.689986944 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.689987898 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.689996004 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.690009117 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.690057039 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.690057993 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.695569992 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.695585012 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.695596933 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.695607901 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.695683002 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.695683002 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.699785948 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.699815035 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.699831963 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.699889898 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.699889898 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.704667091 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.704732895 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.704742908 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.704754114 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.704761982 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.704786062 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.704786062 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.704843044 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.707783937 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.707854986 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.707866907 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.707876921 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.707892895 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.707911968 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.707911968 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.707954884 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.711570024 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.711613894 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.711625099 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.711653948 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.711653948 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.711688042 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.714250088 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.714289904 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.714303017 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.714335918 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.714335918 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.717400074 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.717420101 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.717442036 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.717454910 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.717499018 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.718024969 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.730930090 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.730969906 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.730983019 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.731024981 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.731295109 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.755594969 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.755660057 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.755671024 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.755752087 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.755752087 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.755754948 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.755767107 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.755810022 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.755903006 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.755913973 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.756010056 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.756020069 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.756061077 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.756061077 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.756673098 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.756730080 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.756795883 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.756841898 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.764226913 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.764288902 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.764292955 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.764305115 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.764338970 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.764354944 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.764396906 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.765775919 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.765849113 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.765862942 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.765894890 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.765894890 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.767683029 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.767739058 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.767739058 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.767750978 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.767795086 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.770781994 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.770852089 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.770853996 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.770863056 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.770889044 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.770900965 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.770930052 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.770930052 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.773525953 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.773571968 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.773587942 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.773627996 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.773669004 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.773669004 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.773691893 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.773880959 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.776382923 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.776453972 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.776464939 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.776496887 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.776496887 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.779192924 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.779244900 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.779249907 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.779267073 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.779309034 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.779309034 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.782027006 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.782079935 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.782093048 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.782107115 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.782206059 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.784778118 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.784830093 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.784873009 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.784885883 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.784903049 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.784903049 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.785003901 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.788945913 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.789000034 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.789011002 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.789024115 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.789068937 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.789068937 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.791220903 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.791268110 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.791279078 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.791284084 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.791371107 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.792519093 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.792568922 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.792581081 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.792587042 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.792627096 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.795113087 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.795160055 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.795170069 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.795205116 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.795205116 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.797547102 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.797624111 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.797637939 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.797646046 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.797674894 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.797688007 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.797688007 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.797756910 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.800123930 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.800182104 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.800194025 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.800195932 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.800225973 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.802521944 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.802568913 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.802581072 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.802592039 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.802634954 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.804599047 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.804696083 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.804706097 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.804738998 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.804738998 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.806577921 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.806608915 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.806618929 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.806642056 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.806664944 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.806698084 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.806698084 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.808538914 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.808552980 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.808604002 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.808617115 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.808640003 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.808640003 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.808760881 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.810523987 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.810560942 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.810575008 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.810579062 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.810592890 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.810615063 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.810615063 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.810714960 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.812370062 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.812417030 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.812427998 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.812432051 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.812465906 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.812489986 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.814263105 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.814277887 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.814291000 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.814321041 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.814332008 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.814332008 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.814481974 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.816036940 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.816121101 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.816133022 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.816143036 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.816145897 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.816174030 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.816214085 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.817959070 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.817995071 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.818011045 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.818034887 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.818034887 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.818087101 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.819792032 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.819827080 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.819840908 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.819863081 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.819863081 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.819924116 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.821573973 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.821651936 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.821757078 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.821769953 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.821825027 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.823518991 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.823550940 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.823563099 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.823571920 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.823642015 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.825110912 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.825154066 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.825165033 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.825220108 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.825237989 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.826895952 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.826940060 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.826947927 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.826951981 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.826989889 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.826989889 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.828773022 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.828828096 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.828831911 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.828839064 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.828872919 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.828877926 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.828877926 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.829040051 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.830388069 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.830452919 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.830480099 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.830492020 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.830522060 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.832262993 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.832323074 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.832333088 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.832351923 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.832489967 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.833863974 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.833911896 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.833913088 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.833924055 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.834009886 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.835604906 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.835669994 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.835679054 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.835680962 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.835692883 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.835735083 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.835735083 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.837425947 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.837472916 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.837495089 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.837507010 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.837538958 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.839257956 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.839322090 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.839334011 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.839343071 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.839376926 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.839376926 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.840960026 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.841017008 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.841027975 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.841047049 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.841233015 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.842716932 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.842777014 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.842778921 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.842822075 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.846084118 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.846164942 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.846179962 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.846205950 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.846205950 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.846241951 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.846299887 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.846332073 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.846348047 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.846364975 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.846365929 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.846365929 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.846400976 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.846400976 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.847981930 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.848026991 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.848042011 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.848059893 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.848066092 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.848067045 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.848095894 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.848095894 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.849735022 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.849786997 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.849805117 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.849816084 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.849827051 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.849827051 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.849858999 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.849858999 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.851505041 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.851545095 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.851597071 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.851597071 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.854891062 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.854932070 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.854960918 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.854969025 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.854983091 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.855005980 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.855005980 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.855025053 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.855129004 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.855191946 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.855318069 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.856494904 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.856530905 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.856553078 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.856600046 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.856846094 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.856884956 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.856897116 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.856904030 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.856940985 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.856969118 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.858597994 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.858633041 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.858649969 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.858668089 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.858697891 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.858697891 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.860342979 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.860393047 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.860402107 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.860425949 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.860426903 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.860455036 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.860629082 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.860820055 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.862157106 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.862200022 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.862210989 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.862210989 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.862250090 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.862294912 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.864314079 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.864357948 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.864373922 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.864379883 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.864418030 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.864418030 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.867212057 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.867223978 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.867238045 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.867290974 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.867290974 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.869730949 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.869782925 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.869784117 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.869793892 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.869843006 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.869847059 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.869883060 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.869911909 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.869923115 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.869955063 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.875350952 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.875392914 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.875403881 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.875417948 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.875478029 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.875499010 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.875511885 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.875524044 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.875536919 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.875560045 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.875560045 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.875612974 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.875727892 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.875885963 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.881742954 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.881815910 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.881834984 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.881859064 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.881861925 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.881906033 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.881922007 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.881930113 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.881934881 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.881990910 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.881990910 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.882004023 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.882201910 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.888175011 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.888231993 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.888238907 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.888251066 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.888319016 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.888333082 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.888335943 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.888372898 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.888457060 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.888469934 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.888487101 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.888521910 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.888521910 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.894052029 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.894119024 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.894130945 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.894155979 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.894184113 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.894184113 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.894193888 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.894224882 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.894224882 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.894378901 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.894406080 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.894422054 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.894435883 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.894444942 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.894444942 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.894459009 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.894474030 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.900363922 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.900425911 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.900439978 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.900499105 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.900506020 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.900512934 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.900541067 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.900635958 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.900649071 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.900651932 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.900660992 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.900697947 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.900775909 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.904901028 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.904916048 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.904932022 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.904997110 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.905014992 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.905025005 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.905026913 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.905035973 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.905035973 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.905141115 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.905179977 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.905191898 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.905237913 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.910375118 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.910413980 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.910427094 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.910486937 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.910486937 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.910602093 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.910617113 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.910686970 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.910702944 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.910713911 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.910725117 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.910753012 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.910797119 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.915761948 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.915779114 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.915791988 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.915843964 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.915844917 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.915846109 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.915915012 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.915935040 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.915981054 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.915990114 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.916002035 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.916052103 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.916052103 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.916069984 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.916124105 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.919214964 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.919255972 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.919266939 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.919290066 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.919312954 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.919441938 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.919452906 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.919487953 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.919498920 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.919523001 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.919523001 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.919569016 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.919569969 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.919580936 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.919703007 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.924433947 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.924503088 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.924520969 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.924539089 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.924588919 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.924626112 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.924638987 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.924674034 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.924701929 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.924719095 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.924763918 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.924796104 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.924850941 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.929802895 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.929837942 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.929847956 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.929869890 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.929897070 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.929897070 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.929943085 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.929955006 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.929991007 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.930077076 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.930088997 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.930099964 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.930145025 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.930145025 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.936858892 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.936875105 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.936887026 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.936949015 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.936949015 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.936960936 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.937017918 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.937020063 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.937096119 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.937110901 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.937120914 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.937134981 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.937135935 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.937175035 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.940386057 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.940429926 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.940440893 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.940448999 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.940470934 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.940507889 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.940572977 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.940586090 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.940633059 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.940633059 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.940686941 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.940700054 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.940943003 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.945278883 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.945337057 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.945349932 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.945353031 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.945377111 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.945399046 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.945446968 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.945462942 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.945506096 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.945506096 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.945537090 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.945575953 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.945580006 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.945689917 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.949182987 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.949235916 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.949246883 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.949259043 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.949300051 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.949326038 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.949368000 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.949414968 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.949425936 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.949461937 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.949474096 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.949496984 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.949496984 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.949604988 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.954761982 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.954835892 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.954847097 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.954854012 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.954874039 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.954914093 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.954960108 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.954971075 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.954998970 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.955018044 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.955066919 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.955079079 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.955111980 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.955146074 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.960412025 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.960437059 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.960510015 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.960510015 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.960527897 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.960542917 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.960577011 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.960597992 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.960617065 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.960628986 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.960676908 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.960676908 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.960746050 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.960757017 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.960792065 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.960809946 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.965955019 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.965995073 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.966006994 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.966049910 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.966049910 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.966074944 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.966087103 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.966099024 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.966145992 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.966145992 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.966236115 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.966275930 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.966314077 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.966314077 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.984976053 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.984999895 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.985012054 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.985065937 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.985097885 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.985117912 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.985168934 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.985182047 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.985193014 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.985208035 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.985208035 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.985234022 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.985399961 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.985444069 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.985457897 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.985469103 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.985482931 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.985482931 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.985501051 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.985685110 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.985696077 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.985707045 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.985759020 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.985759020 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.995465040 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.995547056 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.995557070 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.995563984 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.995604038 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.995615959 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.995625019 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.995657921 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.995749950 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.995760918 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.995771885 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:19.995771885 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.995816946 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:19.995816946 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.001137972 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.001180887 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.001188040 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.001194000 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.001234055 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.001234055 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.001334906 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.001348019 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.001415968 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.001466036 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.001502991 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.001514912 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.001522064 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.001528978 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.001540899 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.001542091 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.001573086 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.001573086 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.001770973 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.001818895 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.001863003 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.001877069 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.001919985 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.001919985 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.001977921 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.002038002 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.006954908 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.007051945 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.007062912 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.007096052 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.007137060 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.007215023 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.007216930 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.007226944 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.007252932 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.007273912 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.007297039 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.007334948 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.009967089 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.009999990 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.010011911 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.010019064 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.010052919 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.010052919 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.010272026 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.010286093 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.010320902 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.010345936 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.010354996 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.010368109 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.010402918 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.010482073 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.015028954 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.015083075 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.015089989 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.015095949 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.015132904 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.015132904 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.015152931 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.015228033 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.015234947 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.015286922 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.015296936 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.015304089 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.015309095 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.015336990 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.015381098 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.020411015 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.020452976 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.020463943 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.020490885 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.020490885 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.020512104 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.020533085 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.020601034 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.020642996 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.020642996 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.020687103 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.020699024 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.020709038 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.020730972 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.020776987 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.027520895 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.027556896 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.027570009 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.027574062 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.027614117 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.027614117 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.027793884 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.027837992 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.027849913 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.027867079 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.027880907 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.027909994 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.027909994 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.027961969 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.031734943 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.031805992 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.031816959 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.031846046 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.031846046 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.031917095 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.031924009 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.031979084 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.031982899 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.031996012 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.032035112 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.032035112 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.032088995 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.032126904 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.035943985 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.035970926 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.035983086 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.036021948 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.036021948 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.036077023 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.036124945 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.036139965 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.036159039 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.036200047 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.036200047 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.036230087 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.036341906 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.039944887 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.040013075 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.040024996 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.040049076 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.040049076 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.040050983 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.040091038 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.040091038 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.040146112 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.040158987 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.040199995 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.040199995 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.040221930 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.040281057 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.045736074 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.045809984 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.045820951 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.045847893 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.045847893 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.045943022 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.045958996 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.045970917 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.045984030 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.045995951 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.046014071 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.046014071 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.046066046 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.053307056 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.053358078 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.053380013 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.053391933 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.053423882 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.053441048 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.053441048 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.053520918 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.053522110 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.053534985 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.053566933 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.053622007 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.053643942 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.053664923 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.053694963 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.053715944 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.056545973 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.056596994 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.056608915 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.056624889 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.056648970 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.056653023 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.056653023 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.056704998 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.056941032 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.056956053 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.056968927 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.056981087 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.057009935 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.057009935 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.057045937 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.075310946 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.075335979 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.075349092 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.075401068 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.075495958 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.075509071 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.075520039 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.075540066 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.075668097 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.075696945 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.075709105 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.075758934 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.075802088 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.075813055 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.075824022 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.075879097 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.075879097 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.075989008 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.076000929 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.076011896 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.076054096 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.076071978 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.086369038 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.086430073 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.086441994 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.086477041 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.086477041 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.086535931 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.086616993 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.086656094 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.086668015 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.086709023 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.086730957 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.086786032 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.091583967 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.091607094 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.091638088 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.091677904 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.091682911 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.091748953 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.091758013 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.091770887 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.091798067 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.091818094 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.091886044 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.091898918 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.091948986 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.091948986 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.092255116 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.092266083 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.092277050 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.092288971 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.092300892 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.092314005 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.092344999 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.092344999 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.092350006 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.092453957 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.092617989 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.092643023 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.092663050 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.092789888 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.097011089 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.097052097 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.097064972 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.097079992 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.097156048 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.097176075 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.097215891 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.097222090 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.097266912 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.097280025 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.097286940 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.097313881 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.097346067 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.100532055 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.100547075 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.100558996 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.100594997 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.100594997 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.100645065 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.100656986 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.100668907 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.100689888 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.100754976 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.100855112 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.100886106 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.100914955 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.100944996 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.105635881 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.105665922 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.105696917 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.105740070 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.105751991 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.105775118 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.105803967 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.105842113 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.105842113 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.105882883 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.105895042 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.105923891 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.105942965 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.106040955 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.118315935 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.118370056 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.118383884 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.118397951 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.118429899 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.118565083 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.118578911 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.118590117 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.118597031 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.118602991 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.118650913 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.118650913 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.118813038 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.118824005 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.118837118 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.118865967 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.118951082 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.118962049 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.118976116 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.118987083 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.119004965 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.119004965 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.119033098 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.126678944 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.126713991 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.126724958 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.126771927 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.126771927 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.126825094 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.126868010 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.126899958 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.126914024 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.126924992 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.126935959 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.126949072 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.126987934 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.126988888 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.127166033 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.127177000 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.127196074 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.127238035 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.127238035 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.127367020 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.127377987 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.127389908 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.127434015 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.127489090 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.130467892 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.130538940 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.130552053 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.130570889 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.130601883 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.130601883 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.130635977 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.130649090 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.130702019 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.130702019 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.130753040 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.130814075 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.130850077 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.130897045 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.136212111 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.136254072 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.136265039 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.136272907 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.136293888 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.136312962 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.136353970 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.136367083 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.136388063 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.136404037 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.136476040 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.136497021 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.136533022 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.136636972 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.136662960 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.136831045 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.144002914 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.144059896 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.144073009 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.144098997 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.144098997 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.144120932 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.144193888 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.144237041 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.144237995 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.144313097 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.144314051 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.144325018 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.144372940 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.144372940 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.147355080 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.147409916 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.147422075 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.147442102 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.147453070 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.147531986 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.147542953 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.147555113 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.147603989 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.147603989 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.147706032 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.147717953 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.148036957 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.180879116 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.180901051 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.180915117 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.180972099 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.181016922 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.181029081 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.181034088 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.181041956 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.181056976 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.181092978 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.181092978 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.181133032 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.181144953 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.181152105 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.181157112 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.181185961 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.181200981 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.181298971 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.181351900 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.181406021 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.181417942 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.181430101 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.181458950 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.181510925 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.182157040 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.182195902 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.182208061 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.182216883 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.182252884 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.182252884 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.182307005 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.182322025 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.182338953 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.182351112 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.182363987 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.182363987 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.182441950 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.182522058 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.182579994 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.182626009 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.182689905 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.182728052 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.182728052 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.182728052 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.182765961 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.182811022 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.182825089 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.182871103 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.182871103 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.182895899 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.183012962 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.183048964 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.183109999 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.183125973 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.183144093 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.183173895 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.183173895 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.183265924 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.183278084 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.183289051 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.183301926 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.183324099 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.183410883 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.183491945 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.183507919 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.183540106 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.183573961 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.187531948 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.187555075 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.187597990 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.187614918 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.187614918 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.187674999 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.187675953 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.187690020 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.187730074 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.187730074 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.187771082 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.187788963 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.187839031 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.187839031 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.187958002 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.188014984 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.191623926 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.191636086 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.191648006 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.191699028 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.191741943 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.191750050 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.191765070 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.191776991 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.191801071 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.191818953 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.191832066 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.191946030 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.196263075 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.196325064 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.196337938 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.196368933 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.196368933 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.196398973 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.196430922 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.196449995 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.196449995 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.196470976 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.196491003 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.196537971 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.196543932 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.196608067 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.208995104 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.209029913 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.209043026 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.209074974 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.209074974 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.209120035 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.209156990 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.209170103 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.209270954 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.209275961 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.209283113 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.209383965 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.209455013 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.209467888 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.209479094 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.209492922 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.209503889 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.209523916 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.209523916 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.209552050 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.209716082 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.209728956 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.209769964 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.217273951 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.217318058 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.217329979 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.217350960 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.217384100 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.217384100 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.217462063 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.217473984 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.217485905 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.217498064 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.217519045 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.217586994 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.217741966 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.217813015 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.217849970 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.217864990 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.217916965 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.217932940 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.217946053 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.217957020 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.217969894 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.217987061 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.218003035 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.221067905 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.221121073 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.221129894 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.221200943 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.221242905 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.221261024 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.221296072 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.221317053 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.221357107 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.221374989 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.221407890 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.221431971 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.221443892 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.221510887 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.234637976 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.234659910 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.234674931 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.234724998 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.234739065 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.234744072 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.234744072 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.234802961 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.234823942 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.234895945 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.234909058 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.234914064 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.234960079 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.234960079 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.235078096 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.235093117 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.235106945 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.235120058 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.235137939 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.235137939 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.235172033 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.235172033 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.235310078 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.235325098 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.235371113 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.235371113 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.238020897 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.238074064 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.238109112 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.238114119 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.238114119 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.238179922 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.238251925 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.238280058 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.238296032 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.238301039 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.238312960 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.238342047 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.238342047 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.238377094 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.277250051 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277268887 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277286053 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277350903 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277359009 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.277364016 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277376890 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277389050 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277401924 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277416945 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277429104 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277440071 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.277441025 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277440071 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.277455091 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277466059 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277467012 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.277477980 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277489901 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277489901 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.277534962 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.277534962 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.277654886 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277667046 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277678967 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277689934 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277702093 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277713060 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277718067 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.277718067 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.277725935 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277762890 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.277795076 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.277818918 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277831078 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277842045 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277853966 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277867079 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277879953 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277887106 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.277898073 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277899981 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.277911901 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277937889 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277941942 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.277941942 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.277951956 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277966022 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277978897 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.277980089 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.277980089 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.277995110 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.278007984 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.278053999 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.282269955 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.282294989 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.282306910 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.282332897 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.282358885 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.282397032 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.282449007 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.282500029 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.282511950 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.282526016 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.282541037 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.282547951 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.282557964 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.282594919 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.282594919 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.282692909 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.282742023 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.282779932 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.282793999 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.282831907 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.282921076 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.282933950 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.282984972 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.290754080 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.290766954 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.290780067 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.290790081 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.290802956 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.290816069 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.290824890 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.290828943 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.290858984 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.290858984 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.290873051 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.300654888 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.300671101 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.300682068 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.300738096 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.300772905 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.300803900 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.300811052 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.300823927 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.300837040 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.300868034 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.300868034 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.300894022 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.300961971 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.300975084 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.301007032 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.301026106 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.301151991 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.301165104 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.301207066 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.301373005 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.301384926 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.301395893 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.301441908 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.301441908 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.309135914 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.309150934 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.309163094 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.309218884 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.309268951 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.309281111 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.309289932 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.309294939 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.309326887 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.309344053 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.309623957 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.309636116 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.309647083 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.309657097 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.309669018 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.309679031 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.309686899 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.309686899 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.309732914 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.309942007 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.309986115 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.310121059 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.310161114 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.326014042 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.326031923 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.326045036 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.326076984 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.326118946 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.326159000 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.326170921 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.326211929 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.326335907 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.326347113 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.326359034 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.326383114 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.326426029 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.326507092 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.326517105 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.326528072 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.326589108 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.326685905 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.326703072 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.326710939 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.326730967 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.326806068 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.326850891 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.326867104 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.326905966 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.326934099 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.327042103 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.327054977 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.327066898 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.327092886 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.327121973 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.327224970 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.327241898 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.327253103 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.327264071 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.327286959 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.327286959 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.327315092 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.328636885 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.328692913 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.328716040 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.328728914 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.328811884 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.328854084 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.328866959 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.328912020 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.328969955 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.328982115 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.329034090 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.361963987 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.362014055 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.362027884 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.362076044 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.362090111 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.362134933 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.362217903 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.362270117 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.362282038 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.362293005 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.362299919 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.362356901 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.362356901 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.362487078 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.362499952 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.362510920 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.362521887 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.362538099 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.362538099 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.362550020 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.362581015 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.362590075 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.365978003 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.366029024 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.366039038 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.366122961 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.366175890 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.366188049 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.366198063 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.366198063 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.366245031 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.366245031 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.366271973 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.366333008 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.366358995 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.366375923 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.366444111 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.366456032 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.366468906 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.366494894 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.366537094 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.366693020 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.366704941 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.366715908 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.366728067 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.366739988 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.366750002 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.366753101 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.366765976 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.366782904 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.366872072 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.367063999 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.367074966 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.367150068 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.367191076 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.367235899 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.367244005 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.367255926 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.367291927 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.367301941 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.367301941 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.367331982 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.372823954 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.372837067 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.372850895 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.372868061 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.372906923 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.372906923 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.372956991 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.372968912 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.372997999 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.373028040 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.373096943 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.373107910 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.373174906 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.373184919 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.373199940 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.373210907 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.373245955 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.373748064 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.373759031 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.373769999 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.373780966 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.373822927 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.373843908 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.375703096 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.375714064 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.375758886 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.377787113 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.377840042 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.377840996 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.377855062 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.377887011 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.377902031 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.377983093 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.377995014 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.378007889 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.378021002 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.378046989 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.378072977 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.392846107 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.392906904 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.392923117 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.392942905 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.392971992 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.392971992 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.393022060 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.393034935 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.393048048 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.393100977 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.393100977 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.393254995 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.393268108 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.393279076 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.393290997 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.393328905 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.393460035 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.393484116 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.393496990 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.393508911 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.393553019 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.393553019 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.395011902 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.395075083 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.401513100 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.401575089 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.401590109 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.401599884 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.401640892 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.401640892 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.401657104 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.401707888 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.401827097 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.401838064 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.401849985 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.401880026 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.401887894 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.401887894 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.401906967 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.401942968 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.402026892 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.402077913 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.402142048 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.402158976 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.402178049 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.402196884 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.402206898 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.402215004 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.402236938 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.402267933 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.402268887 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.415724993 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.415771961 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.415786028 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.415841103 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.415841103 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.415966034 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.415977955 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.416029930 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.416045904 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.416047096 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.416059017 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.416145086 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.416145086 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.416251898 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.416264057 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.416276932 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.416286945 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.416300058 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.416305065 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.416357040 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.416357994 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.416551113 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.416604042 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.416623116 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.416651964 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.416651964 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.416670084 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.416795015 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.416805983 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.416816950 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.416824102 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.416842937 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.416974068 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.416975975 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.417025089 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.419379950 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.419421911 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.419433117 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.419457912 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.419457912 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.419504881 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.419584036 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.419595957 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.419606924 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.419627905 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.419770002 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.452663898 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.452704906 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.452722073 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.452779055 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.452779055 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.452784061 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.452826977 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.452831030 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.452833891 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.452863932 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.452891111 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.452923059 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.452981949 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.452996016 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.453085899 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.453092098 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.453114033 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.453145981 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.453188896 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.453212023 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.453242064 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.453242064 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.453296900 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.453350067 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.453350067 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.453383923 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.453413010 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.453432083 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.453476906 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.453480005 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.453718901 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.456886053 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.456938982 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.456955910 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.456984043 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.456984043 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.457041025 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.457070112 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.457076073 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.457117081 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.457117081 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.457205057 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.457216978 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.457231998 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.457276106 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.457276106 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.457462072 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.457473993 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.457485914 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.457498074 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.457518101 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.457525015 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.457528114 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.457528114 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.457530022 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.457629919 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.457839966 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.457859039 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.457885027 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.457957029 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.457988977 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.458048105 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.458060980 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.458097935 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.458097935 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.458161116 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.458206892 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.463476896 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.463546038 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.463558912 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.463583946 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.463592052 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.463593006 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.463625908 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.463625908 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.463656902 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.463701963 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.463716984 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.463728905 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.463740110 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.463798046 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.463798046 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.463917971 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.463928938 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.463939905 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.463958025 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.463994980 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.463996887 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.464215040 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.464262962 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.464277029 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.464343071 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.468554020 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.468588114 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.468600035 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.468638897 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.468638897 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.468740940 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.468753099 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.468764067 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.468775988 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.468816042 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.468816042 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.482513905 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.482575893 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.482592106 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.482616901 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.482616901 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.482670069 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.482708931 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.482791901 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.482804060 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.482812881 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.482847929 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.482901096 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.482913017 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.482924938 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.482954025 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.483042002 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.483237982 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.483284950 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.483293056 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.483392000 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.483407021 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.483422041 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.483453035 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.483454943 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.483491898 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.483491898 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.489306927 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.489370108 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.489444017 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.489486933 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.489494085 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.489576101 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.489624977 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.489636898 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.489650011 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.489694118 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.489694118 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.489742041 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.489753008 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.489824057 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.489871979 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.489885092 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.489988089 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.490000010 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.490037918 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.490037918 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.490109921 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.490122080 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.490169048 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.490190983 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.490235090 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.490263939 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.490303040 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.490303040 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.506596088 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.506637096 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.506649017 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.506685019 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.506748915 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.506753922 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.506767035 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.506805897 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.506875038 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.506887913 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.506927013 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.506975889 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.506985903 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.507096052 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.507107019 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.507118940 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.507131100 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.507143021 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.507143021 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.507188082 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.507188082 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.507348061 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.507359982 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.507370949 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.507396936 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.507462025 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.507540941 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.507553101 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.507565975 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.507616043 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.507616043 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.507705927 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.507750034 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.507750988 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.507762909 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.507813931 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.510097980 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.510170937 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.510173082 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.510185003 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.510214090 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.510251045 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.510251045 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.510298967 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.510313034 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.510355949 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.510426998 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.510438919 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.510497093 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.543492079 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.543509960 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.543523073 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.543546915 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.543559074 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.543638945 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.543694019 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.543706894 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.543719053 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.543737888 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.543749094 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.543801069 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.543801069 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.543824911 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.543874979 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.543876886 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.543983936 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.543994904 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.544004917 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.544056892 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.544106007 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.544116974 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.544127941 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.544178963 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.544178963 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.547545910 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.547631979 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.547656059 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.547667027 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.547718048 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.547729015 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.547739983 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.547751904 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.547760963 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.547760963 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.547782898 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.547871113 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.547918081 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.547997952 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.548033953 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.548046112 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.548156977 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.548167944 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.548181057 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.548192978 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.548202991 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.548202991 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.548274994 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.548415899 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.548476934 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.548499107 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.548521042 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.548521042 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.548613071 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.548624992 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.548635960 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.548648119 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.548660040 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.548660040 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.548779011 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.548815966 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.548815966 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.554338932 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.554387093 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.554399014 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.554426908 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.554426908 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.554559946 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.554570913 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.554583073 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.554594040 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.554611921 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.554611921 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.554636955 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.554771900 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.554832935 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.554852962 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.554869890 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.554912090 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.554912090 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.554955959 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.554969072 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.555035114 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.555110931 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.555123091 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.555156946 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.558955908 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.559007883 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.559017897 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.559041977 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.559041977 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.559063911 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.559076071 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.559163094 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.559194088 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.559211016 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.559216976 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.559218884 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.559242964 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.559274912 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.573016882 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.573088884 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.573101997 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.573132992 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.573132992 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.573177099 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.573191881 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.573232889 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.573244095 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.573256969 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.573266983 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.573288918 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.573288918 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.573317051 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.573827028 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.573906898 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.573919058 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.573921919 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.573951006 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.574002028 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.574043989 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.574057102 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.574069023 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.574103117 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.574131966 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.574368954 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.574429035 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.579946995 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.580008984 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.580025911 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.580037117 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.580087900 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.580116987 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.580127954 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.580140114 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.580152035 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.580182076 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.580182076 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.580226898 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.580338955 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.580388069 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.580404043 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.580454111 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.580487013 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.580499887 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.580512047 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.580532074 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.580574036 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.580696106 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.580708027 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.580720901 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.580769062 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.580769062 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.580796003 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.580914974 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.597129107 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.597210884 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.597408056 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.597423077 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.597435951 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.597446918 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.597455025 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.597460032 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.597482920 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.597513914 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.597513914 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.597544909 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.597547054 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.597592115 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.597598076 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.597605944 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.597634077 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.597783089 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.597795010 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.597807884 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.597819090 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.597826958 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.597860098 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.597985983 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.598053932 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.598099947 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.598112106 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.598160028 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.598189116 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.598213911 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.598256111 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.598257065 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.598342896 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.598355055 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.598402977 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.598403931 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.600960016 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.601015091 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.601016998 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.601031065 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.601088047 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.601088047 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.601178885 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.601191044 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.601202011 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.601212978 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.601233006 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.601269960 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.634448051 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.634478092 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.634491920 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.634689093 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.634720087 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.634732962 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.634759903 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.634778023 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.634779930 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.634793043 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.634808064 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.634814024 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.634819031 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.634831905 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.634880066 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.634880066 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.635021925 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.635034084 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.635046005 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.635076046 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.635123968 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.638257980 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.638309956 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.638322115 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.638358116 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.638359070 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.638406038 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.638406038 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.638493061 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.638508081 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.638523102 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.638536930 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.638566971 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.638566971 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.638598919 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.638674974 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.638736963 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.638748884 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.638772964 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.638803959 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.638817072 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.638870955 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.638889074 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.638932943 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.638932943 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.639002085 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.639019966 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.639035940 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.639089108 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.639152050 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.639202118 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.639230967 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.639249086 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.639276981 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.639293909 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.639370918 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.639388084 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.639406919 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.639417887 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.639425039 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.639447927 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.639448881 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.639471054 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.645102024 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.645137072 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.645152092 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.645211935 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.645242929 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.645319939 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.645334959 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.645349979 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.645427942 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.645427942 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.645445108 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.645457983 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.645473003 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.645488024 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.645522118 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.645684004 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.645693064 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.645708084 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.645715952 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.645719051 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.645737886 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.645768881 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.649765015 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.649813890 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.649837017 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.649854898 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.649903059 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.649930000 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.649930000 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.650013924 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.650022030 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.650037050 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.650062084 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.650079012 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.650079012 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.650487900 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.663968086 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.663989067 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.664001942 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.664041042 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.664107084 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.664119959 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.664133072 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.664228916 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.664228916 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.670617104 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.670660019 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.670705080 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.670711040 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.670753956 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.670753956 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.670830011 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.670870066 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.670897961 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.670909882 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.671017885 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.671035051 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.671045065 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.671057940 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.671097040 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.671097040 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.671247005 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.671258926 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.671272039 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.671286106 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.671298027 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.671319962 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.671454906 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.671525955 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.671567917 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.671567917 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.671626091 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.671638012 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.671652079 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.671664953 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.671691895 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.671766996 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.671849966 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.671865940 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.671878099 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.671917915 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.671917915 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.687808990 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.687841892 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.687855959 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.687935114 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.687953949 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.687958956 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.687971115 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.687983036 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.687995911 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.688033104 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.688050985 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.688159943 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.688215971 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.688249111 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.688261986 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.688322067 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.688396931 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.688409090 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.688421011 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.688487053 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.688487053 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.688570976 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.688621044 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.688653946 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.688666105 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.688721895 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.688721895 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.688780069 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.688795090 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.688808918 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.688832998 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.688865900 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.688951969 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.688957930 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.689023018 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.691864967 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.691905022 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.691915989 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.691929102 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.691982985 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.692065954 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.692078114 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.692089081 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.692101955 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.692120075 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.692162991 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.724903107 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.724939108 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.724963903 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.724982977 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.725001097 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.725001097 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.725059986 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.725071907 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.725110054 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.725110054 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.725148916 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.725210905 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.725243092 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.725260973 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.725310087 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.725322008 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.725333929 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.725367069 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.725421906 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.725529909 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.725543022 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.725557089 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.725569010 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.725584030 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.725631952 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.728972912 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.729037046 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.729049921 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.729068041 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.729099989 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.729141951 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.729185104 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.729192019 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.729259968 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.729286909 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.729299068 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.729312897 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.729358912 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.729358912 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.729512930 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.729523897 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.729537010 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.729547977 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.729566097 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.729609013 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.729758978 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.729769945 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.729780912 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.729793072 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.729824066 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.729844093 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.729968071 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.729974985 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.729983091 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.730010986 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.730026007 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.730216026 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.730317116 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.730362892 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.730437040 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.735891104 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.735923052 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.735937119 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.735968113 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.736006021 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.736104965 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.736116886 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.736128092 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.736140013 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.736171961 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.736171961 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.736221075 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.736382961 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.736408949 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.736421108 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.736433029 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.736440897 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.736447096 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.736460924 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.736469030 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.736469030 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.736502886 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.736537933 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.736675978 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.736725092 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.740386009 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.740413904 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.740421057 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.740452051 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.740494013 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.740556955 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.740569115 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.740580082 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.740592003 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.740614891 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.740649939 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.740741968 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.740818024 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.754652977 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.754713058 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.754719019 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.754730940 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.754759073 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.754777908 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.754843950 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.754854918 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.754865885 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.754883051 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.754894018 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.754925966 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.761451960 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.761497021 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.761507988 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.761538982 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.761538982 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.761559963 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.761612892 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.761640072 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.761698008 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.761698008 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.761775017 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.761790991 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.761802912 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.761826992 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.761866093 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.762012005 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.762039900 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.762057066 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.762068987 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.762084007 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.762084007 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.762084007 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.762100935 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.762113094 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.762113094 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.762130022 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.762192011 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.762443066 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.762454987 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.762460947 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.762475967 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.762490034 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.762501001 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.762506008 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.762567043 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.762567043 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.762692928 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.762749910 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.778491020 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.778523922 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.778536081 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.778551102 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.778579950 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.778624058 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.778685093 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.778693914 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.778697968 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.778712034 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.778754950 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.778754950 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.778832912 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.778886080 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.778930902 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.778950930 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.778983116 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.779010057 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.779067993 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.779078960 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.779093981 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.779105902 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.779114008 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.779161930 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.779189110 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.779330969 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.779341936 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.779356003 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.779367924 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.779397011 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.779437065 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.779578924 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.779591084 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.779603004 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.779628038 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.779685974 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.782763004 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.782782078 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.782798052 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.782854080 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.782854080 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.782902956 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.782917976 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.782932043 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.782975912 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.783004999 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.783061028 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.783235073 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.815890074 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.815943003 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.815958977 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.815963984 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.815982103 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.815996885 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.815996885 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.816023111 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.816034079 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.816044092 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.816044092 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.816050053 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.816071033 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.816092014 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.816103935 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.816121101 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.816289902 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.816304922 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.816320896 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.816337109 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.816350937 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.816363096 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.816363096 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.816364050 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.816409111 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.819900036 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.819916964 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.819940090 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.819986105 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.819986105 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.820024967 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.820040941 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.820056915 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.820097923 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.820097923 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.820210934 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.820257902 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.820282936 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.820312977 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.820312977 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.820322037 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.820327997 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.820343018 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.820388079 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.820389032 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.820535898 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.820548058 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.820559978 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.820570946 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.820583105 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.820593119 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.820594072 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.820607901 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.820631981 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.820631981 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.820668936 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.820885897 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.820962906 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.820976973 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.820981979 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.821023941 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.821023941 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.821089029 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.821135998 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.826683044 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.826719046 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.826745033 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.826771975 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.826847076 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.826858997 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.826889992 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.826920033 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.826925993 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.826934099 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.826947927 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.826987028 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.826997995 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.827066898 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.827116013 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.827171087 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.827203035 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.827230930 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.827239037 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.827261925 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.827286959 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.827286959 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.827287912 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.827306032 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.827306032 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.827322006 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.827336073 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.827363014 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.827363014 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.827470064 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.827514887 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.850222111 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.850245953 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.850264072 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.850330114 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.850337029 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.850353003 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.850353956 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.850369930 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.850385904 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.850395918 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.850395918 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.850402117 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.850420952 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.850439072 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.850452900 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.850533009 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.850574017 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.850585938 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.850626945 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.850671053 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.850692034 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.850701094 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.850730896 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.850730896 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.850841045 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.850909948 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.851052046 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.851116896 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.852143049 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.852200985 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.852205992 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.852214098 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.852263927 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.852263927 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.852286100 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.852356911 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.852369070 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.852370977 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.852415085 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.852509975 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.852523088 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.852590084 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.852602959 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.852636099 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.852662086 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.852792025 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.852808952 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.852816105 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.852854013 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.852865934 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.852937937 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.852948904 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.852963924 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.852992058 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.853013039 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.853065968 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.853097916 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.853105068 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.853111982 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.853149891 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.853149891 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.853339911 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.853352070 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.853368044 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.853389025 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.853410959 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.853456974 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.853544950 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.869272947 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.869291067 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.869303942 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.869337082 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.869368076 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.869556904 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.869574070 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.869585991 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.869599104 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.869628906 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.869628906 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.869659901 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.869684935 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.869704962 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.869716883 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.869724989 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.869745970 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.869759083 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.870009899 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.870023012 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.870034933 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.870049000 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.870078087 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.870078087 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.870121002 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.870162010 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.870173931 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.870186090 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.870198011 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.870210886 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.870218992 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.870254040 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.870254040 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.870418072 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.870459080 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.870503902 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.870548010 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.906512976 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.906548977 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.906563044 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.906588078 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.906588078 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.906625032 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.906646967 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.906658888 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.906678915 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.906691074 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.906702995 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.906702995 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.906732082 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.906732082 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.906774998 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.906795025 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.906826019 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.906826019 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.906963110 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.906975985 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.906987906 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.907000065 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.907021999 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.907021999 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.907061100 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.907207012 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.907218933 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.907232046 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.907243967 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.907253981 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.907254934 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.907270908 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.907284021 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.907306910 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.907306910 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.907367945 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.910566092 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.910579920 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.910592079 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.910628080 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.910648108 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.910784006 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.910839081 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.910846949 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.910859108 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.910888910 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.910990953 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.911004066 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.911015987 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.911027908 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.911073923 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.911073923 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.911204100 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.911217928 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.911227942 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.911240101 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.911251068 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.911309958 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.911365986 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.911432981 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.911443949 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.911463022 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.911484957 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.911557913 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.911571980 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.911585093 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.911597013 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.911624908 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.911624908 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.911660910 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.911680937 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.911740065 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.917363882 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.917412996 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.917424917 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.917438030 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.917473078 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.917493105 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.917603016 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.917615891 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.917627096 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.917644024 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.917650938 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.917670012 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.917701960 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.940778017 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.940813065 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.940824986 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.940856934 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.940859079 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.940859079 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.940886974 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.940915108 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.940958023 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.940969944 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.941011906 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.941011906 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.941104889 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.941118002 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.941129923 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.941142082 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.941150904 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.941200972 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.941385031 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.941395998 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.941406965 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.941420078 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.941442966 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.941456079 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.941642046 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.941699982 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.941709042 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.941730976 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.941770077 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.941770077 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.941839933 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.941874981 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.941914082 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.941914082 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.941946030 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.941957951 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.941982031 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.942003012 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.942023993 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.942069054 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.942795038 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.942866087 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.942893982 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.942907095 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.942954063 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.942955971 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.942954063 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.942969084 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943012953 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.943025112 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.943087101 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943099976 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943136930 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.943169117 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.943172932 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943219900 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943232059 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.943232059 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943245888 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943279982 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.943279982 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.943362951 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943428040 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.943464994 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943480015 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943519115 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.943519115 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.943579912 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943588972 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943622112 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.943662882 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.943694115 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943739891 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.943773985 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943785906 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943833113 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.943833113 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.943919897 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943932056 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943943977 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943957090 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.943980932 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.943980932 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.944011927 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.960222960 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.960274935 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.960282087 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.960288048 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.960329056 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.960359097 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.960371971 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.960386038 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.960428953 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.960428953 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.960522890 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.960541964 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.960553885 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.960571051 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.960602999 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.960602999 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.960664034 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.960675001 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.960707903 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.960715055 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.960727930 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.960741043 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.960752964 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.960752964 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.960752964 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.960787058 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.960835934 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.961142063 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.961154938 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.961167097 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.961179018 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.961190939 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.961191893 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.961201906 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.961210012 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.961215019 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.961236954 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.961292028 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.997086048 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.997104883 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.997137070 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.997148991 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.997160912 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.997165918 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.997174978 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.997188091 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.997232914 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.997251034 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.997323990 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.997370005 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.997409105 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.997478008 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.997497082 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.997509956 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.997522116 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.997551918 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.997579098 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.997636080 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.997689009 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.997725964 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.997772932 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.997814894 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.997828007 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.997839928 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.997878075 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.997878075 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.998034954 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.998047113 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.998059034 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.998071909 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.998083115 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:20.998095989 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.998111963 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:20.998140097 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.001439095 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.001460075 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.001481056 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.001538992 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.001559019 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.001576900 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.001595974 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.001616955 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.001635075 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.001635075 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.001696110 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.001813889 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.001833916 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.001852036 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.001863003 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.001898050 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.001898050 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.001965046 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.002012968 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.002017021 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.002029896 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.002048969 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.002063036 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.002073050 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.002073050 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.002091885 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.002130032 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.002160072 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.002177000 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.002224922 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.002224922 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.002238035 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.002254963 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.002274036 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.002290964 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.002300978 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.002300978 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.002310038 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.002331972 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.002331972 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.002351999 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.007966995 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.008037090 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.008039951 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.008060932 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.008081913 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.008107901 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.008107901 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.008136034 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.008147001 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.008160114 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.008171082 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.008203983 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.008235931 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.008795023 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.008846045 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.032403946 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.032468081 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.032495975 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.032499075 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.032545090 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.032623053 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.032635927 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.032684088 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.032684088 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.032737017 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.032748938 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.032759905 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.032772064 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.032784939 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.032802105 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.032802105 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.032838106 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.033144951 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.033157110 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.033168077 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.033179045 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.033190966 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.033201933 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.033216000 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.033224106 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.033224106 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.033227921 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.033241987 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.033255100 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.033263922 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.033273935 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.033293962 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.033293962 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.033341885 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.034775972 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.034837961 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.034848928 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.034867048 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.034892082 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.034910917 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.034935951 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035018921 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035022020 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.035032034 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035043955 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035057068 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035083055 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.035083055 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.035111904 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.035304070 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035315990 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035326958 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035340071 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035351038 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035362005 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035363913 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.035377026 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035387993 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035398960 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.035399914 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035409927 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.035438061 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.035809040 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035820961 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035831928 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035875082 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.035875082 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.035939932 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035953045 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.035986900 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.050690889 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.050724983 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.050735950 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.050791025 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.050843000 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.050843954 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.050862074 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.050894976 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.050932884 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.050935984 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.050949097 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.050980091 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.050997972 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.051059961 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.051073074 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.051112890 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.051192045 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.051203012 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.051248074 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.051299095 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.051311016 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.051358938 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.051453114 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.051464081 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.051476002 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.051506996 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.051531076 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.051587105 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.051599026 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.051610947 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.051661968 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.051661968 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.051809072 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.051820993 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.051831007 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.051881075 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.051928043 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.087734938 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.087795973 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.087806940 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.087918997 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.087924957 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.087966919 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.088002920 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.088043928 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.088056087 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.088100910 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.088159084 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.088165045 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.088304043 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.088310957 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.088321924 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.088360071 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.088360071 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.088434935 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.088476896 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.088490963 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.088504076 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.088543892 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.088690996 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.088696957 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.088709116 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.088762999 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.088838100 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.088844061 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.088855028 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.088901043 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.088973999 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.089065075 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.092010975 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.092019081 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.092031956 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.092082024 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.092113972 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.092164040 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.092171907 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.092204094 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.092237949 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.092346907 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.092358112 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.092365026 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.092371941 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.092389107 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.092432022 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.092602968 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.092611074 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.092617035 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.092623949 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.092710972 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.092895031 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.092904091 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.092910051 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.092952013 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.093007088 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.093014002 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.093027115 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.093034029 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.093159914 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.093184948 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.093231916 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.122200012 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.122246981 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.122252941 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.122308016 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.122308016 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.122356892 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.122364044 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.122409105 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.122447014 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.122453928 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.122519970 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.122530937 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.122538090 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.122596025 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.122642040 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.122735023 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.122742891 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.122760057 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.122766972 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.122798920 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.122798920 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.122946978 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.122953892 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.122967005 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.122972012 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.123017073 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.123090982 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.123110056 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.123123884 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.123131037 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.123173952 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.123173952 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.123364925 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.123377085 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.123383999 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.123395920 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.123403072 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.123445034 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.123965025 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.124031067 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.124115944 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.124161005 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.124169111 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.124273062 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.124330044 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.124396086 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.124402046 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.124443054 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.124530077 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.124536991 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.124548912 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.124560118 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.124588013 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.124614954 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.124809027 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.124814987 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.124826908 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.124835968 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.124841928 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.124855042 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.124861002 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.124866962 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.124871016 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.124919891 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.125191927 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.125197887 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.125210047 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.125264883 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.125302076 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.125366926 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.141405106 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.141411066 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.141422987 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.141616106 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.141623020 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.141634941 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.141637087 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.141688108 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.141695976 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.141704082 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.141756058 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.141802073 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.141809940 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.141874075 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.141940117 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.141968966 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.141976118 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.141979933 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.141982079 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.141988993 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.142041922 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.142203093 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.142209053 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.142265081 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.142318964 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.142324924 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.142337084 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.142380953 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.142380953 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.142512083 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.142518044 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.142534018 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.142576933 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.142591953 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.182379961 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.182387114 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.182399035 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.182518005 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.182594061 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.182600021 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.182612896 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.182625055 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.182681084 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.182681084 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.182816029 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.182822943 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.182835102 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.182841063 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.182847977 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.182893991 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.182910919 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.183087111 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.183093071 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.183154106 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.183470964 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.183478117 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.183531046 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.183574915 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.183581114 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.183587074 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.183593988 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.183599949 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.183656931 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.183656931 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.183847904 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.183917999 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.183927059 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.183933020 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.183939934 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.183948994 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.183974028 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.183990955 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.184253931 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.184261084 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.184267044 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.184273005 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.184279919 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.184302092 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.184391975 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.184568882 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.184576035 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.184587955 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.184650898 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.184650898 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.213365078 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.213403940 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.213414907 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.213542938 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.213550091 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.213562965 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.213567972 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.213649988 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.213824987 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.213831902 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.213845015 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.213851929 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.213859081 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.213865042 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.213900089 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.213900089 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.214107037 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.214112997 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.214124918 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.214274883 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.214459896 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.214468002 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.214479923 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.214485884 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.214492083 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.214528084 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.214540958 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.214548111 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.214560032 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.214566946 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.214572906 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.214586020 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.214591026 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.214591026 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.214627981 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.215074062 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.215080023 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.215091944 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.215101004 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.215107918 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.215114117 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.215127945 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.215133905 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.215142012 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.215166092 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.215166092 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.215234995 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.215584993 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.215591908 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.215604067 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.215610981 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.215650082 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.215833902 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.215841055 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.215852976 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.215859890 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.215938091 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.216134071 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.216140032 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.216151953 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.216157913 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.216165066 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.216170073 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.216190100 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.216195107 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.216201067 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.216207027 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.216212988 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.216212988 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.216263056 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.216263056 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.216702938 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.216710091 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.216722012 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.216727972 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.216762066 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.216805935 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.232095957 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.232142925 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.232165098 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.232184887 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.232184887 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.232247114 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.232276917 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.232285023 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.232333899 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.232425928 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.232431889 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.232444048 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.232502937 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.232562065 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.232573032 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.232578039 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.232584000 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.232635975 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.232758999 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.232799053 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.232805967 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.232819080 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.232861996 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.232973099 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.232979059 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.232991934 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.233093977 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.233198881 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.233205080 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.233217955 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.233231068 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.233237028 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.233270884 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.233294964 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.272922039 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.273021936 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.273027897 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.273046970 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.273099899 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.273112059 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.273119926 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.273132086 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.273139000 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.273211956 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.273401022 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.273407936 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.273423910 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.273482084 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.273482084 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.273546934 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.273567915 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.273572922 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.273578882 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.273586035 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.273621082 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.273663044 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.274286985 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.274337053 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.274343014 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.274358034 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.274405956 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.274506092 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.274518967 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.274525881 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.274532080 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.274580002 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.274580002 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.274765968 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.274772882 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.274827957 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.274912119 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.274918079 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.274930000 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.274998903 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.275053024 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.275067091 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.275125980 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.275274992 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.275291920 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.275299072 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.275305033 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.275312901 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.275320053 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.275336027 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.275376081 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.303673029 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.303718090 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.303725958 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.303767920 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.303767920 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.303818941 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.303889990 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.303924084 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.303961039 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.303980112 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.303987026 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.303999901 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.304035902 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.304225922 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.304231882 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.304244995 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.304250956 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.304258108 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.304275990 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.304306030 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.304474115 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.304528952 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.304544926 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.304553032 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.304608107 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.304796934 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.304804087 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.304810047 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.304816008 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.304825068 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.304847002 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.304869890 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.305039883 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.305047035 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.305058956 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.305064917 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.305077076 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.305083990 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.305099010 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.305181980 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.305358887 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.305416107 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.305488110 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.305494070 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.305511951 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.305519104 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.305531025 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.305537939 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.305543900 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.305542946 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.305598021 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.305860043 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.305903912 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.305933952 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.305941105 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.305994987 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.306051016 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.306056976 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.306065083 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.306070089 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.306113958 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.306113958 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.306364059 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.306370020 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.306386948 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.306392908 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.306400061 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.306441069 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.306441069 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.306652069 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.306658030 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.306664944 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.306670904 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.306677103 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.306713104 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.306713104 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.310158014 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.310205936 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.310216904 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.310218096 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.310250998 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.310275078 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.310318947 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.310324907 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.310368061 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.322913885 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.322988033 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.322988987 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.322997093 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323069096 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.323143005 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323148966 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323160887 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323167086 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323229074 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.323229074 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.323405027 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323410034 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323421955 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323426962 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323434114 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323440075 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323451996 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323457956 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323476076 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.323508978 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.323508978 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.323862076 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323923111 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.323949099 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323956013 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323962927 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323967934 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323981047 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.323987007 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.324012041 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.324105024 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.363698959 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.363740921 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.363746881 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.363837004 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.363840103 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.363843918 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.363857985 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.363866091 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.363923073 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.363923073 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.364109039 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.364115953 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.364121914 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.364186049 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.364231110 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.364258051 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.364340067 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.364406109 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.364413977 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.364448071 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.364682913 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.364747047 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.364773035 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.364778996 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.364836931 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.364850998 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.364856958 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.364948034 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.364959955 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.364967108 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.364979029 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.365062952 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.365153074 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.365159035 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.365173101 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.365231991 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.365328074 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.365335941 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.365408897 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.365500927 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.365506887 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.365520000 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.365525961 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.365533113 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.365537882 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.365571976 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.365617990 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.365840912 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.365848064 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.365854025 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.365859032 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.365928888 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.365928888 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.396838903 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.396929979 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.396941900 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.396946907 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.396962881 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.396970987 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.396976948 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.396982908 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397005081 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.397209883 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397217035 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397245884 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397249937 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397260904 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397268057 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397274017 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397284985 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397299051 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397310972 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397397041 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.397428036 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.397932053 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397938967 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397950888 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397957087 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397969007 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397975922 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397980928 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397986889 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.397996902 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.398001909 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.398010015 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.398011923 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.398016930 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.398025036 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.398036957 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.398040056 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.398044109 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.398086071 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.398086071 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.398694992 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.398751020 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.462852955 CEST	49733	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.463274956 CEST	49735	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.468131065 CEST	9000	49735	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.468231916 CEST	49735	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.468410015 CEST	9000	49733	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:21.468477011 CEST	49733	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.468677044 CEST	49735	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:21.473495007 CEST	9000	49735	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:22.126436949 CEST	9000	49735	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:22.126544952 CEST	49735	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:22.126919031 CEST	49735	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:22.129000902 CEST	49735	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:22.129041910 CEST	49735	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:22.131757021 CEST	9000	49735	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:22.133793116 CEST	9000	49735	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:22.133831978 CEST	9000	49735	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:22.549182892 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:22.549577951 CEST	49737	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:22.554375887 CEST	9000	49734	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:22.554476023 CEST	49734	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:22.555022955 CEST	9000	49737	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:22.555104971 CEST	49737	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:22.555361032 CEST	49737	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:22.560466051 CEST	9000	49737	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:22.947280884 CEST	9000	49735	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:22.947441101 CEST	49735	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:23.225694895 CEST	9000	49737	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:23.225842953 CEST	49737	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:23.226556063 CEST	49737	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:23.228116989 CEST	49737	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:23.231333017 CEST	9000	49737	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:23.233007908 CEST	9000	49737	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:23.685802937 CEST	49735	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:23.686499119 CEST	49738	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:23.692195892 CEST	9000	49738	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:23.692298889 CEST	49738	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:23.692533016 CEST	49738	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:23.692648888 CEST	9000	49735	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:23.692701101 CEST	49735	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:23.697325945 CEST	9000	49738	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:24.055111885 CEST	9000	49737	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:24.055222988 CEST	49737	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:24.381556988 CEST	9000	49738	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:24.381671906 CEST	49738	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:24.382096052 CEST	49738	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:24.383873940 CEST	49738	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:24.386869907 CEST	9000	49738	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:24.388721943 CEST	9000	49738	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:24.811989069 CEST	49737	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:24.812553883 CEST	49739	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:24.817207098 CEST	9000	49737	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:24.817403078 CEST	9000	49739	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:24.817461967 CEST	49739	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:24.817590952 CEST	49737	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:24.820055962 CEST	49739	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:24.824829102 CEST	9000	49739	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:25.181345940 CEST	9000	49738	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:25.185383081 CEST	49738	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:25.485050917 CEST	9000	49739	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:25.485117912 CEST	49739	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:25.485951900 CEST	49739	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:25.488663912 CEST	49739	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:25.490720987 CEST	9000	49739	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:25.490936995 CEST	49741	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:25.493782043 CEST	9000	49739	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:25.493839025 CEST	49739	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:25.495717049 CEST	9000	49741	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:25.495779991 CEST	49741	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:25.496134043 CEST	49741	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:25.500890017 CEST	9000	49741	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:26.149976015 CEST	9000	49741	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:26.150042057 CEST	49741	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:26.183257103 CEST	49741	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:26.184997082 CEST	49741	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:26.188190937 CEST	9000	49741	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:26.190357924 CEST	9000	49741	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:26.190403938 CEST	49741	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:26.193078995 CEST	49743	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:26.198100090 CEST	9000	49743	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:26.198216915 CEST	49743	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:26.201241016 CEST	49743	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:26.206093073 CEST	9000	49743	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:26.849315882 CEST	9000	49743	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:26.849375963 CEST	49743	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:26.850034952 CEST	49743	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:26.851708889 CEST	49743	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:26.853408098 CEST	49745	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:26.854748964 CEST	9000	49743	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:26.856729031 CEST	9000	49743	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:26.856779099 CEST	49743	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:26.858190060 CEST	9000	49745	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:26.858267069 CEST	49745	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:26.858483076 CEST	49745	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:26.863303900 CEST	9000	49745	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:27.523561954 CEST	9000	49745	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:27.523633003 CEST	49745	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:27.524326086 CEST	49745	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:27.525991917 CEST	49745	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:27.528333902 CEST	49746	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:27.529079914 CEST	9000	49745	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:27.531037092 CEST	9000	49745	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:27.531119108 CEST	49745	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:27.533123970 CEST	9000	49746	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:27.533195019 CEST	49746	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:27.533684015 CEST	49746	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:27.538454056 CEST	9000	49746	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:28.182903051 CEST	9000	49746	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:28.182981968 CEST	49746	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:28.183434010 CEST	49746	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:28.185298920 CEST	49746	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:28.187035084 CEST	49747	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:28.188122034 CEST	9000	49746	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:28.190275908 CEST	9000	49746	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:28.190327883 CEST	49746	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:28.191788912 CEST	9000	49747	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:28.191905022 CEST	49747	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:28.192152023 CEST	49747	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:28.196926117 CEST	9000	49747	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:28.863394976 CEST	9000	49747	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:28.865328074 CEST	49747	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:28.870440960 CEST	49747	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:28.875452995 CEST	9000	49747	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:28.907798052 CEST	49747	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:40:28.913126945 CEST	9000	49747	49.13.159.121	192.168.2.5
Jul 2, 2024 16:40:28.913202047 CEST	49747	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:41:35.188205957 CEST	9000	49738	49.13.159.121	192.168.2.5
Jul 2, 2024 16:41:35.188263893 CEST	49738	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:41:35.190036058 CEST	9000	49738	49.13.159.121	192.168.2.5
Jul 2, 2024 16:41:35.190084934 CEST	49738	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:41:59.639724016 CEST	49738	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:41:59.639760971 CEST	49738	9000	192.168.2.5	49.13.159.121
Jul 2, 2024 16:41:59.645054102 CEST	9000	49738	49.13.159.121	192.168.2.5
Jul 2, 2024 16:41:59.645144939 CEST	49738	9000	192.168.2.5	49.13.159.121

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 16:40:09.688724995 CEST	62923	53	192.168.2.5	1.1.1.1
Jul 2, 2024 16:40:09.695535898 CEST	53	62923	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 16:40:09.688724995 CEST	192.168.2.5	1.1.1.1	0xee81	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 16:40:09.695535898 CEST	1.1.1.1	192.168.2.5	0xee81	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49725	149.154.167.99	443	6188	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-02 14:40:10 UTC	84	OUT	GET /g067n HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2024-07-02 14:40:10 UTC	512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 02 Jul 2024 14:40:10 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12305 Connection: close Set-Cookie: stel_ssid=2f2b44dce4018f44e5_17916549681102788446; expires=Wed, 03 Jul 2024 14:40:10 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-07-02 14:40:10 UTC	12305	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 67 30 36 37 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 2e Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @g067n</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.parent.

Target ID:	0
Start time:	10:40:05
Start date:	02/07/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x3f0000
File size:	863'744 bytes
MD5 hash:	E3E6CF9BB53C398D2F75398923F91C11
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:40:06
Start date:	02/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xa10000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.3367357842.0000000001011000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	10:40:06
Start date:	02/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 264
Imagebase:	0x570000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	74%
Signature Coverage:	18.3%
Total number of Nodes:	339
Total number of Limit Nodes:	6

Executed Functions

Function 00FF018D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00FF00FF,00FF00EF), ref: 00FF02FC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00FF030F
Wow64GetThreadContext.KERNEL32(00000124,00000000), ref: 00FF032D
ReadProcessMemory.KERNELBASE(00000128,?,00FF0143,00000004,00000000), ref: 00FF0351
VirtualAllocEx.KERNELBASE(00000128,?,?,00003000,00000040), ref: 00FF037C
WriteProcessMemory.KERNELBASE(00000128,00000000,?,?,00000000,?), ref: 00FF03D4
WriteProcessMemory.KERNELBASE(00000128,00400000,?,?,00000000,?,00000028), ref: 00FF041F
WriteProcessMemory.KERNELBASE(00000128,-00000008,?,00000004,00000000), ref: 00FF045D
Wow64SetThreadContext.KERNEL32(00000124,014E0000), ref: 00FF0499
ResumeThread.KERNELBASE(00000124), ref: 00FF04A8

Strings

Load, xrefs: 00FF01CB
WriteProcessMemory, xrefs: 00FF02A0
ress, xrefs: 00FF0217
aryA, xrefs: 00FF01D3
ReadProcessMemory, xrefs: 00FF027A
TerminateProcess, xrefs: 00FF038B
VirtualAllocEx, xrefs: 00FF028D
VirtualAlloc, xrefs: 00FF0254
SetThreadContext, xrefs: 00FF02B3
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 00FF02FB
ResumeThread, xrefs: 00FF02C9
CreateProcessA, xrefs: 00FF0241
GetP, xrefs: 00FF020F
GetThreadContext, xrefs: 00FF0267

Memory Dump Source

Source File: 00000000.00000002.2136452812.0000000000FF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_file.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
Instruction ID: 0f6e74e6f69413b8ec6f0f8f33934fb0ee61352d25d6cd0f7fd376e89a28d772
Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
Instruction Fuzzy Hash: 89B1E77664024AAFDB60CF68CC80BDA77A5FF88714F158524EA0CEB352D774FA418B94

Function 004778F0 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 319
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003F1520: ___std_exception_copy.LIBVCRUNTIME ref: 003F155C

VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,?), ref: 00477BC8
GetUpdateRgn.USER32(00000000,00000000,00000000), ref: 00477BD9

Strings

Own head, xrefs: 00477A27
Earth, xrefs: 00477A4F

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: AllocUpdateVirtual___std_exception_copy
String ID: Earth$Own head
API String ID: 3005764785-4036566267
Opcode ID: cd2d602fa5c517aed959f37e963a5355cfaa50762e7ab9edad6ae5c3ad6621d1
Instruction ID: 22867a5d9b65fd1c9aa9afa69ca78c5a1c411c6305d51e67c59fc81733e3e776
Opcode Fuzzy Hash: cd2d602fa5c517aed959f37e963a5355cfaa50762e7ab9edad6ae5c3ad6621d1
Instruction Fuzzy Hash: A7A179719043045BD710EF39DC85AEFB7A4EF85308F448A2FF95997242E738EA448799

Function 0045A686 Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5002b0d70e95f86d1288d4449541de3daf84258198c15d3ce42bfe123815464a
Instruction ID: 23fc32fe04ad2038148f418481fb5c96b71a21bcdebff2541693d556ba07cf13
Opcode Fuzzy Hash: 5002b0d70e95f86d1288d4449541de3daf84258198c15d3ce42bfe123815464a
Instruction Fuzzy Hash: F6F0A071610264DFCB12DB4DC905B4973A8EB09B16F11405FE840EB252C7B4DE48C7D8

Function 00458BA9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,CC824C46,?,00458CB6,?,?,?,00000000), ref: 00458C6A

Strings

ext-ms-, xrefs: 00458C14
api-ms-, xrefs: 00458C00

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 10968b7388ad6990e9a60113057a7138be01eda5fa6f03b7f51236616197fe9d
Instruction ID: 24739658d0481db4b8e19676409cfabd35b988cdbfc0b29ce60cc8048034065e
Opcode Fuzzy Hash: 10968b7388ad6990e9a60113057a7138be01eda5fa6f03b7f51236616197fe9d
Instruction Fuzzy Hash: 48213871A02115A7CB229B20DC44A5B3368DF01366F24012EEC0AB7392EE38ED45C6EC

Function 0041C181 Relevance: 7.6, APIs: 5, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___security_init_cookie.LIBCMT ref: 0041C181

Part of subcall function 0041CE11: ___get_entropy.LIBCMT ref: 0041CE2B

___scrt_release_startup_lock.LIBCMT ref: 0041C21D
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 0041C231
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 0041C257
___scrt_uninitialize_crt.LIBCMT ref: 0041C2A0

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ___scrt_is_nonwritable_in_current_image$___get_entropy___scrt_release_startup_lock___scrt_uninitialize_crt___security_init_cookie
String ID:
API String ID: 2539496024-0
Opcode ID: 55c37ed9ecdf83e4e2c5e3cea6fb3ea0b561a448c7eebff6c89a2b4d56f24a1b
Instruction ID: f3e2e7ea03e0847a2b494764fbd50526c8352aed7dd3c7120ea0b8158ec7e471
Opcode Fuzzy Hash: 55c37ed9ecdf83e4e2c5e3cea6fb3ea0b561a448c7eebff6c89a2b4d56f24a1b
Instruction Fuzzy Hash: 14312432AC46419BDB207BB69C927EE33609F41769F2004AFF840BB2D3DE7D4885865D

Function 00477D70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00477DCD

Part of subcall function 003FC042: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000), ref: 003FC04E
Part of subcall function 003FC042: GetExitCodeThread.KERNEL32(?,?), ref: 003FC067
Part of subcall function 003FC042: CloseHandle.KERNEL32(?), ref: 003FC079

Strings

Success destroyed., xrefs: 00477E30, 00477E3F
jjj, xrefs: 00477DB4
Success created., xrefs: 00477D73, 00477D84

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Thread$CloseCodeCurrentExitHandleObjectSingleWait
String ID: Success created.$Success destroyed.$jjj
API String ID: 3356992203-3362827742
Opcode ID: c59a9b220aaa42066ece6e47896ac5a6f2f7427a64be0da5eb65691620e83995
Instruction ID: b98847d71470218d3921eb35424496b4633ca81e09ff52246b4656bc37fd73a1
Opcode Fuzzy Hash: c59a9b220aaa42066ece6e47896ac5a6f2f7427a64be0da5eb65691620e83995
Instruction Fuzzy Hash: 1011CB7078130A66E7223BB45D07F6B75999F50B41F608C2BF7489D2C2EBB99811836D

Function 0042AEBA Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,00000001,Function_0003AC01,00000000,?,?), ref: 0042AF03
GetLastError.KERNEL32(?,?,?,003FC117,00000000,00000000,00000001,?,00000000,?,?,?,003FBFAD,00000000,Function_0000BEFE,?), ref: 0042AF0F
__dosmaperr.LIBCMT ref: 0042AF16

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: b56f4e48e7ebeb4ec0fcc512971ae05f7aeed7d09a21b2874daaca9f2d25841d
Instruction ID: 1cb99579514780970580b8442a6ca59bb174033fe607798273de5c70f6851276
Opcode Fuzzy Hash: b56f4e48e7ebeb4ec0fcc512971ae05f7aeed7d09a21b2874daaca9f2d25841d
Instruction Fuzzy Hash: D901F572600229AFDF149FB1ED05A9F7BA4EF00324F51005AFC0192250DB78DD20EB9A

Function 00477B30 Relevance: 3.1, APIs: 2, Instructions: 93
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,000004AC,00001000,00000040,?), ref: 00477BC8
GetUpdateRgn.USER32(00000000,00000000,00000000), ref: 00477BD9

Part of subcall function 004771F0: OffsetRect.USER32(00000000,00000000,00000000), ref: 004772E8

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: AllocOffsetRectUpdateVirtual
String ID:
API String ID: 3922179882-0
Opcode ID: e89bcd4766194bfd74fb4e3ec20635590729bac388267cdbf672ff7413970326
Instruction ID: f97be1be9e5b0525c8335a6dea415acef2dc51ee82ef6f9756f682eed8408d63
Opcode Fuzzy Hash: e89bcd4766194bfd74fb4e3ec20635590729bac388267cdbf672ff7413970326
Instruction Fuzzy Hash: 0A312970E442086BD705EF68ED86BEDB7B1AF45304F50822EFD0467382EB74AA418799

Function 0042AC01 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00488110,0000000C), ref: 0042AC14
ExitThread.KERNEL32 ref: 0042AC1B

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: b3fb095c1857b8e208af12ec87c13e5ee5d478c6097b61ba69af61cfb2920b6f
Instruction ID: ead37007f6bf6d36b7334a6c685f1034cb81c6f0ceadc33f31a1dacd938aee4d
Opcode Fuzzy Hash: b3fb095c1857b8e208af12ec87c13e5ee5d478c6097b61ba69af61cfb2920b6f
Instruction Fuzzy Hash: 2EF0AFB0A40200AFDB00BFB1D80AA6E3B64FF05715F60455EF905972A3CF385955CB9A

Function 00458C74 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26e3154ce078eaa8f7456f0a265685b3d8e5522ac69debe14bb3d0a154aafdf3
Instruction ID: 44e99025448c94d3d9e4b4b638fedeed54ebb08e99fca266c9f42a6a12c7d5b6
Opcode Fuzzy Hash: 26e3154ce078eaa8f7456f0a265685b3d8e5522ac69debe14bb3d0a154aafdf3
Instruction Fuzzy Hash: 54014937302111AFAB128E6DEC0095B3396BBC1331724802EFD02EB246DE3CC80987A9

Non-executed Functions

Function 00423FD4 Relevance: 46.7, APIs: 25, Strings: 1, Instructions: 1201COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00424022
operator+.LIBVCRUNTIME ref: 0042403C
DName::operator+.LIBCMT ref: 0042416A
DName::operator+.LIBCMT ref: 00424187

Part of subcall function 004253A0: DName::DName.LIBVCRUNTIME ref: 004253E3

DName::operator+.LIBCMT ref: 0042423B
DName::operator+.LIBCMT ref: 0042424A

Part of subcall function 00429B20: DName::operator+.LIBCMT ref: 00429B64
Part of subcall function 00429B20: DName::operator+.LIBCMT ref: 00429B70
Part of subcall function 00429B20: DName::operator+.LIBCMT ref: 00429BEB
Part of subcall function 00429B20: DName::operator+=.LIBCMT ref: 00429C2E

DName::operator+.LIBCMT ref: 004241D6

Part of subcall function 00423D92: DName::operator=.LIBVCRUNTIME ref: 00423DB3

Part of subcall function 00423D3A: shared_ptr.LIBCMT ref: 00423D56

Part of subcall function 00425A9C: shared_ptr.LIBCMT ref: 00425B42

DName::operator+.LIBCMT ref: 004247B4
DName::operator+.LIBCMT ref: 004247D0
DName::operator+.LIBCMT ref: 00424A6F

Part of subcall function 00423C29: DName::operator+.LIBCMT ref: 00423C4A

Strings

/, xrefs: 00424918

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::shared_ptr$Name::operator+=Name::operator=operator+
String ID: /
API String ID: 848932493-2043925204
Opcode ID: ff22ebef9e3755f9ffabba5495e43c344daef2e9c00d036edf9b7db0b00a83e7
Instruction ID: b8e2e157c209b56fee61f7df09856f007e268873e8e3e564f5eda867986b78f2
Opcode Fuzzy Hash: ff22ebef9e3755f9ffabba5495e43c344daef2e9c00d036edf9b7db0b00a83e7
Instruction Fuzzy Hash: 20929272F205299ADB14DEA9EC95BEE77B4EB44304F84413EE512E7280DB7CD908CB18

Function 004678D6 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0045A1E8: GetLastError.KERNEL32(?,?,0042AC26,00488110,0000000C), ref: 0045A1EC
Part of subcall function 0045A1E8: SetLastError.KERNEL32(00000000), ref: 0045A28E

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 004679E2
IsValidCodePage.KERNEL32(00000000), ref: 00467A2B
IsValidLocale.KERNEL32(?,00000001), ref: 00467A3A
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00467A82
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00467AA1

Strings

0G, xrefs: 0046798F

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: 0G
API String ID: 415426439-2664342302
Opcode ID: dd4f8d775d4ace9d8804d40a566d63fcab2a68465792712fba5e9f2b51716444
Instruction ID: 75d0200f6c7b78f6c8edf5c6085e23a551d68588925a779a4578e529d5c519f5
Opcode Fuzzy Hash: dd4f8d775d4ace9d8804d40a566d63fcab2a68465792712fba5e9f2b51716444
Instruction Fuzzy Hash: C55194B1904205ABEF10DFA5CC45AAF77F8FF08708F14456AE904E7251FB789944CB6A

Function 0046A00C Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0046A1F0

Strings

1#SNAN, xrefs: 0046A118
1#IND, xrefs: 0046A111
1#QNAN, xrefs: 0046A11F
1#INF, xrefs: 0046A142

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e89a0196ce638787ad9c432dd6ae22b1a5b31c6c4fb847b99fcbf050f28ce1fe
Instruction ID: 061ac9ba7f441c45408cbdc2c7b431fe13a5e85614e2d7f6eacd0f16b152b2c5
Opcode Fuzzy Hash: e89a0196ce638787ad9c432dd6ae22b1a5b31c6c4fb847b99fcbf050f28ce1fe
Instruction Fuzzy Hash: 6FD23C71E086288FDB65CE28DD407EAB7B5EB45305F1441EBD40DE7240EB78AE858F86

Function 00466F54 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0045A1E8: GetLastError.KERNEL32(?,?,0042AC26,00488110,0000000C), ref: 0045A1EC
Part of subcall function 0045A1E8: SetLastError.KERNEL32(00000000), ref: 0045A28E

GetACP.KERNEL32(?,?,?,?,?,?,004568CB,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00467015
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004568CB,?,?,?,00000055,?,-00000050,?,?), ref: 00467040
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 004671A3

Strings

utf8, xrefs: 00467112
0G, xrefs: 00466FCB

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: 0G$utf8
API String ID: 607553120-304224658
Opcode ID: 6fdfe68272d48abc163ec8587c82545b265efc8326ec77ff07e0203f11ce6e90
Instruction ID: f2d0f04cc5a9eb130106e068793921d4236d5caebadbce17d102752e73ebdcbb
Opcode Fuzzy Hash: 6fdfe68272d48abc163ec8587c82545b265efc8326ec77ff07e0203f11ce6e90
Instruction Fuzzy Hash: CE711771604606AADB24AB36CC46FA773A8EF05718F14442FF905D7281FA7CED41C7AA

Function 00467701 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00467A1F,00000002,00000000,?,?,?,00467A1F,?,00000000), ref: 0046779A
GetLocaleInfoW.KERNEL32(?,20001004,00467A1F,00000002,00000000,?,?,?,00467A1F,?,00000000), ref: 004677C3
GetACP.KERNEL32(?,?,00467A1F,?,00000000), ref: 004677D8

Strings

ACP, xrefs: 0046771F
OCP, xrefs: 00467755

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 806c69bcc762702408ac48ce50980fe9c6cb13b6c0ca833749f87ca428a9c678
Instruction ID: 380400eebcfa833d2f3d3eba706d0315b752ea695b09494f77df8ea0e105eb74
Opcode Fuzzy Hash: 806c69bcc762702408ac48ce50980fe9c6cb13b6c0ca833749f87ca428a9c678
Instruction Fuzzy Hash: CB21D835608104A6D7318F24C900A9773A6EB54B5EB568037E909D7304F73AFD41C35A

Function 0045A9E4 Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0045AA71

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: da1da04466b900b41095eb494a391f24e2040cb7ba2ea0d27411f8f0d746fb28
Instruction ID: 6a739e96e061cb17ea7a891450d31e0cfcad13582d80d780832e25556fd54ad8
Opcode Fuzzy Hash: da1da04466b900b41095eb494a391f24e2040cb7ba2ea0d27411f8f0d746fb28
Instruction Fuzzy Hash: 74B16B329042459FDB16CF58C8817EEBBE5EF05305F14826BED05AB343D2389D19C7AA

Function 0046317F Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 0046321A
FindNextFileW.KERNEL32(00000000,?), ref: 00463295
FindClose.KERNEL32(00000000), ref: 004632B7
FindClose.KERNEL32(00000000), ref: 004632DA

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 57b45028f3b0f5c67c00c9cd6a308a03913d6f393da3a7c34936dfaefec17b54
Instruction ID: 9c1a762cc1ca8a1245afe0969df32f6278266ee20edb2cf776108bc8c122e513
Opcode Fuzzy Hash: 57b45028f3b0f5c67c00c9cd6a308a03913d6f393da3a7c34936dfaefec17b54
Instruction Fuzzy Hash: 9941E971A00659AFDB20DF64CC99ABBB778EF85305F1041DBE405D3140FA389F848B6A

Function 0041CEEF Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0041CEFB
IsDebuggerPresent.KERNEL32 ref: 0041CFC7
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041CFE0
UnhandledExceptionFilter.KERNEL32(?), ref: 0041CFEA

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: b0b39a284d49e88871e3a514f073af57dd9b07fefc0a4845180200849941e7e1
Instruction ID: 12e907ab44ce974fff965ac7b79e2ef66c279821a0ce06221507f563a903bbfb
Opcode Fuzzy Hash: b0b39a284d49e88871e3a514f073af57dd9b07fefc0a4845180200849941e7e1
Instruction Fuzzy Hash: 983107B5D012289BDB20DF65DD897CDBBB8AF08304F1041AAE50DAB250EB759AC58F49

Function 003FE9AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,?,00000002), ref: 003FE9C3
FormatMessageA.KERNEL32(00001300,00000000,?,?,?,00000000,00000000), ref: 003FE9EA

Strings

!x-sys-default-locale, xrefs: 003FE9BE

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: aacb4982d70af1027d1981f74270937e1f7a026110575e566911f329c2127c5d
Instruction ID: b3cd55215e911a07756c9fa5cd5f1ec933d4920445c0aef653d42d28402e358f
Opcode Fuzzy Hash: aacb4982d70af1027d1981f74270937e1f7a026110575e566911f329c2127c5d
Instruction Fuzzy Hash: AEF030B5610118FFEB159BD5DD0ADFB77ACEB08751F10402AB64AD6060E6F0AE449770

Function 00467385 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0045A1E8: GetLastError.KERNEL32(?,?,0042AC26,00488110,0000000C), ref: 0045A1EC
Part of subcall function 0045A1E8: SetLastError.KERNEL32(00000000), ref: 0045A28E

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004673D9
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00467423
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004674E9

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 9c806a7300d81096874484c604d58aa03d511c5433145768f90f71dbcafdd56c
Instruction ID: 65e1f576b47800ff455fbac98f6b173d32cfdab4d6f35c16edcc4049b6645d57
Opcode Fuzzy Hash: 9c806a7300d81096874484c604d58aa03d511c5433145768f90f71dbcafdd56c
Instruction Fuzzy Hash: E1615271504207ABDB249F25CC86BBA77A8EF04708F1441BAE906C6685FB3CDD51CB5A

Function 004469C1 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000010), ref: 00446AB9
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000010), ref: 00446AC3
UnhandledExceptionFilter.KERNEL32(00487EE8,?,?,?,?,?,00000010), ref: 00446AD0

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ccd897d0ce0a089baa55247e654a08fd775c3d8f622f7cdfc40f78edf9529180
Instruction ID: 26d224c02e80d976b223787caad4abf3f9c9b4d4422a3e329ce4f5d383490204
Opcode Fuzzy Hash: ccd897d0ce0a089baa55247e654a08fd775c3d8f622f7cdfc40f78edf9529180
Instruction Fuzzy Hash: 6531F4749412289BCB21DF25DC887CDBBB8BF08314F5041EAE40CA6290EB749F818F49

Function 0044F4E0 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88554fab2a861b58216585fa88a552d66bcc3b325aa0be243bc6fdf01ca1c5b8
Instruction ID: 8714f04db0820e7a7062501670de9cec521ad8c58189bdff857beb7b3a5d8711
Opcode Fuzzy Hash: 88554fab2a861b58216585fa88a552d66bcc3b325aa0be243bc6fdf01ca1c5b8
Instruction Fuzzy Hash: 0BF14071E002199FEF14CFA9D9806AEB7B1FF88314F15826EE815AB391D734AD45CB84

Function 003F3770 Relevance: 3.0, Strings: 2, Instructions: 463COMMON

Download Yara Rule

Strings

%, xrefs: 003F3C11
+, xrefs: 003F3C20

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: %$+
API String ID: 0-2626897407
Opcode ID: 36a6a2b16b85ba2849e5d178c59f18e8beb5d9c5f34f8c7dbab4148fb496f9e3
Instruction ID: d52d3cd301bff59066a000af103dcc60f87d43c20ae7eafd98871cb9ced9436e
Opcode Fuzzy Hash: 36a6a2b16b85ba2849e5d178c59f18e8beb5d9c5f34f8c7dbab4148fb496f9e3
Instruction Fuzzy Hash: DAF1E3729083489FC716DF28C841A6FBBE5FFC9740F054A2DFA84AB251D735EA448792

Function 0043D746 Relevance: 2.8, Strings: 2, Instructions: 322COMMON

Download Yara Rule

Strings

0, xrefs: 0043D8DE
#dC, xrefs: 0043DA83, 0043D94E

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: #dC$0
API String ID: 0-1374298126
Opcode ID: 4c444ca3d2d7ffa634d7edd7ebdc583f585a67efe9aa71886902e1ae55ad36fa
Instruction ID: 6c52c93072c0f502f615a2f11e85362b20bd2ef046f9d78dd5e382c34aebb8df
Opcode Fuzzy Hash: 4c444ca3d2d7ffa634d7edd7ebdc583f585a67efe9aa71886902e1ae55ad36fa
Instruction Fuzzy Hash: 75B1C270E0060A8BDB28EF69D5806BFB7B1AF4C314F10691FD466A7350D738A946CB59

Function 00468CE3 Relevance: 2.8, APIs: 1, Instructions: 1260COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00468D60

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID:
API String ID: 4168288129-0
Opcode ID: c6dcb9a33f32913b1121b77cefd39cec9bc72d6c607bcb00cda6d40ac456c89f
Instruction ID: d09b48c3728b15114c9e30bb68e65514496e7a693c6aabbf46c87414b60c4a75
Opcode Fuzzy Hash: c6dcb9a33f32913b1121b77cefd39cec9bc72d6c607bcb00cda6d40ac456c89f
Instruction Fuzzy Hash: 07B23B71E046298FDB65CE28DD407EAB3B9EB44305F1445EBD80EE7240E778AE818F46

Function 00462067 Relevance: 1.9, APIs: 1, Instructions: 408timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,004624AC,00000000,00000000,00000000), ref: 0046236B

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 8da4e43e3c4b9915991f753ffc5d55cca253570e80aaea2e2331486e548f06c0
Instruction ID: 5db3e3ebfe9a4ff53e681f409676464a354e1579271ee126d57042b3435bd5bc
Opcode Fuzzy Hash: 8da4e43e3c4b9915991f753ffc5d55cca253570e80aaea2e2331486e548f06c0
Instruction Fuzzy Hash: 7AC15871A00211BBDB10ABA5DD02ABF77B9EF05754F14406BF901A7291FBB88E41C79E

Function 0045C2FF Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000000), ref: 0045C52C

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: cf677d2eb6fc521559a46a34caebfcf0a6ebd83b677c8730cfd4a32d8d2228bf
Instruction ID: 59b4d6af6fe752d0d8b0c0d8f14623cef09dd45a9fc4b26f90253958bb6ae579
Opcode Fuzzy Hash: cf677d2eb6fc521559a46a34caebfcf0a6ebd83b677c8730cfd4a32d8d2228bf
Instruction Fuzzy Hash: C0B12A31210708DFDB15CF28C4D6A657BA0FF45366F258659E89ACF3A2C339E986CB44

Function 00462D95 Relevance: 1.7, APIs: 1, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e00b94a54c8ab67656906e90275d90deb24027d7a3a5bc59a9e391743175ccf
Instruction ID: 67d2d4974181e072529f1bdb490b9094fd13436a3b646fbc079be7c42591e086
Opcode Fuzzy Hash: 2e00b94a54c8ab67656906e90275d90deb24027d7a3a5bc59a9e391743175ccf
Instruction Fuzzy Hash: C851F2B5800619BFDB24DF79CC89AEBB7B9EF45304F1441AEE409D3201EA799E448F54

Function 0041CBB5 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0041CBCB

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: faf9cd37a97b9b3b6386cb726263ac3f31f8d1dd2cf71c4362aa35bcfbd4639f
Instruction ID: c1baa41a410f9814fcbd6447b9046051df3d7879b934a32866a31019b0131d50
Opcode Fuzzy Hash: faf9cd37a97b9b3b6386cb726263ac3f31f8d1dd2cf71c4362aa35bcfbd4639f
Instruction Fuzzy Hash: C3514C719412058BEB19CF68DCC57AABBF0FB44314F24857AD419EB361D3B89D80CB98

Function 0043E5A5 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

0, xrefs: 0043E749

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 362cf2cc3a29bafa9205c0e4d52e111d514e3929dcdb11621a59a7385fedfec7
Instruction ID: 2b97979562506cc5354605594c9126ceb2225326e6b365b9de92285f39857739
Opcode Fuzzy Hash: 362cf2cc3a29bafa9205c0e4d52e111d514e3929dcdb11621a59a7385fedfec7
Instruction Fuzzy Hash: AFE1DB70A026058FCB24DF2AC481AAEB7F1BF5D314F64660ED4569B3D1D738AD42CB1A

Function 0043E184 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

0, xrefs: 0043E319

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b71a6b7ae9b48fc5f86fc8b6610f9071c236723ae5e9fa81f1223e78fefe8513
Instruction ID: cc8971386995d2fa7c5497f2c9a6be099607917f75eb09a27d3a98d63bf1ad3f
Opcode Fuzzy Hash: b71a6b7ae9b48fc5f86fc8b6610f9071c236723ae5e9fa81f1223e78fefe8513
Instruction Fuzzy Hash: D8E1BD306026058FCB24CF6AC5806AFB7B1BF4D314F24665EE8569B3D0D738AD46CB59

Function 0043E9D5 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

0, xrefs: 0043EB6A

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f02a2b27d337e01063048e64a195353d112172e48d52fecf2c1a28a6401d0476
Instruction ID: 87a3e780d4071136c5976c1183d8d254507160c4181d416093f21edce74d01da
Opcode Fuzzy Hash: f02a2b27d337e01063048e64a195353d112172e48d52fecf2c1a28a6401d0476
Instruction Fuzzy Hash: 36E1BA306026068FCB24DF6AC580AAEB7B1BF4D314F24665EE4569B3D0D738AD42CB59

Function 0043D01B Relevance: 1.6, Strings: 1, Instructions: 348COMMON

Download Yara Rule

Strings

0, xrefs: 0043D1B8

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b96e47928427b0a0c21b482cf705d82ce3763537efc10908e0566b1e578aa234
Instruction ID: feec03a09c29ca0a0815d8da5c12fda092de3d7f3750945fa29634532b40282b
Opcode Fuzzy Hash: b96e47928427b0a0c21b482cf705d82ce3763537efc10908e0566b1e578aa234
Instruction Fuzzy Hash: 03C1BE70E006468FDB28CE68D480A6FB7B1AB4D318F14665FD8529B391C739EC46CB5A

Function 0043CC8D Relevance: 1.6, Strings: 1, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 0043CE1B

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1b24a1dadcf75589b94f428cd02406a338e226467e82a81901e73bfc4d8fde86
Instruction ID: f1eebeccd454205d242d44322e34987ff8393b10bcece1650c6180ea5249b53a
Opcode Fuzzy Hash: 1b24a1dadcf75589b94f428cd02406a338e226467e82a81901e73bfc4d8fde86
Instruction Fuzzy Hash: D5C1B0709006068FDB28CF28C4D166FBBB2BF4D314F14661FE456A7391C739A946CB99

Function 0043D3B8 Relevance: 1.6, Strings: 1, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 0043D546

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 19f3eb2f104937a9ba4ce9bf97ebb5c81e09374cacee412e170d31fae6462d9a
Instruction ID: e9a2df74590cb03012087134e02c61f5bda8e9415195c706c89d131491a86a11
Opcode Fuzzy Hash: 19f3eb2f104937a9ba4ce9bf97ebb5c81e09374cacee412e170d31fae6462d9a
Instruction Fuzzy Hash: B2C1EE70D006058FCB25CE68E4916BFBBB1AB1D308F24662FD46697391C738AC46CB99

Function 004675D8 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0045A1E8: GetLastError.KERNEL32(?,?,0042AC26,00488110,0000000C), ref: 0045A1EC
Part of subcall function 0045A1E8: SetLastError.KERNEL32(00000000), ref: 0045A28E

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0046762C

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 1b979685bb29ceb73f22035558e28a2fd459352ed36bff75625c5bc00056e102
Instruction ID: bb11d71983f9667a6227576f9474d040367b934177b0283d1d6ca234f9df0ff4
Opcode Fuzzy Hash: 1b979685bb29ceb73f22035558e28a2fd459352ed36bff75625c5bc00056e102
Instruction Fuzzy Hash: 7921B371609606ABDB189B29DC41ABB37A8EF44328F10417FFD05D6242FB3C9D41CB5A

Function 0043DAAB Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

0, xrefs: 0043DC52

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: ebeada03c770d6bf14a5167a9fbc72d796bbfb2180abd8baf25290e7af970b94
Instruction ID: d6a45ad3b5fa27cd2b89abbf3788881750f86e910223ed5087272025b673c5b8
Opcode Fuzzy Hash: ebeada03c770d6bf14a5167a9fbc72d796bbfb2180abd8baf25290e7af970b94
Instruction Fuzzy Hash: 14B1BC70E0060A8ADB24CF69E981ABFF7B1AF4C304F10691FD456A7390D738AD46CB59

Function 0043DE1F Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

0, xrefs: 0043DFB7

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0d1d6ef029c7c960c48569510a9921d0ec7debf9ecd410e3c89b03bf905ff586
Instruction ID: 38580a0737739e9f66d979bf2169e12f227c2b79bcf2f6bba8325e7372df0fa0
Opcode Fuzzy Hash: 0d1d6ef029c7c960c48569510a9921d0ec7debf9ecd410e3c89b03bf905ff586
Instruction Fuzzy Hash: B0B10170E00A098ACB24DF65D881ABFBBF1AF5C304F10651FE452AB390D738AD46CB59

Function 0043C5EE Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 0043C787

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0cfc83da8dea6943ba02a26357f17333c8f090607384c5e71c1197662d7e9070
Instruction ID: 1a27a992dbbcdb2ab8a7b9f4b2d4714080ad2c4bee61819668de7279470fd946
Opcode Fuzzy Hash: 0cfc83da8dea6943ba02a26357f17333c8f090607384c5e71c1197662d7e9070
Instruction Fuzzy Hash: 4EB1C27090060A9BCB28DF6989D66BFB7A1AF09304F24251FD852B7391D73CDA42CF59

Function 0043C2A6 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

0, xrefs: 0043C430

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 6d19cd1d13ac76ecf8266acfa447097619654e493ba946ead0a70bff20f45f9e
Instruction ID: 3be2b21145cb6cbc105f352b17f45cfa2c770c676c33eb2f808ca57be6b730dc
Opcode Fuzzy Hash: 6d19cd1d13ac76ecf8266acfa447097619654e493ba946ead0a70bff20f45f9e
Instruction Fuzzy Hash: 4FB1E07190071A9BCB248F68C4E56BFB7B1AB0C304F24661FD852F7391D738A942CB5A

Function 0043C945 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

0, xrefs: 0043CACF

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 95066677799f5983d3c47783897273c6c134eb2cbbf4e83d8c014383d022ccf5
Instruction ID: 1b462bcf2fcfa2ee43728c1c89adf31b6d502c0fcb87b037d300a39e31fd93e6
Opcode Fuzzy Hash: 95066677799f5983d3c47783897273c6c134eb2cbbf4e83d8c014383d022ccf5
Instruction Fuzzy Hash: 9AB1AFB090060A8BCB24DF6888D57BFB7A1AF0D314F14261FD556F7391C739A942CB5A

Function 0046725F Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0045A1E8: GetLastError.KERNEL32(?,?,0042AC26,00488110,0000000C), ref: 0045A1EC
Part of subcall function 0045A1E8: SetLastError.KERNEL32(00000000), ref: 0045A28E

EnumSystemLocalesW.KERNEL32(00467385,00000001,00000000,?,-00000050,?,004679B6,00000000,?,?,?,00000055,?), ref: 004672D1

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 9ee2da1212caff95860b24e5c2deab9f76be5edeb211baa3bd712925980a00b4
Instruction ID: 0e373008b811f66bfc53cd95a85ed17c613b527dcf0a9fb3ab194419ca9101e0
Opcode Fuzzy Hash: 9ee2da1212caff95860b24e5c2deab9f76be5edeb211baa3bd712925980a00b4
Instruction Fuzzy Hash: BA110C3B2047015FDB189F39D8A167ABB91FF8036CB18452EE98787740E7797942C744

Function 00462799 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004627A0

Part of subcall function 0046EA8B: OutputDebugStringW.KERNEL32(00000000,?,?,?,?), ref: 0046EAE1

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: DebugDebuggerOutputPresentString
String ID:
API String ID: 4086329628-0
Opcode ID: 9df79618a6ea69d87d4e1a64e5e017969b54b273366e47cf88bdcfb703f1ad93
Instruction ID: 95af80e9bdd58314010cbd1d4e417dd9d23214800fc513518d6e01de1786c604
Opcode Fuzzy Hash: 9df79618a6ea69d87d4e1a64e5e017969b54b273366e47cf88bdcfb703f1ad93
Instruction Fuzzy Hash: CCF0F431001526BADF213EA25E46FAF270CAF01367F14440BFD149A283EA6DCC15A1BF

Function 00467807 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 0045A1E8: GetLastError.KERNEL32(?,?,0042AC26,00488110,0000000C), ref: 0045A1EC
Part of subcall function 0045A1E8: SetLastError.KERNEL32(00000000), ref: 0045A28E

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00467682,00000000,00000000,?), ref: 00467833

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: dcf8e0b52450cc5d31c129d8f966a4c3d7590ce991316372d978023d88763d4e
Instruction ID: da50a92f2d467d9071605e126e847dd024fe15dfb88cfe5addb1bbdbe4a3a30e
Opcode Fuzzy Hash: dcf8e0b52450cc5d31c129d8f966a4c3d7590ce991316372d978023d88763d4e
Instruction Fuzzy Hash: 16F0F932A04212BBDB246B228C49BBB7754EB4075CF14482AED06A3340FA78FE41C696

Function 0046714F Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0045A1E8: GetLastError.KERNEL32(?,?,0042AC26,00488110,0000000C), ref: 0045A1EC
Part of subcall function 0045A1E8: SetLastError.KERNEL32(00000000), ref: 0045A28E

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 004671A3

Strings

utf8, xrefs: 00467112
0G, xrefs: 00466FCB

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID: 0G$utf8
API String ID: 3736152602-304224658
Opcode ID: c4d66a81324911c88fcf208b821201eaeeb271531dcae25a180b4c7a4b1cfb1c
Instruction ID: fa072aaf3621b6c600f7ee6d49297d799d099921117ef1e626a9e774d74d0052
Opcode Fuzzy Hash: c4d66a81324911c88fcf208b821201eaeeb271531dcae25a180b4c7a4b1cfb1c
Instruction Fuzzy Hash: 1EF02832650105ABC714AF35DC45EFE37A8DB45319F10017FBA02D7242EE7CAD058759

Function 004672FA Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0045A1E8: GetLastError.KERNEL32(?,?,0042AC26,00488110,0000000C), ref: 0045A1EC
Part of subcall function 0045A1E8: SetLastError.KERNEL32(00000000), ref: 0045A28E

EnumSystemLocalesW.KERNEL32(004675D8,00000001,?,?,-00000050,?,0046797A,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00467344

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: b7a0f810bcfe53e07d7fc70bb075c146880630caba9b778147e9f9a0d2b0c5cc
Instruction ID: fc74b1aa4cc07033185a3d517e1fa4bb0f3d8f3c1d36491c739fe7c6330149b4
Opcode Fuzzy Hash: b7a0f810bcfe53e07d7fc70bb075c146880630caba9b778147e9f9a0d2b0c5cc
Instruction Fuzzy Hash: 6FF046322043041FDB245F359C81A7A7B90EF8136CF08846EFE0A8B780EA75AC82D758

Function 00458672 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446CD0: EnterCriticalSection.KERNEL32(?,?,00459A2C,?,004886F0,00000008,00459E1F,?,?,?), ref: 00446CDF

EnumSystemLocalesW.KERNEL32(0045865F,00000001,00488690,0000000C,00458F9F,00000000), ref: 004586AA

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: dbfcf1c1844c2670dc3e1d1cd3b4c41c7e0815f0b3f5e6156f2c1d3ba676acf2
Instruction ID: 5bc693e36aa8646ff851b2630d08f11eefc5b773928b724c4f2137103c0c6ce8
Opcode Fuzzy Hash: dbfcf1c1844c2670dc3e1d1cd3b4c41c7e0815f0b3f5e6156f2c1d3ba676acf2
Instruction Fuzzy Hash: D0F03772A50200DFD700EF99E842B9D77A0FB09725F20452FF910AB2A1CBB94944CF49

Function 0041B80D Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,00418FEF,00000000,?,00000004,004179DE,?,00000004,00417FE5,00000000,00000000), ref: 0041B826

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: c6ef6c353049330d652d419a0b2e035ad532233f5d5632a0da15e87606c45c39
Instruction ID: febf0681777082d932c0a5b3cec477021a98970a47090d25a8469f69ea1c011e
Opcode Fuzzy Hash: c6ef6c353049330d652d419a0b2e035ad532233f5d5632a0da15e87606c45c39
Instruction Fuzzy Hash: 7AE0D836290204B6E709EBBCDD0FFEB369CDB01B0AF104256F106E51C1CBA8CB80D199

Function 004671F6 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0045A1E8: GetLastError.KERNEL32(?,?,0042AC26,00488110,0000000C), ref: 0045A1EC
Part of subcall function 0045A1E8: SetLastError.KERNEL32(00000000), ref: 0045A28E

EnumSystemLocalesW.KERNEL32(0046714F,00000001,?,?,?,004679D8,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0046722D

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 10858563b50706b110efb2549e88d005adbe6ccf9c0965e19481c3c1a2a946a4
Instruction ID: 48d77c2d811d545978aa0e75d8ef70d8b4718f83900eb4a4eaa4e20278e4d721
Opcode Fuzzy Hash: 10858563b50706b110efb2549e88d005adbe6ccf9c0965e19481c3c1a2a946a4
Instruction Fuzzy Hash: 29F0553630020557CB04AF35CC156ABBF94EFC2728B4A409EFE198B340DA399883CBA5

Function 0045912E Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,004576BB,?,20001004,00000000,00000002,?,?,00456A33), ref: 00459162

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 344f6520afc24cf18c64a15da9c2abc93e0ce26bc415b2b473480c1388c7168b
Instruction ID: fcc5a3cc7e2871adbfd58104ad54b877ca3188bb0237113c517d5ddcd7247c7a
Opcode Fuzzy Hash: 344f6520afc24cf18c64a15da9c2abc93e0ce26bc415b2b473480c1388c7168b
Instruction Fuzzy Hash: F8E04F31541628FBDF122F61DC09EAE3F19EF44762F04442AFD0966262CF398D21AA99

Function 00458803 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(Function_0006865F,00000001), ref: 0045881D

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 0fe193306ef79eca68474028d4a4079bdc2af0d366a8e1bbcade256144c21c12
Instruction ID: f01a687fe11880dba9b96032c98ec2ecdd2e8490e8a276ab8ad65a5f60c0743b
Opcode Fuzzy Hash: 0fe193306ef79eca68474028d4a4079bdc2af0d366a8e1bbcade256144c21c12
Instruction Fuzzy Hash: 28D09231594304ABDB446F52EC4AA143B66F785725F64082EF908662A2DFFA68518A4C

Function 0041D07F Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002D08E,0041C174), ref: 0041D084

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 92c4597ba61eb7137caee8de41abc8c807fdcd7f2ca210af8783842640dc1d05
Instruction ID: cc9aedb05a62b1d87b9331fd306dd5cb774320c7ac43f4f888dfe8ccb5d7669e
Opcode Fuzzy Hash: 92c4597ba61eb7137caee8de41abc8c807fdcd7f2ca210af8783842640dc1d05
Instruction Fuzzy Hash:

Function 00452595 Relevance: .7, Instructions: 655COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: bb43d45be5e09e650bd98d7837c3faac526adc4de985947fbf36a808a616297c
Instruction ID: ace1281d83fbfc78b99edd7c53b3effd0b366cfa6e70299e357a6c82325c6cde
Opcode Fuzzy Hash: bb43d45be5e09e650bd98d7837c3faac526adc4de985947fbf36a808a616297c
Instruction Fuzzy Hash: 2332A474A00206DFCF18CF98CA81ABEB7B5EF46305F24416EDC41A7316D675AE4ACB94

Function 0044C98E Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc234cc5b6bcedc6e5f4cbfcf4ada8d3665ec171457eb7034c8c541d9753a991
Instruction ID: 763259b6fbf7c47b902b8f02445e574d18871aea2058d14c5c16afe085d9f3c4
Opcode Fuzzy Hash: dc234cc5b6bcedc6e5f4cbfcf4ada8d3665ec171457eb7034c8c541d9753a991
Instruction Fuzzy Hash: A5126E71A012298FEB65CF18C8C0BAAB7B9FF45304F1840EAD949EB245D7749E81CF85

Function 0044FE50 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e05f526d6c0918f504bedfe13be593fa5d9bb95389b53d6cc604d22c41471a2
Instruction ID: 30efc4feacad5b962f27ef9251d6d8f03a02b1f1cc72120d648e012e1214cf6a
Opcode Fuzzy Hash: 9e05f526d6c0918f504bedfe13be593fa5d9bb95389b53d6cc604d22c41471a2
Instruction Fuzzy Hash: C5E17075A002288FDB25DF58D880BAAB7B8FF46305F1441EBE849A7342D7349E858F46

Function 00401550 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dbc3d2f66e467b2961a582e45db2979010f1329c0676bb916b8b98d7f6372a
Instruction ID: 07180a4dfcab4c9ef81a4d958d75507219a206095ca2d300c739c31b200b4781
Opcode Fuzzy Hash: 05dbc3d2f66e467b2961a582e45db2979010f1329c0676bb916b8b98d7f6372a
Instruction Fuzzy Hash: B5B1B272D112188BDB11DFB9C4812DDF7B1AFAA314F29C36BD824B7360E735AA818744

Function 0044FA10 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65070c2f9e41076afd7605473aae0f998b1369b75fbd57c50fe5d59937156dfd
Instruction ID: 6ee2794eb5f6d75bff4ba8e1ed424a5af377e3ece473b5fd783f6a92fd368621
Opcode Fuzzy Hash: 65070c2f9e41076afd7605473aae0f998b1369b75fbd57c50fe5d59937156dfd
Instruction Fuzzy Hash: DFA12C75A001698BDB24DF18C880BEEB7B5FB89304F2541EBDC09A7341D775AE858F85

Function 0044D461 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae62b88f01cb4a4f6514a758ad5d2aa8a52e993fd2c7fac2ce4aaa76944c7f0
Instruction ID: b60f13c6188ec48b1cccdcfa597e7a896a271098bd635ec14d0b3111ca6c0ce2
Opcode Fuzzy Hash: 6ae62b88f01cb4a4f6514a758ad5d2aa8a52e993fd2c7fac2ce4aaa76944c7f0
Instruction Fuzzy Hash: 54516371E00119AFDF14CF99C941AEEBBB1EF84314F19809DE415AB341D734AE51CB95

Function 0041EC10 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 2e76678fa799f5b04324568693b925fb87d3834662be7ee633d99751084251d9
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 35110B7F20004183D614862FCDF86F7A795EACA321B2C4377D8424B758F12A95C5A68C

Function 0045A73F Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391a6573f4fe22a487b3b1aca6a1e80b04b61327a8dfff2c957b84f3a8b165d4
Instruction ID: 3c6a6e894cb6101d2f68335ecb96ffd08ee090a42de256459aa3be59981486b7
Opcode Fuzzy Hash: 391a6573f4fe22a487b3b1aca6a1e80b04b61327a8dfff2c957b84f3a8b165d4
Instruction Fuzzy Hash: CEF040322002219BC716DA9CCA48B9573B8EB09B01F004247EA02EB352D2A8CE04C3CA

Function 0045A565 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44791a8bd089cea976374833b5e5a08ed1a89722e1081bd559db93eb5a52482f
Instruction ID: 30e8bbe1eff847ca9a1d5c7d950bfd249b4d87372d0163212749e414f9960af6
Opcode Fuzzy Hash: 44791a8bd089cea976374833b5e5a08ed1a89722e1081bd559db93eb5a52482f
Instruction Fuzzy Hash: 1DF06D3124020CFFC716CA6DC549F5973E4EB05707F204666AA07DB752E678DE58C60A

Function 0045A6CA Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d9ec40200cb10b7115b5ec3d5aa2eb1304b9d01f7512890e7f56a34e7429e8
Instruction ID: 992a941f9a9278038402b39fd98fe1862c14f7ebf83d5bb28925baab49c1af3b
Opcode Fuzzy Hash: e6d9ec40200cb10b7115b5ec3d5aa2eb1304b9d01f7512890e7f56a34e7429e8
Instruction Fuzzy Hash: 73F0A031610220DBCB12CB8EC845B4973BCEB09B95F11405BE841E7252CBB8ED44CBD4

Function 0045A4DF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa490093fb1ccd5579076fc6fc5896914ea530780350ad677dbcd92b4cf2393
Instruction ID: d9baad4cc46a75719148bddb089033ab6ea5fc5834014878945acf2b2dda3dd3
Opcode Fuzzy Hash: 0fa490093fb1ccd5579076fc6fc5896914ea530780350ad677dbcd92b4cf2393
Instruction Fuzzy Hash: D8E06D39600248EFCB45CF5AC544F0AB3F8EB49749F10406DE809D7652E738DE44CB54

Function 0045A522 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a8bd449331e0fbaff9db047ca477c3f5c70dcfc62e26df1ed4ec29e47070cf
Instruction ID: 59e521a1b95270436db776aa525ad5e9776d56dbc4122a677bba2d83919c8c19
Opcode Fuzzy Hash: 66a8bd449331e0fbaff9db047ca477c3f5c70dcfc62e26df1ed4ec29e47070cf
Instruction Fuzzy Hash: 94E06D35600248EFCB45CF6AC584F0973F8EB49789F108069E845D7752E738DE44CB54

Function 0045A70E Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d4e2dfcbfd14504dd5c583896d366168cbc076de7f7db6caaae018fb7c7fb6
Instruction ID: 8a890c79ff57300802864f0d721017863850aa235fe387ff2e2004d40e088d21
Opcode Fuzzy Hash: d9d4e2dfcbfd14504dd5c583896d366168cbc076de7f7db6caaae018fb7c7fb6
Instruction Fuzzy Hash: 8CE08C32911228EBCB15DB9DC90498AF3FCEB48B06B1201ABF901E3202C674DE04C7D4

Function 0045A5C0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a167dba0b7fe516a20e84a041e270c8a941c5198453821c7edd0995884e7b0c9
Instruction ID: 90513425b63049aea5bfb43dc6de30ecb73ac61fb036262dec07327c0735fc05
Opcode Fuzzy Hash: a167dba0b7fe516a20e84a041e270c8a941c5198453821c7edd0995884e7b0c9
Instruction Fuzzy Hash: B6E08230905248EFCB00CBA9C048E4AB3F8EB0834AF2048A9E804D7242D638EE88CA00

Function 004557D9 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90b54524ff4a66a353ae9917df2b8be735c315749e427826934948b66141c99
Instruction ID: cdb87c87c0ac02fc8090e8aa9c19c02475ebe9987d53c655645564bc5f7521b5
Opcode Fuzzy Hash: c90b54524ff4a66a353ae9917df2b8be735c315749e427826934948b66141c99
Instruction Fuzzy Hash: 2FC0123804098086CE29CA1882753BA33A8AB9A7C3F80148EC8120AB43C51E9C8ADB05

Function 00426DBC Relevance: 19.8, APIs: 13, Instructions: 332
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DName::operator+.LIBCMT ref: 00426E85
DName::operator+.LIBCMT ref: 00426EC2
DName::DName.LIBVCRUNTIME ref: 00426ED6
DName::operator+.LIBCMT ref: 00426EE5
DName::operator+.LIBCMT ref: 00426F73
DName::DName.LIBVCRUNTIME ref: 00426F9B
DName::operator+.LIBCMT ref: 00426FA9
DName::operator+.LIBCMT ref: 00426FE3
DName::operator+.LIBCMT ref: 00427024
UnDecorator::getReturnType.LIBCMT ref: 00427054
operator+.LIBVCRUNTIME ref: 00427156

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::$Decorator::getReturnTypeoperator+
String ID:
API String ID: 2932655852-0
Opcode ID: 4242e687256c9fc5f5ec6ccd2b453579edffa5275be1e6c6ab62c45d589fed60
Instruction ID: a5cde05aafc80c3bfaaca524e4471942dfda28ae7e749830cce3f4058e95a966
Opcode Fuzzy Hash: 4242e687256c9fc5f5ec6ccd2b453579edffa5275be1e6c6ab62c45d589fed60
Instruction Fuzzy Hash: D6C1A176A04228AFDB04EF95E895EEE77B4EF08304F91006FF501A7381DB389A45CB58

Function 004283B4 Relevance: 19.8, APIs: 13, Instructions: 305
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DName::operator+.LIBCMT ref: 0042841F
DName::operator+.LIBCMT ref: 00428562

Part of subcall function 00423D3A: shared_ptr.LIBCMT ref: 00423D56

DName::operator+.LIBCMT ref: 0042850D
DName::operator+.LIBCMT ref: 004285AE
DName::operator+.LIBCMT ref: 004285BD
DName::operator+.LIBCMT ref: 004286E9
DName::operator=.LIBVCRUNTIME ref: 00428729
DName::DName.LIBVCRUNTIME ref: 00428733
DName::operator+.LIBCMT ref: 00428750
DName::operator+.LIBCMT ref: 0042875C

Part of subcall function 00429C74: Replicator::operator[].LIBCMT ref: 00429CB1

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]shared_ptr
String ID:
API String ID: 1043660730-0
Opcode ID: c1b264d577488d8edfba1feb5eb5c37d4f11401ca2c081994e4791fe3fcdfbe1
Instruction ID: 414f92ddf917af93faee912682137a1df939f0604a93fdf62e51079cee6b6001
Opcode Fuzzy Hash: c1b264d577488d8edfba1feb5eb5c37d4f11401ca2c081994e4791fe3fcdfbe1
Instruction Fuzzy Hash: 94C1C371A012249FDB24DFA4E849FEEB7F4AF15304F94449FE146A7281DB7D9A44CB08

Function 003F59E0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 003F59ED
std::_Lockit::_Lockit.LIBCPMT ref: 003F5A07
std::_Lockit::~_Lockit.LIBCPMT ref: 003F5A28
std::_Lockit::~_Lockit.LIBCPMT ref: 003F5A54
std::_Lockit::~_Lockit.LIBCPMT ref: 003F5A89
std::_Lockit::_Lockit.LIBCPMT ref: 003F5AC6
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003F5B17
__Getctype.LIBCPMT ref: 003F5B2E
std::_Facet_Register.LIBCPMT ref: 003F5B47
std::_Lockit::~_Lockit.LIBCPMT ref: 003F5B60

Strings

bad locale name, xrefs: 003F5B6F

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_GetctypeLocinfo::_Locinfo_ctorRegister
String ID: bad locale name
API String ID: 1407599034-1405518554
Opcode ID: b909ad2e58b154654d2c3bff5ea1351cb821a6c31b8570b92b6f00076271cbf6
Instruction ID: 634de901754b733bed872be614f8eb2873c56435bf5eb55f4954ffce6664413c
Opcode Fuzzy Hash: b909ad2e58b154654d2c3bff5ea1351cb821a6c31b8570b92b6f00076271cbf6
Instruction Fuzzy Hash: 574137316043889FC712DF58D880B7AB7E0FF94710F05496EFA899B252DB35E909CB92

Function 003F5F70 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 003F5F7D
std::_Lockit::_Lockit.LIBCPMT ref: 003F5F97
std::_Lockit::~_Lockit.LIBCPMT ref: 003F5FB8
std::_Lockit::~_Lockit.LIBCPMT ref: 003F5FE4
std::_Lockit::~_Lockit.LIBCPMT ref: 003F6019
std::_Lockit::_Lockit.LIBCPMT ref: 003F6056
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003F60A7
std::_Facet_Register.LIBCPMT ref: 003F60C6
std::_Lockit::~_Lockit.LIBCPMT ref: 003F60DF

Strings

bad locale name, xrefs: 003F60EE

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_Locinfo::_Locinfo_ctorRegister
String ID: bad locale name
API String ID: 3434717313-1405518554
Opcode ID: dcc3e752a5039425cc3ce0824ec91ad3949885ab0315595d03aab3cac38b8caa
Instruction ID: e52dfe4da749d199823bccb10c5e6d914afb6182a4a453fec1939d5ccc40e512
Opcode Fuzzy Hash: dcc3e752a5039425cc3ce0824ec91ad3949885ab0315595d03aab3cac38b8caa
Instruction Fuzzy Hash: 4E4125312043489FC312DF58D881B6AF7E0EF91310F15486EFA899B261DB35ED09CB96

Function 0042544F Relevance: 16.9, APIs: 11, Instructions: 359COMMONLIBRARYCODE

Download Yara Rule

APIs

shared_ptr.LIBCMT ref: 004254C2
shared_ptr.LIBCMT ref: 0042550A
shared_ptr.LIBCMT ref: 00425529
operator+.LIBVCRUNTIME ref: 00425657
DName::operator=.LIBVCRUNTIME ref: 00425669
shared_ptr.LIBCMT ref: 004258AE
DName::operator+.LIBCMT ref: 004258F0
operator+.LIBVCRUNTIME ref: 00425936

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: shared_ptr$operator+$Name::operator+Name::operator=
String ID:
API String ID: 1464150960-0
Opcode ID: 8d279420f24d8b2b10f8b99818521fe0743273ec9b623a3c42be63cd3713784c
Instruction ID: fce002f16474c29a4ed36056954a21a2618652d5ad34001ea683c8a8fd3cc9df
Opcode Fuzzy Hash: 8d279420f24d8b2b10f8b99818521fe0743273ec9b623a3c42be63cd3713784c
Instruction Fuzzy Hash: 2CE169B1E0062ADACB04DF95E498AFFBBB4EF04304F90815BD516A7241D77C4A49CF99

Function 00429C74 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 185COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBCMT ref: 00429CB1

Strings

template-parameter-, xrefs: 00429D10
@, xrefs: 00429E1D
generic-type-, xrefs: 00429D37

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Replicator::operator[]
String ID: @$generic-type-$template-parameter-
API String ID: 3676697650-1320211309
Opcode ID: b53610955d8068a9a12a771f7b2e73f8559dcd42d76b85e4ca0d07439677619d
Instruction ID: 532a77ca1f711164bcbd51e229507536b5a65f36d71e914ad744e0f85bdfa4a4
Opcode Fuzzy Hash: b53610955d8068a9a12a771f7b2e73f8559dcd42d76b85e4ca0d07439677619d
Instruction Fuzzy Hash: EC61D271E002199FDB10DFA5E845AEEB7B8AF18304F90806BE505A7291DB7C9D05CB9D

Function 00445B65 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 487COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00445F3D

Strings

f, xrefs: 00445C77
:, xrefs: 00445C30
f, xrefs: 00445C5B
f, xrefs: 00445CBD
p, xrefs: 00445C7E
p, xrefs: 00445CC4
p, xrefs: 00445C62

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: :$f$f$f$p$p$p
API String ID: 3732870572-1434680307
Opcode ID: 53faec21a0f61ad56f913964f669a59e52bd3e7363a596dc7a2b68de40648e67
Instruction ID: 271921236e9888cadef87aeda415862ef256f4db4c08b6b54523f77e52683e30
Opcode Fuzzy Hash: 53faec21a0f61ad56f913964f669a59e52bd3e7363a596dc7a2b68de40648e67
Instruction Fuzzy Hash: A80292759002189BFF30CF64D6496EEB7B6FF42B14FA1810BD4157B286D7388E858B1A

Function 00412600 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00412607

Part of subcall function 00409020: __EH_prolog3.LIBCMT ref: 00409027
Part of subcall function 00409020: std::_Lockit::_Lockit.LIBCPMT ref: 00409031

Strings

:AM:am:PM:pm, xrefs: 0041299C
%d / %m / %y, xrefs: 0041296A
%b %d %H : %M : %S %Y, xrefs: 004128BF
%m / %d / %y, xrefs: 00412703
%I : %M : %S %p, xrefs: 00412991
%H : %M, xrefs: 0041274C
%H : %M : %S, xrefs: 004127C3

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3$LockitLockit::_std::_
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 2181796688-2891247106
Opcode ID: ee78f738b5d791e510dcfc4965dbdc39ea97b6c73f5f38c9b9ad9b4424f1a1df
Instruction ID: 75655a606b08c9a63ce2cd3c95dc9768b60f5f17d312400a7c17efb4fcc91276
Opcode Fuzzy Hash: ee78f738b5d791e510dcfc4965dbdc39ea97b6c73f5f38c9b9ad9b4424f1a1df
Instruction Fuzzy Hash: E5C181B250010AAFDF18DF58CA55DFF7BA8EB04304F14411BFA16E6291D678DAA0CB69

Function 004129F0 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004129F7

Part of subcall function 004090B5: __EH_prolog3.LIBCMT ref: 004090BC
Part of subcall function 004090B5: std::_Lockit::_Lockit.LIBCPMT ref: 004090C6

Strings

:AM:am:PM:pm, xrefs: 00412D8C
%d / %m / %y, xrefs: 00412D5A
%b %d %H : %M : %S %Y, xrefs: 00412CAF
%m / %d / %y, xrefs: 00412AF3
%I : %M : %S %p, xrefs: 00412D81
%H : %M, xrefs: 00412B3C
%H : %M : %S, xrefs: 00412BB3

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3$LockitLockit::_std::_
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 2181796688-2891247106
Opcode ID: 8d4768357198707abb3cfe9af3d93f76d864ed6b8a38e29388da948788bbd64f
Instruction ID: 637e9393de0fcaa62c429f9af951396c962f9f37bec9bb7c7b2318c15b26907a
Opcode Fuzzy Hash: 8d4768357198707abb3cfe9af3d93f76d864ed6b8a38e29388da948788bbd64f
Instruction Fuzzy Hash: 4DC1817250010AABDB18DF58CA65DFF7BB8EF05304F15411BFA06E6251D278DAA0CB69

Function 00419CE7 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 351COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00419CEE

Part of subcall function 003F59E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F59ED
Part of subcall function 003F59E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F5A07
Part of subcall function 003F59E0: std::_Lockit::~_Lockit.LIBCPMT ref: 003F5A28
Part of subcall function 003F59E0: std::_Lockit::~_Lockit.LIBCPMT ref: 003F5A54

Strings

:AM:am:PM:pm, xrefs: 0041A083
%d / %m / %y, xrefs: 0041A051
%b %d %H : %M : %S %Y, xrefs: 00419FA6
%m / %d / %y, xrefs: 00419DEA
%I : %M : %S %p, xrefs: 0041A078
%H : %M, xrefs: 00419E33
%H : %M : %S, xrefs: 00419EAA

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: 5b7a16d910241c0936fc5ff66c198bb8b78238579b9f4e2117081fd357d08d51
Instruction ID: 882cf3528909a99356e8ea24f9475fbddb0d005f209b34a0d2c832906bc422ee
Opcode Fuzzy Hash: 5b7a16d910241c0936fc5ff66c198bb8b78238579b9f4e2117081fd357d08d51
Instruction Fuzzy Hash: 85C1817254020AAFDB18DF58C965DFF3BE8EB09300F14451BF606E6291D239DE91CB6A

Function 003F7220 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 003F7272
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003F72C7
Concurrency::cancel_current_task.LIBCPMT ref: 003F7391
Concurrency::cancel_current_task.LIBCPMT ref: 003F7396
Concurrency::cancel_current_task.LIBCPMT ref: 003F739B

Strings

true, xrefs: 003F7355
bad locale name, xrefs: 003F7387
false, xrefs: 003F732F

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name$false$true
API String ID: 164343898-1062449267
Opcode ID: 3cedb9d7275991b956e1ab5a0226b29e1aff321f3185218a77d718fa976dd63f
Instruction ID: 532247e06a895261ef1f3af79f16cbb1613659b972f69e3b5325bfea70ff3fb3
Opcode Fuzzy Hash: 3cedb9d7275991b956e1ab5a0226b29e1aff321f3185218a77d718fa976dd63f
Instruction Fuzzy Hash: 9D41DE741483449FD721EF65C841B6ABBE4AF84300F04495EFA888B391D7B9D449CBA6

Function 0041B49B Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0041B4A1
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0041B4AF
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0041B4C0
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 0041B4D1

Strings

kernel32.dll, xrefs: 0041B49C
GetTempPath2W, xrefs: 0041B4C6
GetCurrentPackageId, xrefs: 0041B4A9
GetSystemTimePreciseAsFileTime, xrefs: 0041B4B5

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 90673c52204e63aee60387260f2789db759f982672676d7f1ecf7504acd61f9d
Instruction ID: aecaa4f1ea486f3f9259d2b47d3963f1dfbc341b79e45af4a02591a29ea5c606
Opcode Fuzzy Hash: 90673c52204e63aee60387260f2789db759f982672676d7f1ecf7504acd61f9d
Instruction Fuzzy Hash: 68E0E631581250AF83106F747C0D99B3E54FA45712311853BF50DD2261EAF944588BBD

Function 00428EBB Relevance: 13.8, APIs: 9, Instructions: 297COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 00428F91
UnDecorator::getSignedDimension.LIBCMT ref: 00428F9C
UnDecorator::getSignedDimension.LIBCMT ref: 00429088
UnDecorator::getSignedDimension.LIBCMT ref: 004290A5
UnDecorator::getSignedDimension.LIBCMT ref: 004290C2
DName::operator+.LIBCMT ref: 004290D7
UnDecorator::getSignedDimension.LIBCMT ref: 004290F1
DName::operator+.LIBCMT ref: 004291C6

Part of subcall function 00424E74: DName::DName.LIBVCRUNTIME ref: 00424ED2

DName::DName.LIBVCRUNTIME ref: 0042923D

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Decorator::getDimensionSigned$Name::operator+$NameName::
String ID:
API String ID: 3679549980-0
Opcode ID: 6a7418aae6068401cf2e3677b3ea113663646030b0632d2233553a8b6a362c6a
Instruction ID: 8a7b2423ec6d1cc2b745cb08d35fb137a532b954bbfdd795850540f101d9ae74
Opcode Fuzzy Hash: 6a7418aae6068401cf2e3677b3ea113663646030b0632d2233553a8b6a362c6a
Instruction Fuzzy Hash: 8591B171F0422A99DB14EFB6F949AFF7779AB04304FE0441FE101A6281DE7C9E05866D

Function 004222B6 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 004223D5
___TypeMatch.LIBVCRUNTIME ref: 004224E3
_UnwindNestedFrames.LIBCMT ref: 00422635
CallUnexpected.LIBVCRUNTIME ref: 00422650

Strings

csm, xrefs: 0042240C
csm, xrefs: 004222F3
csm, xrefs: 00422360

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 729e3641ad9b6972ced4a2ec7db3f9c5dd2ee9ba6b809f257cda40fa4683e341
Instruction ID: c748332a4cba55b665b610f13ae1d238824afc5e49b95c579f456394038a283d
Opcode Fuzzy Hash: 729e3641ad9b6972ced4a2ec7db3f9c5dd2ee9ba6b809f257cda40fa4683e341
Instruction Fuzzy Hash: B1B1BF71A00229FFCF14DFA5EA409AFB7B4FF14304B94815BE8106B212C7B8DA51CB99

Function 0045FA6B Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 0045FCE4

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 77a7d0fa175b6356cb51276f5df019ac61c6ecfbab5930f0b92887b075481b1c
Instruction ID: 052bb3f6dd9402d5053cb5c5b5f6bf7052fd4c1a2a06de9c1970dba718f3a4e8
Opcode Fuzzy Hash: 77a7d0fa175b6356cb51276f5df019ac61c6ecfbab5930f0b92887b075481b1c
Instruction Fuzzy Hash: B5B10471A002099FDB11DF99C880BAE7BB1AF45305F14416BED01AB393C7789D4ECB6A

Function 0040E3C0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040E3C7
_Maklocstr.LIBCPMT ref: 0040E42E
_Maklocstr.LIBCPMT ref: 0040E440
_Maklocchr.LIBCPMT ref: 0040E458
_Maklocchr.LIBCPMT ref: 0040E468

Strings

true, xrefs: 0040E43B
false, xrefs: 0040E429

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: MaklocchrMaklocstr$H_prolog3_
String ID: false$true
API String ID: 2404127365-2658103896
Opcode ID: 99e7b971e7202e15a6b39e49597b9b4e7ae33bb80f7b3139cdc2819b46701caf
Instruction ID: 1c70b92b5409e6932430837e3ce4f43def1d6702eaa523cc892dc406ef23c5a3
Opcode Fuzzy Hash: 99e7b971e7202e15a6b39e49597b9b4e7ae33bb80f7b3139cdc2819b46701caf
Instruction Fuzzy Hash: F5217CB1C00348AADF14EFA6C885DAEB7B8AF45700F00885BF905AF295EB78D550CB64

Function 00425203 Relevance: 10.7, APIs: 7, Instructions: 151COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 00425291
DName::operator+.LIBCMT ref: 004252E4

Part of subcall function 00423D3A: shared_ptr.LIBCMT ref: 00423D56

Part of subcall function 00423C29: DName::operator+.LIBCMT ref: 00423C4A

DName::operator+.LIBCMT ref: 004252D5
DName::operator+.LIBCMT ref: 00425335
DName::operator+.LIBCMT ref: 00425342
DName::operator+.LIBCMT ref: 00425389
DName::operator+.LIBCMT ref: 00425396

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Name::operator+$shared_ptr
String ID:
API String ID: 1037112749-0
Opcode ID: ee89fda926af3d37fa7e50c54335fa2b0d50928cf5262bd702546002d54e397b
Instruction ID: 234f84d9a7f023f6cdf65cd6010f04a78d5fabe4d3f2041c88c689950bc0e1ec
Opcode Fuzzy Hash: ee89fda926af3d37fa7e50c54335fa2b0d50928cf5262bd702546002d54e397b
Instruction Fuzzy Hash: 00516A72A00228ABDF15DF95E845EEFB7B8AB08305F44445FF505B7281DB789A44CBA8

Function 00421A80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00421AB7
___except_validate_context_record.LIBVCRUNTIME ref: 00421ABF
_ValidateLocalCookies.LIBCMT ref: 00421B48
__IsNonwritableInCurrentImage.LIBCMT ref: 00421B73
_ValidateLocalCookies.LIBCMT ref: 00421BC8

Strings

csm, xrefs: 00421B5D

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 2a3dfc1e3ba5c1e86e37ab9b8a2f17d7bd0752c3226b7fedcf2f6e2ae35e03fe
Instruction ID: 5f1ec1f2a8d00edc3a4a40cd5e82d146bc90078225afeccc5f96c88d58ece791
Opcode Fuzzy Hash: 2a3dfc1e3ba5c1e86e37ab9b8a2f17d7bd0752c3226b7fedcf2f6e2ae35e03fe
Instruction Fuzzy Hash: 8941F630B00228ABCF00DF29D841A9E7FB0BF15318F54805BE8145B362D739AA15CB99

Function 003F7880 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 113COMMON

Download Yara Rule

Strings

true, xrefs: 003F7954
false, xrefs: 003F7929
ios_base::badbit set, xrefs: 003F78F2, 003F7909

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: false$ios_base::badbit set$true
API String ID: 0-1679644946
Opcode ID: eb622e4fa44840247af2b3cc5221a64d602236f06c6ff689db2113bbb21223e8
Instruction ID: 9fda6c8c7fb04b4ad700603e417afc49ae21b51920335d1474bbb9af5ff26736
Opcode Fuzzy Hash: eb622e4fa44840247af2b3cc5221a64d602236f06c6ff689db2113bbb21223e8
Instruction Fuzzy Hash: 84313B756043448FD311DF74D841BA7BBE4AF45304F0889AEE9C98B322D7B6D809CBA2

Function 003F7AA0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

Strings

true, xrefs: 003F7B67
false, xrefs: 003F7B3C
ios_base::badbit set, xrefs: 003F7B05, 003F7B1C

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: false$ios_base::badbit set$true
API String ID: 0-1679644946
Opcode ID: dc946e1c2eedc7c99c32b1fffb6f61f3e935d6d5ec81e82073e39ca32fdb082b
Instruction ID: 3e86ccd2c5d50c74e75481cbe853a4367ffc1126d5ed017a479d6b2857806bf6
Opcode Fuzzy Hash: dc946e1c2eedc7c99c32b1fffb6f61f3e935d6d5ec81e82073e39ca32fdb082b
Instruction Fuzzy Hash: 1A317A751443444FD711EF74A84177BBFA49F52304F0888AEEAC54B312D7B7980AC7A2

Function 0040E2E7 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040E2EE
_Maklocstr.LIBCPMT ref: 0040E357
_Maklocstr.LIBCPMT ref: 0040E369
_Getvals.LIBCPMT ref: 0040E3B3

Strings

true, xrefs: 0040E364
false, xrefs: 0040E352

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Maklocstr$GetvalsH_prolog3_
String ID: false$true
API String ID: 1611767717-2658103896
Opcode ID: 6e94405daa38bb1ec08c738693b56275eee1a3e29f942cdaf161775e259a5fb2
Instruction ID: 9f213076e34317047ad7df5b0bf018d24ce15e682fb15b30164cc2c23dfb59b4
Opcode Fuzzy Hash: 6e94405daa38bb1ec08c738693b56275eee1a3e29f942cdaf161775e259a5fb2
Instruction Fuzzy Hash: 372171B1D40308AADF14FFE6D885ADE7B68AF05710F00845BF915AF282DB748554CBA5

Function 00470808 Relevance: 9.2, APIs: 6, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(015A54D0,015A54D0,?,7FFFFFFF,?,00470AD8,015A54D0,015A54D0,?,015A54D0,?,?,?,?,015A54D0,?), ref: 004708AE
__freea.LIBCMT ref: 00470A43
__freea.LIBCMT ref: 00470A49
__freea.LIBCMT ref: 00470A7F
__freea.LIBCMT ref: 00470A85
__freea.LIBCMT ref: 00470A95

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: __freea$Info
String ID:
API String ID: 541289543-0
Opcode ID: 4bcb24920e72770f31e38220167a8d24629793fcab21cffe7faf691791be7e20
Instruction ID: 2ab9b6eb88b1bacaa4a74c92695b4b23228e40199db310b5852f34dc7eec2f67
Opcode Fuzzy Hash: 4bcb24920e72770f31e38220167a8d24629793fcab21cffe7faf691791be7e20
Instruction Fuzzy Hash: ED71C672901306DBDF21AAA4CC41FEF77B9AF55314F19806BE91DA7282E63DDC008799

Function 0041BD8E Relevance: 9.2, APIs: 6, Instructions: 225COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?), ref: 0041BE19
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0041BEA5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041BF10
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0041BF2C
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041BF8F
CompareStringEx.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041BFAC

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$CompareInfoString
String ID:
API String ID: 2984826149-0
Opcode ID: 01a52a310d0eed7c9acc899d3a462634c208adcd48b3de2172202c2a7aa56a56
Instruction ID: 726af019efacefcd3c971db039ae46f99047a08838126b5d2ccc7db9588ab579
Opcode Fuzzy Hash: 01a52a310d0eed7c9acc899d3a462634c208adcd48b3de2172202c2a7aa56a56
Instruction Fuzzy Hash: EC71CF32900259ABDF219F64CC85BEF7BB5EF05714F19406AEA04F6291D7388C85CBE9

Function 003FEA67 Relevance: 9.2, APIs: 6, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 003FEAB0
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 003FEB1B
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003FEB38
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 003FEB77
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003FEBD6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 003FEBF9

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: fb9a826fb0dfdf6266b080cc893b156bf170fdc0d3bc059421f36c8a815bb2df
Instruction ID: 31db1918b53f5e32b81ffba7d2ff088faa8f97d70afd6d30bf4780179192ed1e
Opcode Fuzzy Hash: fb9a826fb0dfdf6266b080cc893b156bf170fdc0d3bc059421f36c8a815bb2df
Instruction Fuzzy Hash: 4C519E7250020EABEF229F61CC45FBA7BA9FF44750F164529FA15E6160DB389C548B60

Function 00429B20 Relevance: 9.1, APIs: 6, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 00429B64
DName::operator+.LIBCMT ref: 00429B70

Part of subcall function 00423D3A: shared_ptr.LIBCMT ref: 00423D56

DName::operator+=.LIBCMT ref: 00429C2E

Part of subcall function 004283B4: DName::operator+.LIBCMT ref: 0042841F
Part of subcall function 004283B4: DName::operator+.LIBCMT ref: 004286E9

Part of subcall function 00423C29: DName::operator+.LIBCMT ref: 00423C4A

DName::operator+.LIBCMT ref: 00429BEB

Part of subcall function 00423D92: DName::operator=.LIBVCRUNTIME ref: 00423DB3

DName::DName.LIBVCRUNTIME ref: 00429C52
DName::operator+.LIBCMT ref: 00429C5E

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
String ID:
API String ID: 2795783184-0
Opcode ID: e3000a6e0272c83d31359d536908e6994c44857775c737a55f139ce3cca35c93
Instruction ID: f7aa2e4b69dc9abd6e7ef546431b3a6d33336e0a92faff241f2e17c05be1e86c
Opcode Fuzzy Hash: e3000a6e0272c83d31359d536908e6994c44857775c737a55f139ce3cca35c93
Instruction Fuzzy Hash: 8241F7B1B00224AFDB14DF65E855BAE7BF9AB09304F90449EE085A7341D73C9E44CB5C

Function 003F69D0 Relevance: 9.1, APIs: 6, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 003F69DD
std::_Lockit::_Lockit.LIBCPMT ref: 003F69FB
std::_Lockit::~_Lockit.LIBCPMT ref: 003F6A1C
std::_Lockit::~_Lockit.LIBCPMT ref: 003F6A6C
std::_Facet_Register.LIBCPMT ref: 003F6A96
std::_Lockit::~_Lockit.LIBCPMT ref: 003F6AAF

Part of subcall function 003F1FE0: ___std_exception_copy.LIBVCRUNTIME ref: 003F201C

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::~_$Lockit::_$Facet_Register___std_exception_copy
String ID:
API String ID: 728164013-0
Opcode ID: cd978813acc066c0ac0cbd82a775847e099c8f083876531838a3d2a072803e12
Instruction ID: 7737180bebdf9335b1634f3949cf8efbb56d7ff55eb92bb19baf7d3e1581af86
Opcode Fuzzy Hash: cd978813acc066c0ac0cbd82a775847e099c8f083876531838a3d2a072803e12
Instruction Fuzzy Hash: 983139759002589FCF12DF04E881A7AB3A4EF85320F15856EEA45AB262D735ED09CBC2

Function 00428772 Relevance: 9.1, APIs: 6, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00429C74: Replicator::operator[].LIBCMT ref: 00429CB1

DName::operator=.LIBVCRUNTIME ref: 0042881E

Part of subcall function 004283B4: DName::operator+.LIBCMT ref: 0042841F
Part of subcall function 004283B4: DName::operator+.LIBCMT ref: 004286E9

DName::operator+.LIBCMT ref: 004287D8
DName::operator+.LIBCMT ref: 004287E4
DName::DName.LIBVCRUNTIME ref: 00428828
DName::operator+.LIBCMT ref: 00428845
DName::operator+.LIBCMT ref: 00428851

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
String ID:
API String ID: 955152517-0
Opcode ID: 2f427f8c57a3bef26d619363836e4ae8a6c0fada06093d99690011dca2b2e60e
Instruction ID: 8f3c9200c42471270195d3b23c2b6ac9238602f9ca3ef53e8d2f6062f14f9568
Opcode Fuzzy Hash: 2f427f8c57a3bef26d619363836e4ae8a6c0fada06093d99690011dca2b2e60e
Instruction Fuzzy Hash: 2631F5B1B053249FCB14EF55E854AAEBBF8AF99304F90845EE586A7341DB389904CB1C

Function 00421F48 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00421F3F,0041E9DD,0041D0D2), ref: 00421F56
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00421F64
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00421F7D
SetLastError.KERNEL32(00000000,00421F3F,0041E9DD,0041D0D2), ref: 00421FCF

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 93d732f7b1222a4bec06db4402f62ca851c84aa42ba73ac84b2d22d9a46949e1
Instruction ID: 8cf474bbadd2f4fa3644f2268abde97aa1e32cb48467839a0905d819ed02bf3d
Opcode Fuzzy Hash: 93d732f7b1222a4bec06db4402f62ca851c84aa42ba73ac84b2d22d9a46949e1
Instruction Fuzzy Hash: 9501F53230C2315FA6102B757E85A1B2A85EB123B8772063FF420911F0EF594C26A24E

Function 004541F3 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,004C0482,00000104), ref: 00454250

Strings

Microsoft Visual C++ Runtime Library, xrefs: 004542E5
<program name unknown>, xrefs: 0045425F
Runtime Error!Program: , xrefs: 0045421C
..., xrefs: 0045429E

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 514040917-4022980321
Opcode ID: 0142e838c9e977559fb57af4fbb14455aefef6f8c4ae5280e741f4afdb6ab2fd
Instruction ID: 7b0f498f1d304db4c2d4876cb4f10c36385135e7189c08fb7ac862b784f89904
Opcode Fuzzy Hash: 0142e838c9e977559fb57af4fbb14455aefef6f8c4ae5280e741f4afdb6ab2fd
Instruction Fuzzy Hash: 2A219B32A4031172D63026624C4BFE7365C8BD17CDF14003BFD099A243FA5DCA89C2AE

Function 0040E120 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040E127
_Getvals.LIBCPMT ref: 0040E179
_Mpunct.LIBCPMT ref: 0040E1B4
_Mpunct.LIBCPMT ref: 0040E1CE

Strings

$+xv, xrefs: 0040E1D9

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Mpunct$GetvalsH_prolog3
String ID: $+xv
API String ID: 2204710431-1686923651
Opcode ID: 2a4c3fe0f53442eb1887a80412faa889e5adb718468999698c41b05d10af5d58
Instruction ID: ceb8a465f8006948509d0d3a052712813ad8ea928c8ca720ea43fb7af6dd789f
Opcode Fuzzy Hash: 2a4c3fe0f53442eb1887a80412faa889e5adb718468999698c41b05d10af5d58
Instruction Fuzzy Hash: C921E2B0804B526ED721DF76C89077BBEF8AB08304F04492FE458CBA81D738E615CB94

Function 004557FB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,CC824C46,?,?,00000000,0047647A,000000FF,?,00455782,00000002,?,00455756,00446DAA), ref: 00455830
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00455842
FreeLibrary.KERNEL32(00000000,?,?,00000000,0047647A,000000FF,?,00455782,00000002,?,00455756,00446DAA), ref: 00455864

Strings

mscoree.dll, xrefs: 00455829
CorExitProcess, xrefs: 0045583A

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 709d98e77731087f4adbf431e49a843d394955b81cce2e0773dac1e507725177
Instruction ID: 318ab5f7c3408982e5b90808bba4063b6360bac0f8c4c1dcebca723d68614561
Opcode Fuzzy Hash: 709d98e77731087f4adbf431e49a843d394955b81cce2e0773dac1e507725177
Instruction Fuzzy Hash: 6401A731544615EFDB119F50CC09BAEB7B8FB04712F14493EF815A27E0DB789940CB98

Function 00458D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00458D26), ref: 00458D7C
GetLastError.KERNEL32(?,00458D26), ref: 00458D86
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00458DC4

Strings

ext-ms-, xrefs: 00458DA9
api-ms-, xrefs: 00458D93

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-$ext-ms-
API String ID: 3177248105-537541572
Opcode ID: 1caa1f702caf4895c46f52e5befcae1fa15dd110c6aa43e5027349eae97bddf6
Instruction ID: 7f1a127b090d56ddff986e74af32a2bb0324123451cbb03b15b733f4ae94fea0
Opcode Fuzzy Hash: 1caa1f702caf4895c46f52e5befcae1fa15dd110c6aa43e5027349eae97bddf6
Instruction Fuzzy Hash: B8F0FE71680209B6DB102B61DC06B5A3EA5DB20B59F24442AFE4CB41E3EF79D959C98C

Function 0040EBD7 Relevance: 7.9, APIs: 5, Instructions: 433COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040EBDE
ctype.LIBCPMT ref: 0040EC25

Part of subcall function 0040E257: __Getctype.LIBCPMT ref: 0040E266

Part of subcall function 00409274: __EH_prolog3.LIBCMT ref: 0040927B
Part of subcall function 00409274: std::_Lockit::_Lockit.LIBCPMT ref: 00409285

Part of subcall function 0040939E: __EH_prolog3.LIBCMT ref: 004093A5
Part of subcall function 0040939E: std::_Lockit::_Lockit.LIBCPMT ref: 004093AF

Part of subcall function 0040955D: __EH_prolog3.LIBCMT ref: 00409564
Part of subcall function 0040955D: std::_Lockit::_Lockit.LIBCPMT ref: 0040956E
Part of subcall function 0040955D: std::_Lockit::~_Lockit.LIBCPMT ref: 004095DF

Part of subcall function 004094C8: __EH_prolog3.LIBCMT ref: 004094CF
Part of subcall function 004094C8: std::_Lockit::_Lockit.LIBCPMT ref: 004094D9

Part of subcall function 003FD91A: __EH_prolog3.LIBCMT ref: 003FD921
Part of subcall function 003FD91A: std::_Lockit::_Lockit.LIBCPMT ref: 003FD92B
Part of subcall function 003FD91A: std::_Lockit::~_Lockit.LIBCPMT ref: 003FD9D2

numpunct.LIBCPMT ref: 0040EFD3

Part of subcall function 0040A2FC: __EH_prolog3.LIBCMT ref: 0040A303

Part of subcall function 00409A9A: __EH_prolog3.LIBCMT ref: 00409AA1
Part of subcall function 00409A9A: std::_Lockit::_Lockit.LIBCPMT ref: 00409AAB
Part of subcall function 00409A9A: std::_Lockit::~_Lockit.LIBCPMT ref: 00409B1C

Part of subcall function 00409BC4: __EH_prolog3.LIBCMT ref: 00409BCB
Part of subcall function 00409BC4: std::_Lockit::_Lockit.LIBCPMT ref: 00409BD5
Part of subcall function 00409BC4: std::_Lockit::~_Lockit.LIBCPMT ref: 00409C46

Part of subcall function 003FD91A: Concurrency::cancel_current_task.LIBCPMT ref: 003FD9DD

Part of subcall function 00408DCC: __EH_prolog3.LIBCMT ref: 00408DD3
Part of subcall function 00408DCC: std::_Lockit::_Lockit.LIBCPMT ref: 00408DDD
Part of subcall function 00408DCC: std::_Lockit::~_Lockit.LIBCPMT ref: 00408E4E

__Getcoll.LIBCPMT ref: 0040ED99

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

codecvt.LIBCPMT ref: 0040F084

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$H_prolog3$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskGetcollGetctypecodecvtctypenumpunct
String ID:
API String ID: 778957219-0
Opcode ID: 7065f65accd831b29c26487dde7980940dba17c38aafc7414f203b3d63d165f6
Instruction ID: f7b8e38ee7a8262a825a0ec0ae874d978e44240d7aba2e4ab89644ddcda4df51
Opcode Fuzzy Hash: 7065f65accd831b29c26487dde7980940dba17c38aafc7414f203b3d63d165f6
Instruction Fuzzy Hash: FEE11B7180020AABDB126F768C415BF7AA6EF41314F14893FF9187B3D2DB798D108799

Function 0040F0B3 Relevance: 7.9, APIs: 5, Instructions: 433COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040F0BA
ctype.LIBCPMT ref: 0040F101

Part of subcall function 0040E290: __Getctype.LIBCPMT ref: 0040E29F

Part of subcall function 00409309: __EH_prolog3.LIBCMT ref: 00409310
Part of subcall function 00409309: std::_Lockit::_Lockit.LIBCPMT ref: 0040931A

Part of subcall function 00409433: __EH_prolog3.LIBCMT ref: 0040943A
Part of subcall function 00409433: std::_Lockit::_Lockit.LIBCPMT ref: 00409444

Part of subcall function 00409687: __EH_prolog3.LIBCMT ref: 0040968E
Part of subcall function 00409687: std::_Lockit::_Lockit.LIBCPMT ref: 00409698
Part of subcall function 00409687: std::_Lockit::~_Lockit.LIBCPMT ref: 00409709

Part of subcall function 004095F2: __EH_prolog3.LIBCMT ref: 004095F9
Part of subcall function 004095F2: std::_Lockit::_Lockit.LIBCPMT ref: 00409603
Part of subcall function 004095F2: std::_Lockit::~_Lockit.LIBCPMT ref: 00409674

Part of subcall function 003FD91A: __EH_prolog3.LIBCMT ref: 003FD921
Part of subcall function 003FD91A: std::_Lockit::_Lockit.LIBCPMT ref: 003FD92B
Part of subcall function 003FD91A: std::_Lockit::~_Lockit.LIBCPMT ref: 003FD9D2

numpunct.LIBCPMT ref: 0040F4AF

Part of subcall function 0040A32F: __EH_prolog3.LIBCMT ref: 0040A336

Part of subcall function 00409B2F: __EH_prolog3.LIBCMT ref: 00409B36
Part of subcall function 00409B2F: std::_Lockit::_Lockit.LIBCPMT ref: 00409B40
Part of subcall function 00409B2F: std::_Lockit::~_Lockit.LIBCPMT ref: 00409BB1

Part of subcall function 00409C59: __EH_prolog3.LIBCMT ref: 00409C60
Part of subcall function 00409C59: std::_Lockit::_Lockit.LIBCPMT ref: 00409C6A
Part of subcall function 00409C59: std::_Lockit::~_Lockit.LIBCPMT ref: 00409CDB

Part of subcall function 003FD91A: Concurrency::cancel_current_task.LIBCPMT ref: 003FD9DD

Part of subcall function 00408E61: __EH_prolog3.LIBCMT ref: 00408E68
Part of subcall function 00408E61: std::_Lockit::_Lockit.LIBCPMT ref: 00408E72
Part of subcall function 00408E61: std::_Lockit::~_Lockit.LIBCPMT ref: 00408EE3

__Getcoll.LIBCPMT ref: 0040F275

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

codecvt.LIBCPMT ref: 0040F560

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$H_prolog3$Lockit::_$Lockit::~_$Concurrency::cancel_current_taskGetcollGetctypecodecvtctypenumpunct
String ID:
API String ID: 778957219-0
Opcode ID: 6d6ee8fd834779846f1a0f579139e8630d4ee42f747e9e457608005a0b995436
Instruction ID: 2e9e7e88e25c49c52d0a71c17f06b71fe45696ba485025b395d522cb0850f6af
Opcode Fuzzy Hash: 6d6ee8fd834779846f1a0f579139e8630d4ee42f747e9e457608005a0b995436
Instruction Fuzzy Hash: 5BE1F57180020AABDB226FA58C019BF7AA5EF41314F14853FFD187B7C2DB798D058799

Function 00427D84 Relevance: 7.7, APIs: 5, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

shared_ptr.LIBCMT ref: 00427DEF
operator+.LIBVCRUNTIME ref: 00427E3F
shared_ptr.LIBCMT ref: 00427F0B
DName::DName.LIBVCRUNTIME ref: 00427F3B
operator+.LIBVCRUNTIME ref: 00427F9C

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: operator+shared_ptr$NameName::
String ID:
API String ID: 2894330373-0
Opcode ID: 77e57b9b62fc614b5b6c31a4250db0471d9401dd808bc32d990e83e33a8ef057
Instruction ID: aeb423790579d389a98909d938de52f2ddd95e78867ea855bfa3e9598055be96
Opcode Fuzzy Hash: 77e57b9b62fc614b5b6c31a4250db0471d9401dd808bc32d990e83e33a8ef057
Instruction Fuzzy Hash: 6E61A071A0812AEFCB14DF65E8489BA7BB4FF04304F94C1ABE4159B210D7398A05CF99

Function 003FEDA2 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003FEDB6
AcquireSRWLockExclusive.KERNEL32(?,?,003FBF1B,?), ref: 003FEDD5
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,003FBF1B,?), ref: 003FEE03
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,003FBF1B,?), ref: 003FEE5E
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,003FBF1B,?), ref: 003FEE75

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: ac4a25064efc8ee8259e57e9fee27719b0ebb21a5b776445ffd8a78a873fbd30
Instruction ID: be6d594d7b593bb19085fdbdda180455fac7361f63a4b029289bfef5e0633f75
Opcode Fuzzy Hash: ac4a25064efc8ee8259e57e9fee27719b0ebb21a5b776445ffd8a78a873fbd30
Instruction Fuzzy Hash: CA414C3190060ADFCB22DF65E4849BAB3F9FF24310B11492AE65AD7A60D730F984CB55

Function 003F9DAA Relevance: 7.6, APIs: 5, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 003F9DB1
std::_Lockit::_Lockit.LIBCPMT ref: 003F9DBB

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

codecvt.LIBCPMT ref: 003F9DF5
std::_Facet_Register.LIBCPMT ref: 003F9E0C
std::_Lockit::~_Lockit.LIBCPMT ref: 003F9E2C

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: c506b98b187dc72da6b2974b943bfaff8e60896edbd476531cfa0e1fd8a7d687
Instruction ID: 177e85ab82f4d61e27560e381a194b9d66567044a72e1f06020fa574aac7091d
Opcode Fuzzy Hash: c506b98b187dc72da6b2974b943bfaff8e60896edbd476531cfa0e1fd8a7d687
Instruction Fuzzy Hash: BE11D67190011DABCB06EB94DC41BBEB7A5AF54710F10801BFA096F391CF749E00CB95

Function 00408DCC Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00408DD3
std::_Lockit::_Lockit.LIBCPMT ref: 00408DDD

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

codecvt.LIBCPMT ref: 00408E17
std::_Facet_Register.LIBCPMT ref: 00408E2E
std::_Lockit::~_Lockit.LIBCPMT ref: 00408E4E

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 3f5f874b81900ada2ee755a2493e08e37da1b64a81cf08175d4c7692afe19144
Instruction ID: 252cdb2244f6ac7bf546911a7f02a042d2bc461a5f364dc35b7061ce02c0b2b8
Opcode Fuzzy Hash: 3f5f874b81900ada2ee755a2493e08e37da1b64a81cf08175d4c7692afe19144
Instruction Fuzzy Hash: EB01D671900119DBCB06EBA4D9416BEB775AF94320F14452FE529AB3D1CF789E05CBC8

Function 00408E61 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00408E68
std::_Lockit::_Lockit.LIBCPMT ref: 00408E72

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

codecvt.LIBCPMT ref: 00408EAC
std::_Facet_Register.LIBCPMT ref: 00408EC3
std::_Lockit::~_Lockit.LIBCPMT ref: 00408EE3

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: e9b747f119d94ceb793b1c746de503cb3d0a78d44047477d819f4a6e08431965
Instruction ID: c62dcb6a531a052af91cac97177654820637e81894e8fded75eae2fabcd2b4a7
Opcode Fuzzy Hash: e9b747f119d94ceb793b1c746de503cb3d0a78d44047477d819f4a6e08431965
Instruction Fuzzy Hash: 4901C4719001199BCB06EBA4D941ABEB771AF84710F14452EE515AB3D2CF789E45CBC8

Function 00417483 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041748A
std::_Lockit::_Lockit.LIBCPMT ref: 00417494

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

messages.LIBCPMT ref: 004174CE
std::_Facet_Register.LIBCPMT ref: 004174E5
std::_Lockit::~_Lockit.LIBCPMT ref: 00417505

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID:
API String ID: 2750803064-0
Opcode ID: 56b86be3ba9491d386dde6becf42985c8534c1f65e111aca5c6cd8db27aee768
Instruction ID: 53ae6d125e1085abfd9fb53eb52594e5c422d5c5a25254ae22cb47101bb6bfdf
Opcode Fuzzy Hash: 56b86be3ba9491d386dde6becf42985c8534c1f65e111aca5c6cd8db27aee768
Instruction Fuzzy Hash: 3701D271904119ABCB06EBA4D842AFEB771AF84320F14451AE5156F3E2CF789E45CB98

Function 0040955D Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00409564
std::_Lockit::_Lockit.LIBCPMT ref: 0040956E

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

moneypunct.LIBCPMT ref: 004095A8
std::_Facet_Register.LIBCPMT ref: 004095BF
std::_Lockit::~_Lockit.LIBCPMT ref: 004095DF

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 16190cd0706e9e35a10190d99d73be11a309b406b6e7331f5cfd3215ab167480
Instruction ID: 42f98dfe9721051a793b0356701bca8de5c0be6ec0f6ad65a911d3a0bdbffece
Opcode Fuzzy Hash: 16190cd0706e9e35a10190d99d73be11a309b406b6e7331f5cfd3215ab167480
Instruction Fuzzy Hash: FF01C43290011DABCB06EBA4DC416BEB761AF80310F14452AE515AB3D2CF78DE05CB98

Function 004095F2 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004095F9
std::_Lockit::_Lockit.LIBCPMT ref: 00409603

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

moneypunct.LIBCPMT ref: 0040963D
std::_Facet_Register.LIBCPMT ref: 00409654
std::_Lockit::~_Lockit.LIBCPMT ref: 00409674

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: fd3dcdddb7d20991b82620dc84613adc3af0b1f3617e2fb3a3b29227243a6adc
Instruction ID: ebaa08adadf6c9366c2a63d8baa77c5dad341c7182f44447af60396269fbdf33
Opcode Fuzzy Hash: fd3dcdddb7d20991b82620dc84613adc3af0b1f3617e2fb3a3b29227243a6adc
Instruction Fuzzy Hash: F50104359001199BCB02EBA4C845BBEB765AF80310F10492BE515AB3D2CF789E01CB98

Function 00417642 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00417649
std::_Lockit::_Lockit.LIBCPMT ref: 00417653

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

moneypunct.LIBCPMT ref: 0041768D
std::_Facet_Register.LIBCPMT ref: 004176A4
std::_Lockit::~_Lockit.LIBCPMT ref: 004176C4

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 584af903ca741bbbd703c5a8440e24fa146c961aceca800bdbe20bdb0ebc9dc8
Instruction ID: ec8d1d149b9649a721e893ec8126f55bd9c54b2494e2575f322ff00f0507d589
Opcode Fuzzy Hash: 584af903ca741bbbd703c5a8440e24fa146c961aceca800bdbe20bdb0ebc9dc8
Instruction Fuzzy Hash: 7B010071900219DBCB06EBA4D841AFEB7B1AF80320F24451AE5156F3E2CF789E40CB98

Function 004176D7 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004176DE
std::_Lockit::_Lockit.LIBCPMT ref: 004176E8

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

moneypunct.LIBCPMT ref: 00417722
std::_Facet_Register.LIBCPMT ref: 00417739
std::_Lockit::~_Lockit.LIBCPMT ref: 00417759

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: aceaa4c6469f156c85725d5131b1de8147cba0e6e568589b1ab6e7ae1aa72b8d
Instruction ID: d811eb99baa7a2c449cccd99a76abf6543ee96c290315180482594cccafc2a2e
Opcode Fuzzy Hash: aceaa4c6469f156c85725d5131b1de8147cba0e6e568589b1ab6e7ae1aa72b8d
Instruction Fuzzy Hash: 510104359002199FCB02EBA4D881BFEB772AF40710F10451AE615AF3D2CF78AA458B98

Function 00409687 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040968E
std::_Lockit::_Lockit.LIBCPMT ref: 00409698

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

moneypunct.LIBCPMT ref: 004096D2
std::_Facet_Register.LIBCPMT ref: 004096E9
std::_Lockit::~_Lockit.LIBCPMT ref: 00409709

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID:
API String ID: 419941038-0
Opcode ID: 81a81cf512cf7db72bc515997c7e50182c631e729282a445e693e3a813334f8c
Instruction ID: 1128c78e53d380b2a58bd3b0c680c269c4b236b310af0c341c463e7a7d422aff
Opcode Fuzzy Hash: 81a81cf512cf7db72bc515997c7e50182c631e729282a445e693e3a813334f8c
Instruction Fuzzy Hash: 7601D676900119DBCB06EBA4D8456BEB771AF80320F24492AF5156B3D2CF789E05CB89

Function 00409970 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00409977
std::_Lockit::_Lockit.LIBCPMT ref: 00409981

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

numpunct.LIBCPMT ref: 004099BB
std::_Facet_Register.LIBCPMT ref: 004099D2
std::_Lockit::~_Lockit.LIBCPMT ref: 004099F2

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID:
API String ID: 743221004-0
Opcode ID: bfcf7082270016f04bc08d3f63cb866d27dd49d59935f92c78c61df802711cc8
Instruction ID: 2fb123a2567a7edf0700cfc1e19071a606921be934b7e27775f58c7efffb52ec
Opcode Fuzzy Hash: bfcf7082270016f04bc08d3f63cb866d27dd49d59935f92c78c61df802711cc8
Instruction Fuzzy Hash: 5B01C07590015A9BCB06EBA4D842BBEB761AF80720F24452FE5156B3D2CF789E44CB88

Function 00409A05 Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00409A0C
std::_Lockit::_Lockit.LIBCPMT ref: 00409A16

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

numpunct.LIBCPMT ref: 00409A50
std::_Facet_Register.LIBCPMT ref: 00409A67
std::_Lockit::~_Lockit.LIBCPMT ref: 00409A87

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID:
API String ID: 743221004-0
Opcode ID: f9bee813e7d33bbf3fb916ebaaa24aa3ef23e2726ffb4003f019fc97a9b76663
Instruction ID: df0d0dfca630b110a72a08da93461b4fa6977c5b7e991bfd07f6e1c6a8ee7ba3
Opcode Fuzzy Hash: f9bee813e7d33bbf3fb916ebaaa24aa3ef23e2726ffb4003f019fc97a9b76663
Instruction Fuzzy Hash: 0C010431A0011ADBCB02EBA0D8416BFB7B1AF84710F14452BE9156B3E2DF788E04CB98

Function 003FB626 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 003FB62D
std::_Lockit::_Lockit.LIBCPMT ref: 003FB638
std::_Lockit::~_Lockit.LIBCPMT ref: 003FB6A6

Part of subcall function 003FB7B9: std::locale::_Locimp::_Locimp.LIBCPMT ref: 003FB7D1

std::locale::_Setgloballocale.LIBCPMT ref: 003FB653
_Yarn.LIBCPMT ref: 003FB669

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 0fd271b88863ea352e1281dc38b3ca384c51c69d1cdcc26c9e649599629f0bb1
Instruction ID: 3187e02efa79a1b7f9dc23d949640b4aa428978d9d4599885b6b4bc75d2ffcb0
Opcode Fuzzy Hash: 0fd271b88863ea352e1281dc38b3ca384c51c69d1cdcc26c9e649599629f0bb1
Instruction Fuzzy Hash: 7D01F1B56000259BC70ABB60CC8167CB761AF88310B15401AE9195B792CF786A42CBC8

Function 00451E9E Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 369COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 0045201E
__freea.LIBCMT ref: 0045203A

Strings

a/p, xrefs: 00452102
am/pm, xrefs: 0045209E

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: __freea
String ID: a/p$am/pm
API String ID: 240046367-3206640213
Opcode ID: 7e4f0acf8f00d4547cb2e1127662fff920add55343fb1bbed263a480ff0486a3
Instruction ID: 052252d9201d48e3ff68f6f669081da6920d5c9281f60ec761e944bf2c8b99a5
Opcode Fuzzy Hash: 7e4f0acf8f00d4547cb2e1127662fff920add55343fb1bbed263a480ff0486a3
Instruction Fuzzy Hash: C4C1D239900215DBDB248F68C6857BB7770FF06702F14409BED01AB352D3B99D4ACB9A

Function 003F2480 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 003F24C9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003F251A
__Getctype.LIBCPMT ref: 003F2531

Strings

bad locale name, xrefs: 003F2557

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$GetctypeLocinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1612978173-1405518554
Opcode ID: 4392e3a8da01af881e313ba4a5d2a216a9a5fecd8997424b91b43f18c6992de6
Instruction ID: 23441b2f0870a3c0cf599fafec06828c17b51f8138ae9ad3d839d24b502bf374
Opcode Fuzzy Hash: 4392e3a8da01af881e313ba4a5d2a216a9a5fecd8997424b91b43f18c6992de6
Instruction Fuzzy Hash: BE31E1B0804344CFC7219F29C841B6BFBE4AF95304F14891EFA889B212D775D948CB93

Function 0040E055 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040E05C

Part of subcall function 00405FE3: _Maklocstr.LIBCPMT ref: 00406003
Part of subcall function 00405FE3: _Maklocstr.LIBCPMT ref: 00406020
Part of subcall function 00405FE3: _Maklocstr.LIBCPMT ref: 0040603D

_Mpunct.LIBCPMT ref: 0040E0E9
_Mpunct.LIBCPMT ref: 0040E103

Strings

$+xv, xrefs: 0040E10E

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Maklocstr$Mpunct$H_prolog3
String ID: $+xv
API String ID: 4259326447-1686923651
Opcode ID: 31ba906daf15f27ed2f887f074968e7da64ac0addb37d8a844ac1d8b52b3622f
Instruction ID: b27b77584c8a3403c63d95012d3651bb42a82be57fe6330e891f0e675cf6801c
Opcode Fuzzy Hash: 31ba906daf15f27ed2f887f074968e7da64ac0addb37d8a844ac1d8b52b3622f
Instruction Fuzzy Hash: BA21E2B1804B566ED725DF76C88077BBEF8AB08300F04492FE058D7A82E778E601CB94

Function 00418EDC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00418EE3
_Mpunct.LIBCPMT ref: 00418F70
_Mpunct.LIBCPMT ref: 00418F8A

Strings

$+xv, xrefs: 00418F95

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Mpunct$H_prolog3
String ID: $+xv
API String ID: 4281374311-1686923651
Opcode ID: b2c02a4d1a55d28f8033abf7aea96d3c47be9c5cccf5944fdece4f21358f50e6
Instruction ID: e7345da9fb2929bf4f50f6b94242e35b6ba7db334e7fa940b6c347d929f46e7c
Opcode Fuzzy Hash: b2c02a4d1a55d28f8033abf7aea96d3c47be9c5cccf5944fdece4f21358f50e6
Instruction Fuzzy Hash: FD21D1B0804A566ED725DF75C8907BBBFF8AB09300F04495FF458C6A41D738EA41CB94

Function 0041E936 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

__is_exception_typeof.LIBVCRUNTIME ref: 0041E9CA

Strings

RCC, xrefs: 0041E940
MOC, xrefs: 0041E948
csm, xrefs: 0041E950

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: __is_exception_typeof
String ID: MOC$RCC$csm
API String ID: 3140442014-2671469338
Opcode ID: 93355e13ab2b437af53ed2aad950cfb81cb0528d5153333b0e774dbadee3dac5
Instruction ID: 1a71bb91fc7b90eb078dee62a451a7adba09545c0c4b1efaf791266ebe21fef2
Opcode Fuzzy Hash: 93355e13ab2b437af53ed2aad950cfb81cb0528d5153333b0e774dbadee3dac5
Instruction Fuzzy Hash: AC11E175520315DFD704DF57D001BDAB7A8EF00319F11409BE8008B222C7BCE980CB99

Function 0042A5D6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,0042A4D3,00000000,00000001,004C0264,?,?,?,0042A72A,00000004,InitializeCriticalSectionEx,0047B5DC,InitializeCriticalSectionEx), ref: 0042A5E3
GetLastError.KERNEL32(?,0042A4D3,00000000,00000001,004C0264,?,?,?,0042A72A,00000004,InitializeCriticalSectionEx,0047B5DC,InitializeCriticalSectionEx,00000000,?,0042321D), ref: 0042A5ED
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00421BE3), ref: 0042A615

Strings

api-ms-, xrefs: 0042A5FA

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: fb4337cc2a0e5e147034947e14f6deb5574998701b2eb40fc43e932c75ab8f48
Instruction ID: bbb5eeecaf5321407d6fec750caad06851983d2c296bc102cd1fc1a4eb6e2d64
Opcode Fuzzy Hash: fb4337cc2a0e5e147034947e14f6deb5574998701b2eb40fc43e932c75ab8f48
Instruction Fuzzy Hash: 52E01230380208B7DF101F61EC0AB593E54DB01B54FA44436FD4DA42A1EB759961898D

Function 0045D8CE Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(CC824C46,00000010,00000000,?), ref: 0045D931

Part of subcall function 00461776: WideCharToMultiByte.KERNEL32(00000010,00000000,00488210,00000010,00000010,00000010,0045E309,0000FDE9,00488210,?,?,?,0045E002,0000FDE9,00000000,?), ref: 00461822

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0045DB8C
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0045DBD4
GetLastError.KERNEL32 ref: 0045DC77

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 8a7a6ca2e146d341cc422be992365cfcae59025cf63b92ea37ab43d9d9693c69
Instruction ID: 048ea9e46651d3829ba1a5ccebb2763e7881dc98246415a7cc83d24d0ea544db
Opcode Fuzzy Hash: 8a7a6ca2e146d341cc422be992365cfcae59025cf63b92ea37ab43d9d9693c69
Instruction Fuzzy Hash: EDD18AB5E002489FCF25CFA8C880AAEBBB5FF09305F18452AE855E7352D734A946CB54

Function 004263F1 Relevance: 6.2, APIs: 4, Instructions: 192COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004263F8
UnDecorator::getSymbolName.LIBCMT ref: 0042648A
DName::operator+.LIBCMT ref: 0042658E
DName::DName.LIBVCRUNTIME ref: 00426631

Part of subcall function 00423D3A: shared_ptr.LIBCMT ref: 00423D56

Part of subcall function 00423FD4: DName::DName.LIBVCRUNTIME ref: 00424022

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Name$Name::$Decorator::getH_prolog3Name::operator+Symbolshared_ptr
String ID:
API String ID: 1134295639-0
Opcode ID: 27ef042c050c7dfc1a4df25bbdcb3639e4b4b042e5fe62219c462ae7397ad722
Instruction ID: 6434c2e672be3855cfd3d1e5a167d7d96dc60588079a5b4c18f9562f2ba1c13a
Opcode Fuzzy Hash: 27ef042c050c7dfc1a4df25bbdcb3639e4b4b042e5fe62219c462ae7397ad722
Instruction Fuzzy Hash: 66716D71E01229DFDB50DF94E885AEEBBB4AB08314F96406BE801AB351D7389D45CF98

Function 00426A90 Relevance: 6.2, APIs: 4, Instructions: 169COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 00426BC5

Part of subcall function 00423989: __aulldvrm.LIBCMT ref: 004239BA

DName::operator+.LIBCMT ref: 00426B26
DName::operator=.LIBVCRUNTIME ref: 00426C0A
DName::DName.LIBVCRUNTIME ref: 00426C3C

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::Name::operator=__aulldvrm
String ID:
API String ID: 2973644308-0
Opcode ID: 2a5672ba92114f4d29f065380127dcef9ee622135d31b6802a03330c7224e48e
Instruction ID: 108acfa91f267889e3deafb9364d2a09469dce71afb7ad5bbcc7abf628925a85
Opcode Fuzzy Hash: 2a5672ba92114f4d29f065380127dcef9ee622135d31b6802a03330c7224e48e
Instruction Fuzzy Hash: A561BFB5E00229DFCB15DF46E884AAEBBB4FB45300F51819BE8416B351C778AE41CF98

Function 0042205F Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00422126
___AdjustPointer.LIBCMT ref: 00422149
___AdjustPointer.LIBCMT ref: 004221E5

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 8cdaed41c8b6ce61cfb3588b679f20c4e09c0cc19d0f4c4f220a8a25a3b6a72b
Instruction ID: 3154915456ac464c74dccf43d1061fdd9fef4f9a1dd4177011d51e44e4d528af
Opcode Fuzzy Hash: 8cdaed41c8b6ce61cfb3588b679f20c4e09c0cc19d0f4c4f220a8a25a3b6a72b
Instruction Fuzzy Hash: 405103B5701222BFDB248F11EA40FBA77A4EF00310F90052FEE01472A1D7B9AC91C798

Function 004267C1 Relevance: 6.1, APIs: 4, Instructions: 131COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBCMT ref: 004267F4

Part of subcall function 00423CFE: DName::operator+=.LIBCMT ref: 00423D14

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Name::operator+Name::operator+=
String ID:
API String ID: 382699925-0
Opcode ID: e12cd399dd2061f1bf00779b6eb4e560eecc105813ae3714ad3c12dba20654b5
Instruction ID: 478966a86f30e740541abfb6bfd4558ed3b54e679ce7df0624610ef3b9055d4e
Opcode Fuzzy Hash: e12cd399dd2061f1bf00779b6eb4e560eecc105813ae3714ad3c12dba20654b5
Instruction Fuzzy Hash: 414183B1E0122ADACF04DF99E449AEEBBB4EF04304F91405BE405B7351DB789A85CB98

Function 003FE874 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 003FE87B

Part of subcall function 003FB626: __EH_prolog3.LIBCMT ref: 003FB62D
Part of subcall function 003FB626: std::_Lockit::_Lockit.LIBCPMT ref: 003FB638
Part of subcall function 003FB626: std::locale::_Setgloballocale.LIBCPMT ref: 003FB653
Part of subcall function 003FB626: _Yarn.LIBCPMT ref: 003FB669
Part of subcall function 003FB626: std::_Lockit::~_Lockit.LIBCPMT ref: 003FB6A6

std::_Lockit::_Lockit.LIBCPMT ref: 003FE89F
std::locale::_Setgloballocale.LIBCPMT ref: 003FE8EE
std::_Lockit::~_Lockit.LIBCPMT ref: 003FE94E

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_Setgloballocalestd::locale::_$Yarn
String ID:
API String ID: 2301162320-0
Opcode ID: 2bbc5d8ce141e15258c814e2adeeb4ca51df2ab81c2e5642586a6740e1330bd7
Instruction ID: 2531131e8981f2ce1cab44f522452640ee3735122e9ef1e402df4476b7b5a3bc
Opcode Fuzzy Hash: 2bbc5d8ce141e15258c814e2adeeb4ca51df2ab81c2e5642586a6740e1330bd7
Instruction Fuzzy Hash: 892182716002189FDB45EF68C8C197EB7B4EF49310B05846EE906DF292DF78ED418B95

Function 0046297D Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00461776: WideCharToMultiByte.KERNEL32(00000010,00000000,00488210,00000010,00000010,00000010,0045E309,0000FDE9,00488210,?,?,?,0045E002,0000FDE9,00000000,?), ref: 00461822

GetLastError.KERNEL32 ref: 004629E1
__dosmaperr.LIBCMT ref: 004629E8
GetLastError.KERNEL32(?,?,?,?), ref: 00462A22
__dosmaperr.LIBCMT ref: 00462A29

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 81c52e9df1b152f8ed9edca7003a71b229a7e2fb64eb07a11a9161f1ca279427
Instruction ID: ef0d338ce3b8bb0624f60254d9420ea55616ca72eb2d72c4ac5dfec31c47f43d
Opcode Fuzzy Hash: 81c52e9df1b152f8ed9edca7003a71b229a7e2fb64eb07a11a9161f1ca279427
Instruction Fuzzy Hash: 7321F871700605BFDB20AFA2CA8086BB7A9EF44368700841FF819D7250F7B8EC10876B

Function 00450BD4 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0889d405b80d1747b1bb7a22245d28b2774bbea11af95b404e83402c8fb0db05
Instruction ID: bf3fd409b28ed6ef44bcafe8c931ca3c7010773e266128adb61241fc061a6e22
Opcode Fuzzy Hash: 0889d405b80d1747b1bb7a22245d28b2774bbea11af95b404e83402c8fb0db05
Instruction Fuzzy Hash: 7021F639200205AFDB25AF72CC8186B7768EF0136A7108A1BFD5997253DB38FC549759

Function 0046462B Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00464633

Part of subcall function 00461776: WideCharToMultiByte.KERNEL32(00000010,00000000,00488210,00000010,00000010,00000010,0045E309,0000FDE9,00488210,?,?,?,0045E002,0000FDE9,00000000,?), ref: 00461822

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0046466B
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0046468B

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 577dc32945a941317e0b1178fdefa4d0fb35260714244c5e72df998df3e32dd0
Instruction ID: 2c7171d519b4c2325cc2d1cf5e8b4cebdab34a6b72652e473e8df350f01496a1
Opcode Fuzzy Hash: 577dc32945a941317e0b1178fdefa4d0fb35260714244c5e72df998df3e32dd0
Instruction Fuzzy Hash: FD1161F29015157E6B2127B29C8EC6F6A6CDEC63AA710012EF90691112FE6C9E4241BF

Function 003FD91A Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 003FD921
std::_Lockit::_Lockit.LIBCPMT ref: 003FD92B
std::_Lockit::~_Lockit.LIBCPMT ref: 003FD9D2
Concurrency::cancel_current_task.LIBCPMT ref: 003FD9DD

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
String ID:
API String ID: 4244582100-0
Opcode ID: f657c4d3eac501b8d9bc5f650f1a8de1ea43285030f79dcbe809da27d1be8860
Instruction ID: c99bbd4396d6d68e161ddbe85b39eb3bf5efe2d14c4006959a3a0080905cc18a
Opcode Fuzzy Hash: f657c4d3eac501b8d9bc5f650f1a8de1ea43285030f79dcbe809da27d1be8860
Instruction Fuzzy Hash: E1217F3464061AAFCB05EF54C895ABDB761FF45310F01845AE9259B3A1CF70ED50CF84

Function 003FD6F1 Relevance: 6.1, APIs: 4, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 003FD6F8
std::_Lockit::_Lockit.LIBCPMT ref: 003FD702

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

std::_Facet_Register.LIBCPMT ref: 003FD753
std::_Lockit::~_Lockit.LIBCPMT ref: 003FD773

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: b8f31ef2514895096c24f30be83ef3f8dd010271ba02ec86ac7553c94f30e7af
Instruction ID: 1b3fd724af3a724a38abc44e92d2ddaa5069e433c8fa6667d2ef45899a53076f
Opcode Fuzzy Hash: b8f31ef2514895096c24f30be83ef3f8dd010271ba02ec86ac7553c94f30e7af
Instruction Fuzzy Hash: 2D11047190021DABCB06EFA8D845ABEB7B6AF44310F10851AF619AF381CB749E05CB84

Function 0042AE2C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0042AB81,00000000,00000004,00000000), ref: 0042AE7B
GetLastError.KERNEL32 ref: 0042AE87
__dosmaperr.LIBCMT ref: 0042AE8E

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 2b22a5f5e9fc74f5f1c962f32199b3dfc9fbdf9f1788205b955f2d6ed071825d
Instruction ID: 9fdabbbabf2342577464fc82418ee6d4bb52de14638f486af2d52ff70a05132f
Opcode Fuzzy Hash: 2b22a5f5e9fc74f5f1c962f32199b3dfc9fbdf9f1788205b955f2d6ed071825d
Instruction Fuzzy Hash: 3A018E31640214BFDB109B65EC0AB9F7B79DF80375F61021EF924821D0DB78C916D71A

Function 00460118 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 0046012E
GetLastError.KERNEL32(?,?,?,?), ref: 0046013B
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 00460161
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 00460187

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: 593907b3f79b5a9fe5b56778b4e842746dd1c7d2caf74d31b3aad9e61bd9a1dc
Instruction ID: e6db7d0c27764c3aa72d399c63ad844bfbf414709a742b2e602dce2f74f60f41
Opcode Fuzzy Hash: 593907b3f79b5a9fe5b56778b4e842746dd1c7d2caf74d31b3aad9e61bd9a1dc
Instruction Fuzzy Hash: 9F117C71900218BBDF109F55CC489DF3F79FF05360F104159F818962A0E736CA91DBA5

Function 00408EF6 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00408EFD
std::_Lockit::_Lockit.LIBCPMT ref: 00408F07

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

std::_Facet_Register.LIBCPMT ref: 00408F58
std::_Lockit::~_Lockit.LIBCPMT ref: 00408F78

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 99408d0a3fd8011434b839247924b93a5bcbc83632bf3744644834f41777a95d
Instruction ID: 0040ccbb6f7b27007300daa5f41f95438251a6251562a67fd3f639a1dd737f82
Opcode Fuzzy Hash: 99408d0a3fd8011434b839247924b93a5bcbc83632bf3744644834f41777a95d
Instruction Fuzzy Hash: 4D01C43190011AEBCB06EBA4D945BBEB762AF84710F14452EE515AB3D1CF789A058B89

Function 00408F8B Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00408F92
std::_Lockit::_Lockit.LIBCPMT ref: 00408F9C

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

std::_Facet_Register.LIBCPMT ref: 00408FED
std::_Lockit::~_Lockit.LIBCPMT ref: 0040900D

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 222b11814c8577814627404c8cebc75738c544572ac606d5e0256473ce390de7
Instruction ID: b122dbf05ef1910c85ad07c98bb81ffe7fde28174629aac7e4562c00b60f3139
Opcode Fuzzy Hash: 222b11814c8577814627404c8cebc75738c544572ac606d5e0256473ce390de7
Instruction Fuzzy Hash: 3C012231900219EBCB02FBA4C8456BEB771AF94320F24482BE5156B3D2CF788E01CB88

Function 004173EE Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004173F5
std::_Lockit::_Lockit.LIBCPMT ref: 004173FF

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

std::_Facet_Register.LIBCPMT ref: 00417450
std::_Lockit::~_Lockit.LIBCPMT ref: 00417470

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: d7abc30489400e81484b731da0e57914bebdac7175f5ff0e11b8aa01c7afa2b7
Instruction ID: 9e37ec08baca6d2693efd30d19a8a7c12b30cd59c3888d5fe2dc0915110c7849
Opcode Fuzzy Hash: d7abc30489400e81484b731da0e57914bebdac7175f5ff0e11b8aa01c7afa2b7
Instruction Fuzzy Hash: 0B01D2719001199FCB06EBA4D841AFEBB71AF84320F54451AF5156B3E2CF78AE85CF98

Function 00417518 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041751F
std::_Lockit::_Lockit.LIBCPMT ref: 00417529

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

std::_Facet_Register.LIBCPMT ref: 0041757A
std::_Lockit::~_Lockit.LIBCPMT ref: 0041759A

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: f01e222f18621794377160519e43bd9fbbe4608f042ccdd31852fd5c4ac07205
Instruction ID: d8aaf4ff6e37f6b554c8f62e7946f66656058934e977240c4af4a78b7d637df4
Opcode Fuzzy Hash: f01e222f18621794377160519e43bd9fbbe4608f042ccdd31852fd5c4ac07205
Instruction Fuzzy Hash: C901C471900119ABCB06EBA4D8416FEB772AF84320F14451BE5196B3D2CF789A45CB99

Function 004175AD Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004175B4
std::_Lockit::_Lockit.LIBCPMT ref: 004175BE

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

std::_Facet_Register.LIBCPMT ref: 0041760F
std::_Lockit::~_Lockit.LIBCPMT ref: 0041762F

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 0d7acf0b3206cd3239918613c489c5b1c35cfc38f642fef1df9e69cbca2f0c02
Instruction ID: c804a0ccf75692e5a4451afd840f87acdcf3c9e33bbd92b792296ad89897f1ed
Opcode Fuzzy Hash: 0d7acf0b3206cd3239918613c489c5b1c35cfc38f642fef1df9e69cbca2f0c02
Instruction Fuzzy Hash: 7701C4719001199BCB06EBA8DC416FEB771AF44320F14451AF515AB3D2CFB8DE45CB88

Function 0041776C Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00417773
std::_Lockit::_Lockit.LIBCPMT ref: 0041777D

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

std::_Facet_Register.LIBCPMT ref: 004177CE
std::_Lockit::~_Lockit.LIBCPMT ref: 004177EE

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 7a3f645d136e94c071687da5c727a70d4f6b387156c50911db59182e0d4e9329
Instruction ID: a4468dca0d66ccac40839b0cd1512baa883553104e253858c24d84fb6c0052d9
Opcode Fuzzy Hash: 7a3f645d136e94c071687da5c727a70d4f6b387156c50911db59182e0d4e9329
Instruction Fuzzy Hash: 3D0126769002199BCB06EBA4C881BFFB771AF44320F14441AE5256B3E2CF789E41CB98

Function 0040971C Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00409723
std::_Lockit::_Lockit.LIBCPMT ref: 0040972D

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

std::_Facet_Register.LIBCPMT ref: 0040977E
std::_Lockit::~_Lockit.LIBCPMT ref: 0040979E

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 3e9ccbf2461bbebd33c5169694f20d57e55005e3383f87e55e7f894717f4d493
Instruction ID: d9afba6ca3a59fbd8cc225216a02ef2dee46cd4dfc3def5983d583285d859c0a
Opcode Fuzzy Hash: 3e9ccbf2461bbebd33c5169694f20d57e55005e3383f87e55e7f894717f4d493
Instruction Fuzzy Hash: 0E01C036900219DBCB06EBA4D841BBEB775AF84720F14452AF5157B3D2CF789E05CB88

Function 004097B1 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004097B8
std::_Lockit::_Lockit.LIBCPMT ref: 004097C2

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

std::_Facet_Register.LIBCPMT ref: 00409813
std::_Lockit::~_Lockit.LIBCPMT ref: 00409833

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 9da9581d0b7b97286736f739827baaccf8dffda11fcbe61b4a8e486d9c34ccdd
Instruction ID: a0616de847af782e24b0397b41e41742ef604653ea78ab855124962d15a15135
Opcode Fuzzy Hash: 9da9581d0b7b97286736f739827baaccf8dffda11fcbe61b4a8e486d9c34ccdd
Instruction Fuzzy Hash: 41010032910119DBCB06EBA4D841ABFB761AF80320F14852BE515BB3D2CF789E01CB88

Function 00409846 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040984D
std::_Lockit::_Lockit.LIBCPMT ref: 00409857

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

std::_Facet_Register.LIBCPMT ref: 004098A8
std::_Lockit::~_Lockit.LIBCPMT ref: 004098C8

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: e021a4183a4d6a51c9a86f461114c3bd935f60fe9a80cc6a6d9e1dec23a70199
Instruction ID: fff9089c5da57cc43cd8a390c3014f1424484e176f4a0458313377d29e125c7f
Opcode Fuzzy Hash: e021a4183a4d6a51c9a86f461114c3bd935f60fe9a80cc6a6d9e1dec23a70199
Instruction Fuzzy Hash: 95010476900119DBCB06FBA4D8557BEB761AF80320F14842BF5196B3D2CF7C9E048B98

Function 00417801 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00417808
std::_Lockit::_Lockit.LIBCPMT ref: 00417812

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

std::_Facet_Register.LIBCPMT ref: 00417863
std::_Lockit::~_Lockit.LIBCPMT ref: 00417883

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 635664989a476907a141e5f093ed9a9eccc1414bbb838d7d1ac424d53ec6e0e6
Instruction ID: f9fe9cd10136606b33c5f52acc221a2de26795a50c48ad938fc1d81cdbf3f0bf
Opcode Fuzzy Hash: 635664989a476907a141e5f093ed9a9eccc1414bbb838d7d1ac424d53ec6e0e6
Instruction Fuzzy Hash: 1B0104329441199BCB06FBA4C8457FEB771AF80310F14451AE515AB3D2CF789A45CB98

Function 004098DB Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004098E2
std::_Lockit::_Lockit.LIBCPMT ref: 004098EC

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

std::_Facet_Register.LIBCPMT ref: 0040993D
std::_Lockit::~_Lockit.LIBCPMT ref: 0040995D

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: 9f55fbf905afb7e3e0258f10702b47596b2edb8ae54cd31f80974248cf7f254d
Instruction ID: 7ab08fc78382e803f3b41d2012399a8314e1e075562a15db3a25213af077f3bc
Opcode Fuzzy Hash: 9f55fbf905afb7e3e0258f10702b47596b2edb8ae54cd31f80974248cf7f254d
Instruction Fuzzy Hash: 2B01007190021AABCB02FBA4C841ABEB761AF84310F10452EE5197B3D2CF789E018B88

Function 00409A9A Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00409AA1
std::_Lockit::_Lockit.LIBCPMT ref: 00409AAB

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

std::_Facet_Register.LIBCPMT ref: 00409AFC
std::_Lockit::~_Lockit.LIBCPMT ref: 00409B1C

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: ff7911f25e1333a44fc020ba20a12bda1ed74b8da5431a96d8f0c5e769cb5f26
Instruction ID: a62e2980c5c1579b74527667938f25a21b39e4bb9a249f0fd8127c0e0499f8bb
Opcode Fuzzy Hash: ff7911f25e1333a44fc020ba20a12bda1ed74b8da5431a96d8f0c5e769cb5f26
Instruction Fuzzy Hash: B4012231900119DBCB06EBA4EC41ABEB771AF80320F24452BE5157B3D2CF789E01CB98

Function 00409B2F Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00409B36
std::_Lockit::_Lockit.LIBCPMT ref: 00409B40

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

std::_Facet_Register.LIBCPMT ref: 00409B91
std::_Lockit::~_Lockit.LIBCPMT ref: 00409BB1

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: af71c8e0a787e129c3922abc7e445029941bf9ff09ac987e0b1a5de50b8fffe3
Instruction ID: 719dc2150be5196cddba55af7d0650b26526f515197a12d4fb3d4c861cf8bbb1
Opcode Fuzzy Hash: af71c8e0a787e129c3922abc7e445029941bf9ff09ac987e0b1a5de50b8fffe3
Instruction Fuzzy Hash: FA01C0319001199BCB06EBA4E841AFEB775BF80720F14452AE5157B3D2CF78AE058B88

Function 00409BC4 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00409BCB
std::_Lockit::_Lockit.LIBCPMT ref: 00409BD5

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

std::_Facet_Register.LIBCPMT ref: 00409C26
std::_Lockit::~_Lockit.LIBCPMT ref: 00409C46

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: d3802a7f53451cbb195795dd65ba592578b401237ea9901e362e9d258f53c5ba
Instruction ID: ba032b302b7c3767394b48b8e9d5dd2d23f43621e096a7990745041024b70d65
Opcode Fuzzy Hash: d3802a7f53451cbb195795dd65ba592578b401237ea9901e362e9d258f53c5ba
Instruction Fuzzy Hash: 44010031900119EBDB06EBA0D9416BEB7A1AF90320F24452AE514AB3D2CF789E40CB98

Function 00409C59 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00409C60
std::_Lockit::_Lockit.LIBCPMT ref: 00409C6A

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

std::_Facet_Register.LIBCPMT ref: 00409CBB
std::_Lockit::~_Lockit.LIBCPMT ref: 00409CDB

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID:
API String ID: 2854358121-0
Opcode ID: ba3efa1cd3a8c0edab29bfe4b59b91d87b9cc6e134491db8c7fe1caa7e12cb17
Instruction ID: e47fddde52b08d1682bef5668bef082b668b66254ec579a2a40b161c63cfbe47
Opcode Fuzzy Hash: ba3efa1cd3a8c0edab29bfe4b59b91d87b9cc6e134491db8c7fe1caa7e12cb17
Instruction Fuzzy Hash: D5012271900119DBCB06EBA8D8456FEB7A1AF80320F14452FE4157B3D2CF788E00CB98

Function 00409020 Relevance: 6.0, APIs: 4, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00409027
std::_Lockit::_Lockit.LIBCPMT ref: 00409031

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

ctype.LIBCPMT ref: 0040906B
std::_Lockit::~_Lockit.LIBCPMT ref: 004090A2

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3ctype
String ID:
API String ID: 3358926169-0
Opcode ID: 33d61f94bc3f345c7080ff29bb2da9dac65a7afe49e8179375978d0b347a7119
Instruction ID: f6dd6a4f0dd17ea97d2a480c73d2720e5ca8e54911eef9c81ceae2b1e21828f7
Opcode Fuzzy Hash: 33d61f94bc3f345c7080ff29bb2da9dac65a7afe49e8179375978d0b347a7119
Instruction Fuzzy Hash: 4AF0903194021EABDB06FBA4C842BBF7225AF50324F50492AF6157B2D2DF7D8E05C789

Function 004090B5 Relevance: 6.0, APIs: 4, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004090BC
std::_Lockit::_Lockit.LIBCPMT ref: 004090C6

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

ctype.LIBCPMT ref: 00409100
std::_Lockit::~_Lockit.LIBCPMT ref: 00409137

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3ctype
String ID:
API String ID: 3358926169-0
Opcode ID: 27a852e07d0ed0f5c5fc039213fc87b0c3b337574fc85409fdb73d806f72feaf
Instruction ID: 8ec8076080fa4566934b2920a0059671b448cade1b54252dfc4d2b105df40c6e
Opcode Fuzzy Hash: 27a852e07d0ed0f5c5fc039213fc87b0c3b337574fc85409fdb73d806f72feaf
Instruction Fuzzy Hash: D1F0963194011EABDB06FBA0DC46BBF3221AF50714F50452AF5246F2D2DF3C8E088798

Function 0040914A Relevance: 6.0, APIs: 4, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00409151
std::_Lockit::_Lockit.LIBCPMT ref: 0040915B

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

messages.LIBCPMT ref: 00409195
std::_Lockit::~_Lockit.LIBCPMT ref: 004091CC

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3messages
String ID:
API String ID: 50917705-0
Opcode ID: b61e32995e15f1f4985625efcf3586603dffed9c720337406ce930bc24ceed30
Instruction ID: 7e9dee5ffd4c62991cbc15967ccd3aa59db6c04b97f516b4388d4229528e91fe
Opcode Fuzzy Hash: b61e32995e15f1f4985625efcf3586603dffed9c720337406ce930bc24ceed30
Instruction Fuzzy Hash: 6CF0903194021EABDB06F7A0C846BBF7225AF50714F60452AF6157F2D2DF3C9E088788

Function 004091DF Relevance: 6.0, APIs: 4, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004091E6
std::_Lockit::_Lockit.LIBCPMT ref: 004091F0

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

messages.LIBCPMT ref: 0040922A
std::_Lockit::~_Lockit.LIBCPMT ref: 00409261

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3messages
String ID:
API String ID: 50917705-0
Opcode ID: 10beacea46b4aefc3167c169c8840a161ce9f231ed3417057cfcba48cf248669
Instruction ID: ca3619d2b1bac6949c1463f8e298e2f0191cbd9cbdfe4b41ceba6da386be8a33
Opcode Fuzzy Hash: 10beacea46b4aefc3167c169c8840a161ce9f231ed3417057cfcba48cf248669
Instruction Fuzzy Hash: 18F06235940119AACB06FBA0D8427BE72259B50724F50496AF6156B2D2DF3C8E048798

Function 0047037B Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 00470395
GetLastError.KERNEL32 ref: 004703A1

Part of subcall function 0047044A: CloseHandle.KERNEL32(FFFFFFFE,00470494,?,0046BF8F,00000010,00000001,00000010,?,?,0045DCCB,?,00000010,00000000,?,?), ref: 0047045A

___initconout.LIBCMT ref: 004703B1

Part of subcall function 0047040C: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0047043B,0046BF7C,?,?,0045DCCB,?,00000010,00000000,?), ref: 0047041F

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 004703C5

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: d6e50a9dca69a58f631a250c5b76557231198a9c8f2d39f9c01a0a7a42e105ee
Instruction ID: f71021113f8a465a77b1ed9a1a2f13af96ac5ba92957d0417c7d3a142c164671
Opcode Fuzzy Hash: d6e50a9dca69a58f631a250c5b76557231198a9c8f2d39f9c01a0a7a42e105ee
Instruction Fuzzy Hash: 7BF08236101601EBCB222B96DC08D877FB6FFC8320710842EFA4D82531DB7198A1DB99

Function 00470461 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000010,00000000,00488210,00000000,00000010,?,0046BF8F,00000010,00000001,00000010,?,?,0045DCCB,?,00000010,00000000), ref: 00470478
GetLastError.KERNEL32(?,0046BF8F,00000010,00000001,00000010,?,?,0045DCCB,?,00000010,00000000,?,?,?,0045E29A,00000010), ref: 00470484

Part of subcall function 0047044A: CloseHandle.KERNEL32(FFFFFFFE,00470494,?,0046BF8F,00000010,00000001,00000010,?,?,0045DCCB,?,00000010,00000000,?,?), ref: 0047045A

___initconout.LIBCMT ref: 00470494

Part of subcall function 0047040C: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0047043B,0046BF7C,?,?,0045DCCB,?,00000010,00000000,?), ref: 0047041F

WriteConsoleW.KERNEL32(00000010,00000000,00488210,00000000,?,0046BF8F,00000010,00000001,00000010,?,?,0045DCCB,?,00000010,00000000,?), ref: 004704A9

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 3843ec8779c65fad743e79d6b467dc512e3adfff911dc11bc9ba712615aa7a72
Instruction ID: 1ebe5adf811e31578d286b2542e0242d03b56feba61295b25810b9de6d57fa01
Opcode Fuzzy Hash: 3843ec8779c65fad743e79d6b467dc512e3adfff911dc11bc9ba712615aa7a72
Instruction Fuzzy Hash: 10F01C36141225FBCF222F91DC089CA3F26FB083A4B408429FA0D95231DA768860DBD9

Function 004094C8 Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004094CF
std::_Lockit::_Lockit.LIBCPMT ref: 004094D9

Part of subcall function 003F2220: std::_Lockit::_Lockit.LIBCPMT ref: 003F222F
Part of subcall function 003F2220: std::_Lockit::~_Lockit.LIBCPMT ref: 003F224A

moneypunct.LIBCPMT ref: 00409513
std::_Lockit::~_Lockit.LIBCPMT ref: 0040954A

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3moneypunct
String ID:
API String ID: 3160146232-0
Opcode ID: d094151d7c84c10ab40ce635427787974411a8c81ac5efb164173f6447cab7ba
Instruction ID: 01a4a2272aea1c981d0dacae9e6e9a1298f3becd3589b95f8d0df6e91dff8feb
Opcode Fuzzy Hash: d094151d7c84c10ab40ce635427787974411a8c81ac5efb164173f6447cab7ba
Instruction Fuzzy Hash: C7F05E3194021DB7CB02FBA0CC42BFF7225AB90304F40442AB5146B2D2CB789E04CB98

Function 0044589D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 291COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00445A14

Strings

-, xrefs: 00445965
+, xrefs: 00445972

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: +$-
API String ID: 3732870572-2137968064
Opcode ID: 2aa0a1fdbdad134754cd3774889f26da487012c11bb058aa3aad14e1fe060bdc
Instruction ID: 218138463a48f8e104dbe51309dd0a7739c27e37855774a4cad35ffe4c1cc4f2
Opcode Fuzzy Hash: 2aa0a1fdbdad134754cd3774889f26da487012c11bb058aa3aad14e1fe060bdc
Instruction Fuzzy Hash: EAA1E870D40A58DFEF14CE65C8517EF7BA1EF45324F14865BE8A1EB382D2389902CB59

Function 004771F0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

APIs

OffsetRect.USER32(00000000,00000000,00000000), ref: 004772E8

Strings

Zatlat, xrefs: 00477231
0, xrefs: 0047737A

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: OffsetRect
String ID: 0$Zatlat
API String ID: 177026234-1547964091
Opcode ID: 75e49a921a13663d4a1c15516fd4770134de10fc5ffc5b7b7dc58d22444bc414
Instruction ID: 7cd403b66d5bba3dbf378f84fa681bd5096f5e06e9bcf2f2a070b00e8b819cb3
Opcode Fuzzy Hash: 75e49a921a13663d4a1c15516fd4770134de10fc5ffc5b7b7dc58d22444bc414
Instruction Fuzzy Hash: 519114715083805BE304DF25CC897AFBBE0AFC5308F54492EF9D98B292D779D8488B66

Function 00415A51 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 193COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00415A58
__cftoe.LIBCMT ref: 00415AEB

Strings

!%x, xrefs: 00415A66

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: 896c238e10dba1e7f9eb88d110a733ddcd7668695e80f56e503d61ee0dd6bc3a
Instruction ID: 4910a529e5d57984444b8ab8d98bd85328caf16ca1f3c76a3f59d7176f2e67a2
Opcode Fuzzy Hash: 896c238e10dba1e7f9eb88d110a733ddcd7668695e80f56e503d61ee0dd6bc3a
Instruction Fuzzy Hash: BA717C71D00209EFDF14EFA8E881AEEB7B5EF48304F14452AF515A7351EB39A981CB58

Function 00415C6B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 193COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00415C72
__cftoe.LIBCMT ref: 00415D05

Strings

!%x, xrefs: 00415C80

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: 5214e2e064ec55604ade760fb49ea90012d4f1880e3e4dde7be66d02913b5110
Instruction ID: c02dc20e1a9d20da1c8dbda38ad30d8ca9f50ca8e872ca446a76aa6bb66af18a
Opcode Fuzzy Hash: 5214e2e064ec55604ade760fb49ea90012d4f1880e3e4dde7be66d02913b5110
Instruction Fuzzy Hash: B3714E71D00209EFDF14EFA8E885AEEB7B5EF48304F10452AF515A7251EB39AA81CB54

Function 0041B2DB Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 183COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0041B43E

Strings

-, xrefs: 0041B46C
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0041B39C, 0041B3D3, 0041B3D8

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: 04f189a045be0e8ba7698d57dfc0a9a37a9111c417826018bc59e8d4154053c2
Instruction ID: 0a43d3ca93c6b755b990a56b25bcf6eff88a9b94a62e2ae78c373b2e59619954
Opcode Fuzzy Hash: 04f189a045be0e8ba7698d57dfc0a9a37a9111c417826018bc59e8d4154053c2
Instruction Fuzzy Hash: 9651D430A042589ACF25CEA984917FFBBB5EF45300F14845FE895D7342C37889D28B99

Function 0042265B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 00422680

Strings

MOC, xrefs: 00422692
RCC, xrefs: 0042269A

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: cb4b3a9696ecdef80fd3afce56382333f81cde124eec54d39bf01260e39fa056
Instruction ID: 878550cd544333cb34dba5bb3b7623e75e63b1f1aef057334b7847be9581ae6b
Opcode Fuzzy Hash: cb4b3a9696ecdef80fd3afce56382333f81cde124eec54d39bf01260e39fa056
Instruction Fuzzy Hash: B641BA72A00219BFCF15DF94DE81AEEBBB5BF48304F14809AF904A7221D3799950DB68

Function 0041420F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00414216

Part of subcall function 00409020: __EH_prolog3.LIBCMT ref: 00409027
Part of subcall function 00409020: std::_Lockit::_Lockit.LIBCPMT ref: 00409031

Strings

0123456789-, xrefs: 00414266
%.0Lf, xrefs: 00414261

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3H_prolog3_LockitLockit::_std::_
String ID: %.0Lf$0123456789-
API String ID: 79917597-3094241602
Opcode ID: bdc66482b15c8d824a69c4d16d839c582f027f0cc0613ddb4d36372962892ca9
Instruction ID: c76441a513f776d0e8c78e3885c6740a923229904bd8ce964ab7a06b14cf57e6
Opcode Fuzzy Hash: bdc66482b15c8d824a69c4d16d839c582f027f0cc0613ddb4d36372962892ca9
Instruction Fuzzy Hash: 2C416A71900119DFCF05EFE4C9819EE7BB5BF48314F10006AF915AB291DB389D96CB98

Function 0041453C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00414543

Part of subcall function 004090B5: __EH_prolog3.LIBCMT ref: 004090BC
Part of subcall function 004090B5: std::_Lockit::_Lockit.LIBCPMT ref: 004090C6

Strings

0123456789-, xrefs: 00414593
0123456789-, xrefs: 0041458E

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: H_prolog3H_prolog3_LockitLockit::_std::_
String ID: 0123456789-$0123456789-
API String ID: 79917597-2494171821
Opcode ID: 75acd2c97f63a05e880fbeebb1b8799dae985a552d8a556b69318f71fd240b7c
Instruction ID: 74853a2d94bb8ea05d74bfa8b8deb29fea9c58cdfaee9c502657e9890e934b1f
Opcode Fuzzy Hash: 75acd2c97f63a05e880fbeebb1b8799dae985a552d8a556b69318f71fd240b7c
Instruction Fuzzy Hash: 5A417C71900119EFCF05EFA4C9819EEBBB5FF48314F10406AE911AB291DB389D96CB99

Function 0041A830 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0041A837

Part of subcall function 003F59E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F59ED
Part of subcall function 003F59E0: std::_Lockit::_Lockit.LIBCPMT ref: 003F5A07
Part of subcall function 003F59E0: std::_Lockit::~_Lockit.LIBCPMT ref: 003F5A28
Part of subcall function 003F59E0: std::_Lockit::~_Lockit.LIBCPMT ref: 003F5A54

Strings

0123456789-, xrefs: 0041A887
0123456789-, xrefs: 0041A882

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3_
String ID: 0123456789-$0123456789-
API String ID: 2088892359-2494171821
Opcode ID: 768ca265ce7a4c6597f4ada9baa2e3e83b00fae9a07aec98a59c3ff025c3a6d9
Instruction ID: 5dc1228feef890516719f7349d0e17e4eae940697df03d44ae61327872d6521f
Opcode Fuzzy Hash: 768ca265ce7a4c6597f4ada9baa2e3e83b00fae9a07aec98a59c3ff025c3a6d9
Instruction Fuzzy Hash: 9541AD31D01209EFCF06EFA4D8819EEBBB5AF08310F10405AF911AB252DB399E56DF59

Function 003F73E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 003F7429
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003F747A

Strings

bad locale name, xrefs: 003F74A6

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 46d2e1771e53825ee0f654e623fc8eb47b986efb7ef754f4ce66130f2e1d4dce
Instruction ID: 7e80a8eb28c2e2b23eea15c9ffaba063a0b19bf738e6764e14bb31362f04765f
Opcode Fuzzy Hash: 46d2e1771e53825ee0f654e623fc8eb47b986efb7ef754f4ce66130f2e1d4dce
Instruction Fuzzy Hash: A321BB705093449FD312DF29C840B6BBFF0AF94704F18885EF6889B241D3BAC80ACB92

Function 00426CF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00426D10
DName::DName.LIBVCRUNTIME ref: 00426D95

Strings

A, xrefs: 00426D75

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: NameName::
String ID: A
API String ID: 1333004437-3554254475
Opcode ID: 28a211898a6e07c77dd1159ae5f62e734e0a41320836a3bfb55ea7dad1118e7a
Instruction ID: fa546840a5276ebb6c482e5a5a0c4948ad4eddefca6547fd74bacaecb3e9d336
Opcode Fuzzy Hash: 28a211898a6e07c77dd1159ae5f62e734e0a41320836a3bfb55ea7dad1118e7a
Instruction Fuzzy Hash: 5821ACB5B00128EEDF10DF54E815AAD7BB1EB44304F91809EE405AB251C7389E86CF49

Function 003F2070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 003F2075
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 003F20BA

Part of subcall function 003FB724: _Yarn.LIBCPMT ref: 003FB743
Part of subcall function 003FB724: _Yarn.LIBCPMT ref: 003FB767

Strings

bad locale name, xrefs: 003F20C8

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: a6aba1eff4cae0b7e209b68ac50a776a54394ddbc85280954fa0d1fe87c5516a
Instruction ID: e12e53d2b2e405dab77fb967af16be843ffd29bf7fdd21867df52cc4931a2159
Opcode Fuzzy Hash: a6aba1eff4cae0b7e209b68ac50a776a54394ddbc85280954fa0d1fe87c5516a
Instruction Fuzzy Hash: C3F01D61101B409ED371DF368505757BEE4AF25310F048E1ED6CAC7A51D375E508CBA5

Function 0041B5A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,003FF361,?,00000000,00000000,?,003FF2A9,?,?,?,?,003FEE2C,?,?), ref: 0041B5D8
GetSystemTimeAsFileTime.KERNEL32(?,CC824C46,?,?,0047634B,000000FF,?,003FF361,?,00000000,00000000,?,003FF2A9,?,?), ref: 0041B5DC

Strings

,?, xrefs: 0041B5BA, 0041B5E2

Memory Dump Source

Source File: 00000000.00000002.2136125171.00000000003F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true

Associated: 00000000.00000002.2136104661.00000000003F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136236821.0000000000478000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.000000000048A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136268298.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2136311348.00000000004C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3f0000_file.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$Precise
String ID: ,?
API String ID: 743729956-1694507155
Opcode ID: d3d76a689d58b587d1dc2022a2b04e6dd282885324ac0f14848571cbe51b1335
Instruction ID: b024b9f2366c2c8b13c12f36b6783ccff10a4680abf421fc8a7080da201f2e5b
Opcode Fuzzy Hash: d3d76a689d58b587d1dc2022a2b04e6dd282885324ac0f14848571cbe51b1335
Instruction Fuzzy Hash: 62F0E572A44954EFC7018F44DC04B9DBBA9F708B14F10423BEC1793390DB78A8008BC8

Analysis Process: RegAsm.exePID: 6188, Parent PID: 6132COMMON

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	0.7%
Signature Coverage:	12%
Total number of Nodes:	2000
Total number of Limit Nodes:	39

Executed Functions

Function 0041B050 Relevance: 231.5, APIs: 121, Strings: 11, Instructions: 507
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(?,0041922C), ref: 0041B06C
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B083
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B09A
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B0B1
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B0C8
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B0DF
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B0F6
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B10D
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B124
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B13B
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B152
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B169
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B180
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B197
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B1AE
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B1C5
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B1DC
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B1F3
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B20A
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B221
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B238
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B24F
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B266
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B27D
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B294
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B2AB
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B2C2
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B2D9
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B2F0
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B307
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B31E
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B335
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B34C
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B363
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B37A
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B391
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B3A8
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B3BF
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B3D6
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B3ED
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B404
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B41B
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B432
GetProcAddress.KERNEL32(CreateProcessA), ref: 0041B448
GetProcAddress.KERNEL32(GetThreadContext), ref: 0041B45E
GetProcAddress.KERNEL32(ReadProcessMemory), ref: 0041B474
GetProcAddress.KERNEL32(VirtualAllocEx), ref: 0041B48A
GetProcAddress.KERNEL32(ResumeThread), ref: 0041B4A0
GetProcAddress.KERNEL32(WriteProcessMemory), ref: 0041B4B6
GetProcAddress.KERNEL32(SetThreadContext), ref: 0041B4CC
LoadLibraryA.KERNEL32(?,0041922C), ref: 0041B4DD
LoadLibraryA.KERNEL32(?,0041922C), ref: 0041B4EE
LoadLibraryA.KERNEL32(?,0041922C), ref: 0041B4FF
LoadLibraryA.KERNEL32(?,0041922C), ref: 0041B510
LoadLibraryA.KERNEL32(?,0041922C), ref: 0041B521
LoadLibraryA.KERNEL32(?,0041922C), ref: 0041B532
LoadLibraryA.KERNEL32(?,0041922C), ref: 0041B543
LoadLibraryA.KERNEL32(?,0041922C), ref: 0041B554
LoadLibraryA.KERNEL32(dbghelp.dll,?,0041922C), ref: 0041B564
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B584
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B59B
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B5B2
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B5C9
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B5E0
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B604
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B61B
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B632
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B649
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B660
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B677
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B68E
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B6A5
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B6C5
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B6DC
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B6F3
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B70A
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B721
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B745
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B75C
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B773
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B78A
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B7A1
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B7B8
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B7DC
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B7F3
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B80A
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B821
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B838
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B84F
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B866
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B87D
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B894
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B8B4
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B8CB
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B8E2
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B8F9
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B910
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B930
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B947
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B967
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B97E
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B9A2
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B9B9
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B9D0
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B9E7
GetProcAddress.KERNEL32(?,0041922C), ref: 0041B9FE
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BA15
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BA2C
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BA43
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 0041BA59
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 0041BA6F
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BA8F
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BAA6
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BABD
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BAD4
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BAF4
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BB14
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BB2B
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BB42
GetProcAddress.KERNEL32(?,0041922C), ref: 0041BB59
GetProcAddress.KERNEL32(SymMatchString), ref: 0041BB78

Strings

HttpQueryInfoA, xrefs: 0041BA4E
GetThreadContext, xrefs: 0041B453
WriteProcessMemory, xrefs: 0041B4AB
ResumeThread, xrefs: 0041B495
ReadProcessMemory, xrefs: 0041B469
VirtualAllocEx, xrefs: 0041B47F
CreateProcessA, xrefs: 0041B43D
SymMatchString, xrefs: 0041BB6D
dbghelp.dll, xrefs: 0041B55F
SetThreadContext, xrefs: 0041B4C1
InternetSetOptionA, xrefs: 0041BA64

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
API String ID: 2238633743-2740034357
Opcode ID: a4580aef7196ab40cac15de4e3c6625ffa806c5fa5d16c7cc0568451c0f19aac
Instruction ID: 64df46d759b3a8e539eb425d674754a75b55508f076e1d27ec912ac7423ac894
Opcode Fuzzy Hash: a4580aef7196ab40cac15de4e3c6625ffa806c5fa5d16c7cc0568451c0f19aac
Instruction Fuzzy Hash: 9552C57D481214EFEB025F61FE19AA43FB3F70B3417197129E91289671E77648A8EF80

Function 004058C4 Relevance: 42.6, APIs: 20, Strings: 4, Instructions: 565
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404373
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404387
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 0040439B
Part of subcall function 0040430F: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
Part of subcall function 0040430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040595F
StrCmpCA.SHLWAPI(?), ref: 00405975
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405AEF
HttpOpenRequestA.WININET(00000000,?,00000000,00000000,00400100,00000000), ref: 00405B4C
lstrlenA.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,mode,00000000,?,00000000,?,00428D7C,00000000), ref: 00405F2B
lstrlenA.KERNEL32(00000000), ref: 00405F3C
GetProcessHeap.KERNEL32(00000000,?), ref: 00405F4C
HeapAlloc.KERNEL32(00000000), ref: 00405F53
lstrlenA.KERNEL32(00000000), ref: 00405F68
memcpy.MSVCRT ref: 00405F7E
lstrlenA.KERNEL32(00000000), ref: 00405F8F
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405FA8
memcpy.MSVCRT ref: 00405FB5
lstrlenA.KERNEL32(00000000,?,?), ref: 00405FCF
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405FE2
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405FFE
InternetCloseHandle.WININET(00000000), ref: 00406061
InternetCloseHandle.WININET(00000000), ref: 0040606D
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00405B84

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

InternetCloseHandle.WININET(00000000), ref: 00406076

Strings

------, xrefs: 004059F7, 00405B8A, 00405CCA, 00405E0B
mode, xrefs: 00405EAB
", xrefs: 00405C53, 00405D92, 00405ED3
build_id, xrefs: 00405D6A

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileOptionProcessReadSend
String ID: "$------$build_id$mode
API String ID: 487080699-3829489455
Opcode ID: 99e7d839f9470243f8a500febddaa2585a4ce8104e375d9646ee5b01df51d87c
Instruction ID: c3a436f612394fb5ea9af5c3dff246c6ebafd40c3fbf54516d0a2530dbd512cc
Opcode Fuzzy Hash: 99e7d839f9470243f8a500febddaa2585a4ce8104e375d9646ee5b01df51d87c
Instruction Fuzzy Hash: 0632EB71920118AADB15FBA1DC96FDEB379BF14305F5001AAF216B21B1DF386B88CE54

Function 00409FC0 Relevance: 41.0, APIs: 18, Strings: 5, Instructions: 760
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

FindFirstFileA.KERNEL32(00000000,?,00425200,00425200,00000000,?,?,?,00428F3C,00425200), ref: 0040A045
StrCmpCA.SHLWAPI(?,00425240), ref: 0040A0A0
StrCmpCA.SHLWAPI(?,0042523C), ref: 0040A0B6
FindNextFileA.KERNEL32(000000FF,?), ref: 0040AB2C
FindClose.KERNEL32(000000FF), ref: 0040AB3D

Strings

Opera GX, xrefs: 0040A144
Preferences, xrefs: 0040A318
\BraveWallet\Preferences, xrefs: 0040A40E
Google Chrome, xrefs: 0040A834
Brave, xrefs: 0040A2F9

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 3334442632-1189830961
Opcode ID: b6171a64cfc6ab4f13282320838a7735dbd279b900ab7de6f694e87253319736
Instruction ID: 263e58a2a74b46f478eabfba2e73a67f6604dac1ca14d90e5786d28d1d592fab
Opcode Fuzzy Hash: b6171a64cfc6ab4f13282320838a7735dbd279b900ab7de6f694e87253319736
Instruction Fuzzy Hash: 225241719002089BDF24FBB1DC56EED737DAF15304F40416AF61AA21A1EE399B88CF59

Function 1FC64CF0 Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 461fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,-00000003,04000102,00000000), ref: 1FC64EE1

Strings

psow, xrefs: 1FC651F5
delayed %dms for lock/sharing conflict at line %d, xrefs: 1FC64FB5
winOpen, xrefs: 1FC65110
exclusive, xrefs: 1FC64E81

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID: CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
API String ID: 823142352-3829269058
Opcode ID: 519a7ed0f3584e3789f176b6548f5854ea26f70b6ab1ce16b7ba6fbdf4a1afa1
Instruction ID: aff8db933b69acb78cdb755998635e3489435436830e8c86cf7f449c69a58ea2
Opcode Fuzzy Hash: 519a7ed0f3584e3789f176b6548f5854ea26f70b6ab1ce16b7ba6fbdf4a1afa1
Instruction Fuzzy Hash: BFF1F272A083108FDB18DF24C8C875BB7E5FB95324F50092AF945C6391EB36E954DBA2

Function 004129BF Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 142comCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000,?,?,?,Windows: ,00000000,?,00428FE4,00000000,?,Work Dir: In memory,00000000,?,00428E48,00000000), ref: 004129E9
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,Windows: ,00000000,?,00428FE4), ref: 00412A01
CoCreateInstance.OLE32(0042AE78,00000000,00000001,0042ADA8,00000000,?,?,?,Windows: ,00000000,?,00428FE4,00000000,?), ref: 00412A1D
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,Windows: ,00000000,?,00428FE4,00000000), ref: 00412A65
VariantInit.OLEAUT32(?), ref: 00412AC6
VariantClear.OLEAUT32(?), ref: 00412AFC

Strings

root\SecurityCenter2, xrefs: 00412A27
Select * From AntiVirusProduct, xrefs: 00412A6B
Unknown, xrefs: 00412B0E, 00412B22, 00412B44
WQL, xrefs: 00412A81
displayName, xrefs: 00412AD6

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeVariant$BlanketClearCreateInitInstanceProxySecurity
String ID: Select * From AntiVirusProduct$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 3243281124-2561087649
Opcode ID: 01e7d32d45ff0252796b17b99a1afcd933ba27ea36f00a65b271f1c55a8e973d
Instruction ID: cc2f9b12050fb50489b4dacd928ba9f1606622a753a49b6d6fc2a760caa5f7a5
Opcode Fuzzy Hash: 01e7d32d45ff0252796b17b99a1afcd933ba27ea36f00a65b271f1c55a8e973d
Instruction Fuzzy Hash: 01512971A44208AFEB10CF94DD46FEDBBB8EB08711F604116F611FA1E0C7B8A951CB69

Function 00411D31 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

GetKeyboardLayoutList.USER32(00000000,00000000,00425200), ref: 00411D59
LocalAlloc.KERNEL32(00000040,?), ref: 00411D71
GetKeyboardLayoutList.USER32(?,00000000), ref: 00411D83
GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200), ref: 00411DD3
LocalFree.KERNEL32(00000000), ref: 00411E90

Strings

/ , xrefs: 00411DF0

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 15a7ab0f5f0475079f1a4d254d2fab6afe80d822c98d4419e6fd3bbb7ed8be85
Instruction ID: c70b1ae06e32fba280522d5ae6b93e050f7c05b062ce08c862d254046d427c6b
Opcode Fuzzy Hash: 15a7ab0f5f0475079f1a4d254d2fab6afe80d822c98d4419e6fd3bbb7ed8be85
Instruction Fuzzy Hash: 8C410E7594021CEBDB20EB90DC89BEDB3B8EB14305F2041DAE61AA61A1DB785FC5CF54

Function 004138BA Relevance: 7.6, APIs: 5, Instructions: 51processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004138F5
Process32First.KERNEL32(00429888,00000128), ref: 00413908
Process32Next.KERNEL32(00429888,00000128), ref: 0041391C
StrCmpCA.SHLWAPI(?,0042988C), ref: 00413930
FindCloseChangeNotification.KERNEL32(00429888), ref: 00413943

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 2a4b200a08ed556fe0b76f61f99fc73be8100933646605b45de0898bc31b2ca7
Instruction ID: c76ae2ebba4cdfdbec52cc22ef4db84e697ee2aab148ee9ae3442f35c02f241c
Opcode Fuzzy Hash: 2a4b200a08ed556fe0b76f61f99fc73be8100933646605b45de0898bc31b2ca7
Instruction Fuzzy Hash: 2B11C2B5900249EFDF118F91CD09BEFBBBDFB06791F00016AE505A62A0D7B88B40CB65

Function 0041246A Relevance: 6.1, APIs: 4, Instructions: 56processCOMMON

Download Yara Rule

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00412491
Process32First.KERNEL32(00000000,00000128), ref: 004124A4
Process32Next.KERNEL32(00000000,00000128), ref: 004124B8

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

CloseHandle.KERNEL32(00000000), ref: 00412525

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 977ae0b600e9dfa5c8bb5876995a90588de119cf502625faec0d1e404a198b9a
Instruction ID: 2c0229d212547161a0eb93f3d0d5d82303ca8f07f9ab92fbeb1aaa96aca691bd
Opcode Fuzzy Hash: 977ae0b600e9dfa5c8bb5876995a90588de119cf502625faec0d1e404a198b9a
Instruction Fuzzy Hash: CC212935900118EBCB11EB60DD56AEDB379AF15309F5041EAA60AB61A0EF349FC8CF94

Function 00407E41 Relevance: 4.5, APIs: 3, Instructions: 43memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00407E65
LocalAlloc.KERNEL32(00000040,00000000), ref: 00407E83
LocalFree.KERNEL32(?), ref: 00407EAB

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: ec7d2c3964d9433e1bd8db3b7e97589d228e91b9e021ed9bd7c00834a8d4e7c8
Instruction ID: c73416beba9d1fde4238afde8a7e84a4d4aa4311c1f55aef6ad3ec00fa4115b4
Opcode Fuzzy Hash: ec7d2c3964d9433e1bd8db3b7e97589d228e91b9e021ed9bd7c00834a8d4e7c8
Instruction Fuzzy Hash: 72019279900209EFCB01DF98D945A9E7BF5FB09300F0000A5F901AB2A0D774AE50DF61

Function 00411BEC Relevance: 4.5, APIs: 3, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0041A955), ref: 00411BF8
HeapAlloc.KERNEL32(00000000,?,?,?,0041A955), ref: 00411BFF
GetUserNameA.ADVAPI32(?,00000104), ref: 00411C16

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: cdb89f3b8d2170a32c4f5d9c7d109af83218dd3f9df08350fd3753d412c9dc7b
Instruction ID: 6ad48150bf72aad5a6046b0908b1c33b434ec51fc494a64bf18a9d81697ab1ea
Opcode Fuzzy Hash: cdb89f3b8d2170a32c4f5d9c7d109af83218dd3f9df08350fd3753d412c9dc7b
Instruction Fuzzy Hash: B3E04CB4A00608FFDB10DBD4DC49FADBBB8FB04749F904065F601E2160D7B45A459B64

Function 00411F21 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 00411F2E
wsprintfA.USER32 ref: 00411F43

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 2f2772df9e2289074dc65a3b003ee837af4eb9d8d63b789a1da4cf5f031d46f7
Instruction ID: 9caa33327a18f9dae679d202d2ba32c4f74d5e180e33a6cc9dfb65b88a9d38f3
Opcode Fuzzy Hash: 2f2772df9e2289074dc65a3b003ee837af4eb9d8d63b789a1da4cf5f031d46f7
Instruction Fuzzy Hash: F6D05EB180011CABCB00DBE0FC499D977BCBB09208F4408B1E614E2040E3B8EAD88BA8

Function 0041A76B Relevance: 257.6, APIs: 139, Strings: 8, Instructions: 337
sleepstringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Taxonomic sequence (also known as systematic, phyletic or taxonomic order) is a sequence followed in listing of taxa which aids ea), ref: 0041A776
lstrlenW.KERNEL32(The 1999 Rushmoor Council election took place on 6 May 1999 to elect members of Rushmoor Borough Council in Hampshire, England. On), ref: 0041A781
lstrlenW.KERNEL32(Oregon Ballot Measure 56 or House Joint Resolution 15 (HJR 15) is a legislatively referred constitutional amendment that enacted l), ref: 0041A78C
lstrlenW.KERNEL32(The 1967 October Revolution Parade is the parade on Moscow's Red Square devoted to the 50th anniversary of the Great October Socia), ref: 0041A797
lstrlenW.KERNEL32(I-11 was an Imperial Japanese Navy Type A1 submarine that served during World War II. Designed as a submarine aircraft carrier and), ref: 0041A7A2
LoadLibraryA.KERNEL32(kernel32.dll), ref: 0041A7AD
GetProcAddress.KERNEL32(00000000,Sleep), ref: 0041A7C4
GetProcAddress.KERNEL32(00000000,GetSystemTime), ref: 0041A7D7

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Sleep.KERNEL32(00000014), ref: 0041A7E4
Sleep.KERNEL32(00000014), ref: 0041A7EC
Sleep.KERNEL32(00000014), ref: 0041A7F4
Sleep.KERNEL32(00000014), ref: 0041A7FC
Sleep.KERNEL32(00000014), ref: 0041A804
Sleep.KERNEL32(00000014), ref: 0041A80C
lstrlenW.KERNEL32(Taxonomic sequence (also known as systematic, phyletic or taxonomic order) is a sequence followed in listing of taxa which aids ea), ref: 0041A817
lstrlenW.KERNEL32(The 1999 Rushmoor Council election took place on 6 May 1999 to elect members of Rushmoor Borough Council in Hampshire, England. On), ref: 0041A822
lstrlenW.KERNEL32(Oregon Ballot Measure 56 or House Joint Resolution 15 (HJR 15) is a legislatively referred constitutional amendment that enacted l), ref: 0041A82D
lstrlenW.KERNEL32(The 1967 October Revolution Parade is the parade on Moscow's Red Square devoted to the 50th anniversary of the Great October Socia), ref: 0041A838
lstrlenW.KERNEL32(I-11 was an Imperial Japanese Navy Type A1 submarine that served during World War II. Designed as a submarine aircraft carrier and), ref: 0041A843
Sleep.KERNEL32(00000014), ref: 0041A84B
Sleep.KERNEL32(00000014), ref: 0041A853
Sleep.KERNEL32(00000014), ref: 0041A85B
Sleep.KERNEL32(00000014), ref: 0041A863
Sleep.KERNEL32(00000014), ref: 0041A86B
Sleep.KERNEL32(00000014), ref: 0041A873
Sleep.KERNEL32(00000014), ref: 0041A880
Sleep.KERNEL32(00000014), ref: 0041A888
Sleep.KERNEL32(00000014), ref: 0041A890
Sleep.KERNEL32(00000014), ref: 0041A898
Sleep.KERNEL32(00000014), ref: 0041A8A0
Sleep.KERNEL32(00000014), ref: 0041A8A8
Sleep.KERNEL32(00000014), ref: 0041A8B5
Sleep.KERNEL32(00000014), ref: 0041A8BD
Sleep.KERNEL32(00000014), ref: 0041A8C5
Sleep.KERNEL32(00000014), ref: 0041A8CD
Sleep.KERNEL32(00000014), ref: 0041A8D5
Sleep.KERNEL32(00000014), ref: 0041A8DD
Sleep.KERNEL32(00000014), ref: 0041A8E5
Sleep.KERNEL32(00000014), ref: 0041A8ED
Sleep.KERNEL32(00000014), ref: 0041A8F5
Sleep.KERNEL32(00000014), ref: 0041A8FD
Sleep.KERNEL32(00000014), ref: 0041A905
Sleep.KERNEL32(00000014), ref: 0041A90D
Sleep.KERNEL32(00000014,00425200), ref: 0041A922
Sleep.KERNEL32(00000014), ref: 0041A92A
Sleep.KERNEL32(00000014), ref: 0041A932
Sleep.KERNEL32(00000014), ref: 0041A93A
Sleep.KERNEL32(00000014), ref: 0041A942
Sleep.KERNEL32(00000014), ref: 0041A94A
Sleep.KERNEL32(00000014,00000000,?,?,00428E5C,?,00000000), ref: 0041A9A6
Sleep.KERNEL32(00000014), ref: 0041A9AE
Sleep.KERNEL32(00000014), ref: 0041A9B6
Sleep.KERNEL32(00000014), ref: 0041A9BE
Sleep.KERNEL32(00000014), ref: 0041A9C6
Sleep.KERNEL32(00000014), ref: 0041A9CE
Sleep.KERNEL32(00000014), ref: 0041A9D6
Sleep.KERNEL32(00000014), ref: 0041A9DE
Sleep.KERNEL32(00000014), ref: 0041A9E6
Sleep.KERNEL32(00000014), ref: 0041A9EE
Sleep.KERNEL32(00000014), ref: 0041A9F6
Sleep.KERNEL32(00000014), ref: 0041A9FE
Sleep.KERNEL32(00000014), ref: 0041AA0F
Sleep.KERNEL32(00000014), ref: 0041AA17
Sleep.KERNEL32(00000014), ref: 0041AA1F
Sleep.KERNEL32(00000014), ref: 0041AA27
Sleep.KERNEL32(00000014), ref: 0041AA2F
Sleep.KERNEL32(00000014), ref: 0041AA37
OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 0041AA4D
Sleep.KERNEL32(00000014), ref: 0041AA5E
Sleep.KERNEL32(00000014), ref: 0041AA66
Sleep.KERNEL32(00000014), ref: 0041AA6E
Sleep.KERNEL32(00000014), ref: 0041AA76
Sleep.KERNEL32(00000014), ref: 0041AA7E
Sleep.KERNEL32(00000014), ref: 0041AA86
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041AA9B
Sleep.KERNEL32(00000014), ref: 0041AAA6
Sleep.KERNEL32(00000014), ref: 0041AAAE
Sleep.KERNEL32(00000014), ref: 0041AAB6
Sleep.KERNEL32(00000014), ref: 0041AABE
Sleep.KERNEL32(00000014), ref: 0041AAC6
Sleep.KERNEL32(00000014), ref: 0041AACE
Sleep.KERNEL32(00000014), ref: 0041AADA
Sleep.KERNEL32(00000014), ref: 0041AAE2
Sleep.KERNEL32(00000014), ref: 0041AAEA
Sleep.KERNEL32(00000014), ref: 0041AAF2
Sleep.KERNEL32(00000014), ref: 0041AAFA
Sleep.KERNEL32(00000014), ref: 0041AB02
CloseHandle.KERNEL32(00000000), ref: 0041AB0B
Sleep.KERNEL32(00001B58), ref: 0041AB16
Sleep.KERNEL32(00000014), ref: 0041AB1E
Sleep.KERNEL32(00000014), ref: 0041AB26
Sleep.KERNEL32(00000014), ref: 0041AB2E
Sleep.KERNEL32(00000014), ref: 0041AB36
Sleep.KERNEL32(00000014), ref: 0041AB3E
Sleep.KERNEL32(00000014), ref: 0041AB46
Sleep.KERNEL32(00000014), ref: 0041AB53
Sleep.KERNEL32(00000014), ref: 0041AB5B
Sleep.KERNEL32(00000014), ref: 0041AB63
Sleep.KERNEL32(00000014), ref: 0041AB6B
Sleep.KERNEL32(00000014), ref: 0041AB73
Sleep.KERNEL32(00000014), ref: 0041AB7B
Sleep.KERNEL32(00000014), ref: 0041AB83
Sleep.KERNEL32(00000014), ref: 0041AB8B
Sleep.KERNEL32(00000014), ref: 0041AB93
Sleep.KERNEL32(00000014), ref: 0041AB9B
Sleep.KERNEL32(00000014), ref: 0041ABA3
Sleep.KERNEL32(00000014), ref: 0041ABAB
Sleep.KERNEL32(00000014), ref: 0041ABB8
Sleep.KERNEL32(00000014), ref: 0041ABC0
Sleep.KERNEL32(00000014), ref: 0041ABC8
Sleep.KERNEL32(00000014), ref: 0041ABD0
Sleep.KERNEL32(00000014), ref: 0041ABD8
Sleep.KERNEL32(00000014), ref: 0041ABE0
Sleep.KERNEL32(00000014), ref: 0041ABE8
Sleep.KERNEL32(00000014), ref: 0041ABF0
Sleep.KERNEL32(00000014), ref: 0041ABF8
Sleep.KERNEL32(00000014), ref: 0041AC00
Sleep.KERNEL32(00000014), ref: 0041AC08
Sleep.KERNEL32(00000014), ref: 0041AC10
CloseHandle.KERNEL32(?), ref: 0041AC19
Sleep.KERNEL32(00000014), ref: 0041AC21
Sleep.KERNEL32(00000014), ref: 0041AC29
Sleep.KERNEL32(00000014), ref: 0041AC31
Sleep.KERNEL32(00000014), ref: 0041AC39
Sleep.KERNEL32(00000014), ref: 0041AC41
Sleep.KERNEL32(00000014), ref: 0041AC49
Sleep.KERNEL32(00000014), ref: 0041AC51
Sleep.KERNEL32(00000014), ref: 0041AC59
Sleep.KERNEL32(00000014), ref: 0041AC61
Sleep.KERNEL32(00000014), ref: 0041AC69
Sleep.KERNEL32(00000014), ref: 0041AC71
Sleep.KERNEL32(00000014), ref: 0041AC79
Sleep.KERNEL32(00000014), ref: 0041AC81
Sleep.KERNEL32(00000014), ref: 0041AC89
Sleep.KERNEL32(00000014), ref: 0041AC91
Sleep.KERNEL32(00000014), ref: 0041AC99
Sleep.KERNEL32(00000014), ref: 0041ACA1
Sleep.KERNEL32(00000014), ref: 0041ACA9
ExitProcess.KERNEL32 ref: 0041ACB1

Strings

The 1967 October Revolution Parade is the parade on Moscow's Red Square devoted to the 50th anniversary of the Great October Socia, xrefs: 0041A792, 0041A833
I-11 was an Imperial Japanese Navy Type A1 submarine that served during World War II. Designed as a submarine aircraft carrier and, xrefs: 0041A79D, 0041A83E
kernel32.dll, xrefs: 0041A7A8
Oregon Ballot Measure 56 or House Joint Resolution 15 (HJR 15) is a legislatively referred constitutional amendment that enacted l, xrefs: 0041A787, 0041A828
Taxonomic sequence (also known as systematic, phyletic or taxonomic order) is a sequence followed in listing of taxa which aids ea, xrefs: 0041A771, 0041A812
GetSystemTime, xrefs: 0041A7CF
Sleep, xrefs: 0041A7BC
The 1999 Rushmoor Council election took place on 6 May 1999 to elect members of Rushmoor Borough Council in Hampshire, England. On, xrefs: 0041A77C, 0041A81D

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep$lstrlen$AddressCloseEventHandleProclstrcpy$CreateExitLibraryLoadOpenProcesslstrcat
String ID: GetSystemTime$I-11 was an Imperial Japanese Navy Type A1 submarine that served during World War II. Designed as a submarine aircraft carrier and$Oregon Ballot Measure 56 or House Joint Resolution 15 (HJR 15) is a legislatively referred constitutional amendment that enacted l$Sleep$Taxonomic sequence (also known as systematic, phyletic or taxonomic order) is a sequence followed in listing of taxa which aids ea$The 1967 October Revolution Parade is the parade on Moscow's Red Square devoted to the 50th anniversary of the Great October Socia$The 1999 Rushmoor Council election took place on 6 May 1999 to elect members of Rushmoor Borough Council in Hampshire, England. On$kernel32.dll
API String ID: 1968030747-1157189060
Opcode ID: 54532dd25730401e9619ccf941eb7a63a5c16019b915d8d70357fc5f908c5c95
Instruction ID: d0fc9c7f70cd4d74f070b5276f1611ca398b8472acf39be3ffb0404d49fc07f7
Opcode Fuzzy Hash: 54532dd25730401e9619ccf941eb7a63a5c16019b915d8d70357fc5f908c5c95
Instruction Fuzzy Hash: 40D1AB356E121DEFDB006BE0AC2EBE87A6AAB17702F551125B30E9D0F0DAB444C19F75

Function 0041AAD6 Relevance: 105.2, APIs: 70, Instructions: 160
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000014), ref: 0041AA0F
Sleep.KERNEL32(00000014), ref: 0041AA17
Sleep.KERNEL32(00000014), ref: 0041AA1F
Sleep.KERNEL32(00000014), ref: 0041AA27
Sleep.KERNEL32(00000014), ref: 0041AA2F
Sleep.KERNEL32(00000014), ref: 0041AA37
OpenEventA.KERNEL32(001F0003,00000000,00000000), ref: 0041AA4D
Sleep.KERNEL32(00000014), ref: 0041AA5E
Sleep.KERNEL32(00000014), ref: 0041AA66
Sleep.KERNEL32(00000014), ref: 0041AA6E
Sleep.KERNEL32(00000014), ref: 0041AA76
Sleep.KERNEL32(00000014), ref: 0041AA7E
Sleep.KERNEL32(00000014), ref: 0041AA86
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0041AA9B
Sleep.KERNEL32(00000014), ref: 0041AAA6
Sleep.KERNEL32(00000014), ref: 0041AAAE
Sleep.KERNEL32(00000014), ref: 0041AAB6
Sleep.KERNEL32(00000014), ref: 0041AABE
Sleep.KERNEL32(00000014), ref: 0041AAC6
Sleep.KERNEL32(00000014), ref: 0041AACE
Sleep.KERNEL32(00000014), ref: 0041AADA
Sleep.KERNEL32(00000014), ref: 0041AAE2
Sleep.KERNEL32(00000014), ref: 0041AAEA
Sleep.KERNEL32(00000014), ref: 0041AAF2
Sleep.KERNEL32(00000014), ref: 0041AAFA
Sleep.KERNEL32(00000014), ref: 0041AB02
CloseHandle.KERNEL32(00000000), ref: 0041AB0B
Sleep.KERNEL32(00001B58), ref: 0041AB16
Sleep.KERNEL32(00000014), ref: 0041AB1E
Sleep.KERNEL32(00000014), ref: 0041AB26
Sleep.KERNEL32(00000014), ref: 0041AB2E
Sleep.KERNEL32(00000014), ref: 0041AB36
Sleep.KERNEL32(00000014), ref: 0041AB3E
Sleep.KERNEL32(00000014), ref: 0041AB46
Sleep.KERNEL32(00000014), ref: 0041AB53
Sleep.KERNEL32(00000014), ref: 0041AB5B
Sleep.KERNEL32(00000014), ref: 0041AB63
Sleep.KERNEL32(00000014), ref: 0041AB6B
Sleep.KERNEL32(00000014), ref: 0041AB73
Sleep.KERNEL32(00000014), ref: 0041AB7B
Sleep.KERNEL32(00000014), ref: 0041AB83
Sleep.KERNEL32(00000014), ref: 0041AB8B
Sleep.KERNEL32(00000014), ref: 0041AB93
Sleep.KERNEL32(00000014), ref: 0041AB9B
Sleep.KERNEL32(00000014), ref: 0041ABA3
Sleep.KERNEL32(00000014), ref: 0041ABAB
Sleep.KERNEL32(00000014), ref: 0041ABB8
Sleep.KERNEL32(00000014), ref: 0041ABC0
Sleep.KERNEL32(00000014), ref: 0041ABC8
Sleep.KERNEL32(00000014), ref: 0041ABD0
Sleep.KERNEL32(00000014), ref: 0041ABD8
Sleep.KERNEL32(00000014), ref: 0041ABE0
Sleep.KERNEL32(00000014), ref: 0041ABE8
Sleep.KERNEL32(00000014), ref: 0041ABF0
Sleep.KERNEL32(00000014), ref: 0041ABF8
Sleep.KERNEL32(00000014), ref: 0041AC00
Sleep.KERNEL32(00000014), ref: 0041AC08
Sleep.KERNEL32(00000014), ref: 0041AC10
CloseHandle.KERNEL32(?), ref: 0041AC19
Sleep.KERNEL32(00000014), ref: 0041AC21
Sleep.KERNEL32(00000014), ref: 0041AC29
Sleep.KERNEL32(00000014), ref: 0041AC31
Sleep.KERNEL32(00000014), ref: 0041AC39
Sleep.KERNEL32(00000014), ref: 0041AC41
Sleep.KERNEL32(00000014), ref: 0041AC49
Sleep.KERNEL32(00000014), ref: 0041AC51
Sleep.KERNEL32(00000014), ref: 0041AC59
Sleep.KERNEL32(00000014), ref: 0041AC61
Sleep.KERNEL32(00000014), ref: 0041AC69
Sleep.KERNEL32(00000014), ref: 0041AC71
Sleep.KERNEL32(00000014), ref: 0041AC79
Sleep.KERNEL32(00000014), ref: 0041AC81
Sleep.KERNEL32(00000014), ref: 0041AC89
Sleep.KERNEL32(00000014), ref: 0041AC91
Sleep.KERNEL32(00000014), ref: 0041AC99
Sleep.KERNEL32(00000014), ref: 0041ACA1
Sleep.KERNEL32(00000014), ref: 0041ACA9
ExitProcess.KERNEL32 ref: 0041ACB1

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep$CloseEventHandle$CreateExitOpenProcess
String ID:
API String ID: 3990214622-0
Opcode ID: 939382f14eacfc35bc189caa75c6057b8e340a7325aef0680f6e940db5972843
Instruction ID: 010346d2f35c5d2b6dfb22c7d70376198b9011b0162d7776d674804ad5e558a3
Opcode Fuzzy Hash: 939382f14eacfc35bc189caa75c6057b8e340a7325aef0680f6e940db5972843
Instruction Fuzzy Hash: AC5157395E620DEFEB006BE09D1EBE83666AB17706F151015B30E9C0F0CA7444C59F36

Function 00404E03 Relevance: 58.5, APIs: 25, Strings: 8, Instructions: 713
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404373
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404387
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 0040439B
Part of subcall function 0040430F: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
Part of subcall function 0040430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

lstrlenA.KERNEL32(00000000), ref: 00404E8B

Part of subcall function 0041302D: CryptBinaryToStringA.CRYPT32(00000000,00404E7F,40000001,00000000,00000000), ref: 0041304A

StrCmpCA.SHLWAPI(?,00425200,00425200,00425200,00425200), ref: 00404EEF
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F17
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405025
HttpOpenRequestA.WININET(00000000,?,00000000,00000000,00400100,00000000), ref: 00405082
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004050BA

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

lstrlenA.KERNEL32(00000000,00000000,?,",00000000,?,file_data,00000000,?,00000000,?,00428D7C,00000000,?,00000000,00000000), ref: 00405579
lstrlenA.KERNEL32(00000000), ref: 0040558D
GetProcessHeap.KERNEL32(00000000,?), ref: 0040559D
HeapAlloc.KERNEL32(00000000), ref: 004055A4
lstrlenA.KERNEL32(00000000), ref: 004055B9
memcpy.MSVCRT ref: 004055CF
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 004055E6
memcpy.MSVCRT ref: 004055F3
lstrlenA.KERNEL32(00000000), ref: 00405604
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 0040561D
memcpy.MSVCRT ref: 0040562D
lstrlenA.KERNEL32(00000000,?,?), ref: 00405647
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 0040565A
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0040568D
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00405730
StrCmpCA.SHLWAPI(00000000,block), ref: 004057A1
ExitProcess.KERNEL32 ref: 004057AD
InternetCloseHandle.WININET(00000000), ref: 00405824

Strings

--, xrefs: 00404F69
------, xrefs: 004050C0, 00405200, 00405341, 00405480
", xrefs: 00405189, 004052C8, 0040540A, 00405548
------, xrefs: 00404F80
ERROR, xrefs: 00405697, 004057B5
build_id, xrefs: 004052A0
block, xrefs: 00405790
file_data, xrefs: 00405520

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$Httpmemcpy$HeapOpenProcessRequestlstrcat$AllocBinaryCloseConnectCrackCryptExitFileHandleInfoOptionQueryReadSendString
String ID: ------$"$--$------$ERROR$block$build_id$file_data
API String ID: 291296625-1063948816
Opcode ID: 941268b52b4c2f1080921e961083cd3901daec87e8b66a8e899ed6db65051c96
Instruction ID: 347b2e4d89f66f0c0c6539a9aa54472735362a414d5b47530b2be4bc622c77f0
Opcode Fuzzy Hash: 941268b52b4c2f1080921e961083cd3901daec87e8b66a8e899ed6db65051c96
Instruction Fuzzy Hash: 76520E729101189ADB14FBA1EC96FDE7379AF15305F5080AAF216B21F1DF386A88CF54

Function 0041AD16 Relevance: 49.7, APIs: 33, Instructions: 151
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 0041AD54
GetProcAddress.KERNEL32 ref: 0041AD6B
GetProcAddress.KERNEL32 ref: 0041AD82
GetProcAddress.KERNEL32 ref: 0041AD99
GetProcAddress.KERNEL32 ref: 0041ADB0
GetProcAddress.KERNEL32 ref: 0041ADC7
GetProcAddress.KERNEL32 ref: 0041ADDE
GetProcAddress.KERNEL32 ref: 0041ADF5
GetProcAddress.KERNEL32 ref: 0041AE0C
GetProcAddress.KERNEL32 ref: 0041AE23
GetProcAddress.KERNEL32 ref: 0041AE3A
GetProcAddress.KERNEL32 ref: 0041AE51
GetProcAddress.KERNEL32 ref: 0041AE68
GetProcAddress.KERNEL32 ref: 0041AE7F
GetProcAddress.KERNEL32 ref: 0041AE96
GetProcAddress.KERNEL32 ref: 0041AEAD
GetProcAddress.KERNEL32 ref: 0041AEC4
GetProcAddress.KERNEL32 ref: 0041AEDB
GetProcAddress.KERNEL32 ref: 0041AEF2
GetProcAddress.KERNEL32 ref: 0041AF09
GetProcAddress.KERNEL32 ref: 0041AF20
LoadLibraryA.KERNEL32(?,0041A8B3), ref: 0041AF31
LoadLibraryA.KERNEL32(?,0041A8B3), ref: 0041AF42
LoadLibraryA.KERNEL32(?,0041A8B3), ref: 0041AF53
LoadLibraryA.KERNEL32(?,0041A8B3), ref: 0041AF64
LoadLibraryA.KERNEL32(?,0041A8B3), ref: 0041AF75
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041AF95
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041AFB5
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041AFCC
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041AFEC
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041B00C
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041B02C
GetProcAddress.KERNEL32(?,0041A8B3), ref: 0041B043

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 8ed0b4f8c3e954e1fc1dc6971364bbe040f0f26000e4905d9b82ffd922f5bdfa
Instruction ID: e6d1e2ba0aaa9db7fee79aa5ca47b6abfb0ed3e486351d87d65decbaef8ebfc5
Opcode Fuzzy Hash: 8ed0b4f8c3e954e1fc1dc6971364bbe040f0f26000e4905d9b82ffd922f5bdfa
Instruction Fuzzy Hash: DD81C679481214EFEB026F60FE19AA43FA3F70B345715712AE90689670E77648A8EF40

Function 004151E4 Relevance: 48.1, APIs: 2, Strings: 25, Instructions: 830
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 00411C63: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,Version: ,00425200), ref: 00411C70
Part of subcall function 00411C63: HeapAlloc.KERNEL32(00000000), ref: 00411C77
Part of subcall function 00411C63: GetLocalTime.KERNEL32(?), ref: 00411C84
Part of subcall function 00411C63: wsprintfA.USER32 ref: 00411CB1

Part of subcall function 004125CA: memset.MSVCRT ref: 004125F2
Part of subcall function 004125CA: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?), ref: 00412612
Part of subcall function 004125CA: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,00000000,000000FF), ref: 00412639
Part of subcall function 004125CA: CharToOemA.USER32(00000000,?), ref: 00412659

Part of subcall function 00412667: GetCurrentHwProfileA.ADVAPI32(?), ref: 00412674

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 00411948: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00411964
Part of subcall function 00411948: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004119A1
Part of subcall function 00411948: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411A18
Part of subcall function 00411948: HeapAlloc.KERNEL32(00000000), ref: 00411A1F

GetCurrentProcessId.KERNEL32(00000000,?,Path: ,00000000,?,00428FE4,00000000,?,00000000,00000000,?,HWID: ,00000000,?,00428E48,00000000), ref: 00415497

Part of subcall function 00413563: OpenProcess.KERNEL32(00000410,00000000,004154AA), ref: 00413576
Part of subcall function 00413563: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00413596
Part of subcall function 00413563: CloseHandle.KERNEL32(00000000), ref: 0041359F

Part of subcall function 00411ADD: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411AF1
Part of subcall function 00411ADD: HeapAlloc.KERNEL32(00000000), ref: 00411AF8

Part of subcall function 004127AF: CoInitializeEx.OLE32(00000000,00000000,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000,?,00428FE4), ref: 004127D9
Part of subcall function 004127AF: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00428E48,00000000,?), ref: 004127F1
Part of subcall function 004127AF: CoCreateInstance.OLE32(0042AE78,00000000,00000001,0042ADA8,00000000,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ), ref: 0041280D
Part of subcall function 004127AF: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,?,00428E48,00000000,?,00000000), ref: 00412855

Part of subcall function 004129BF: CoInitializeEx.OLE32(00000000,00000000,?,?,?,Windows: ,00000000,?,00428FE4,00000000,?,Work Dir: In memory,00000000,?,00428E48,00000000), ref: 004129E9
Part of subcall function 004129BF: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,Windows: ,00000000,?,00428FE4), ref: 00412A01
Part of subcall function 004129BF: CoCreateInstance.OLE32(0042AE78,00000000,00000001,0042ADA8,00000000,?,?,?,Windows: ,00000000,?,00428FE4,00000000,?), ref: 00412A1D
Part of subcall function 004129BF: CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,Windows: ,00000000,?,00428FE4,00000000), ref: 00412A65

Part of subcall function 00411C21: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00415711,00000000,?,Computer Name: ,00000000,?,00428E48,00000000,?,00000000,00000000), ref: 00411C2D
Part of subcall function 00411C21: HeapAlloc.KERNEL32(00000000,?,?,?,00415711,00000000,?,Computer Name: ,00000000,?,00428E48,00000000,?,00000000,00000000,?), ref: 00411C34
Part of subcall function 00411C21: GetComputerNameA.KERNEL32(00000000,00000104), ref: 00411C4B

Part of subcall function 00411BEC: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,0041A955), ref: 00411BF8
Part of subcall function 00411BEC: HeapAlloc.KERNEL32(00000000,?,?,?,0041A955), ref: 00411BFF
Part of subcall function 00411BEC: GetUserNameA.ADVAPI32(?,00000104), ref: 00411C16

Part of subcall function 0041254A: CreateDCA.GDI32(00000000,00000000,00000000,?), ref: 0041255C
Part of subcall function 0041254A: GetDeviceCaps.GDI32(?,00000008), ref: 0041256A
Part of subcall function 0041254A: GetDeviceCaps.GDI32(?,0000000A), ref: 00412578
Part of subcall function 0041254A: ReleaseDC.USER32(00000000,?), ref: 00412586
Part of subcall function 0041254A: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00412593
Part of subcall function 0041254A: HeapAlloc.KERNEL32(00000000), ref: 0041259A
Part of subcall function 0041254A: wsprintfA.USER32 ref: 004125B1

Part of subcall function 00411D31: GetKeyboardLayoutList.USER32(00000000,00000000,00425200), ref: 00411D59
Part of subcall function 00411D31: LocalAlloc.KERNEL32(00000040,?), ref: 00411D71
Part of subcall function 00411D31: GetKeyboardLayoutList.USER32(?,00000000), ref: 00411D83
Part of subcall function 00411D31: GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000200), ref: 00411DD3
Part of subcall function 00411D31: LocalFree.KERNEL32(00000000), ref: 00411E90

Part of subcall function 00411CBF: GetProcessHeap.KERNEL32(00000000,00000104,00428E48,00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00428E48,00000000,?,00000000,00000000), ref: 00411CCF
Part of subcall function 00411CBF: HeapAlloc.KERNEL32(00000000), ref: 00411CD6
Part of subcall function 00411CBF: GetTimeZoneInformation.KERNEL32(?), ref: 00411CE9

Part of subcall function 00411EB5: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00411EC9
Part of subcall function 00411EB5: HeapAlloc.KERNEL32(00000000), ref: 00411ED0
Part of subcall function 00411EB5: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000), ref: 00411EEF
Part of subcall function 00411EB5: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,000000FF,000000FF), ref: 00411F0D

Part of subcall function 00411F54: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00411F87
Part of subcall function 00411F54: GetLastError.KERNEL32 ref: 00411F96

Part of subcall function 00411F21: GetSystemInfo.KERNEL32(00000000), ref: 00411F2E
Part of subcall function 00411F21: wsprintfA.USER32 ref: 00411F43

Part of subcall function 00412081: GetProcessHeap.KERNEL32(00000000,00000104,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000,?,00428FE4,00000000,?,Work Dir: In memory), ref: 0041208E
Part of subcall function 00412081: HeapAlloc.KERNEL32(00000000), ref: 00412095
Part of subcall function 00412081: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 004120B6
Part of subcall function 00412081: __aulldiv.LIBCMT ref: 004120CE
Part of subcall function 00412081: __aulldiv.LIBCMT ref: 004120DC
Part of subcall function 00412081: wsprintfA.USER32 ref: 004120FF

Part of subcall function 0041210D: EnumDisplayDevicesA.USER32(00000000,00000000,000001A8,00000001), ref: 00412148

Part of subcall function 0041246A: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00412491
Part of subcall function 0041246A: Process32First.KERNEL32(00000000,00000128), ref: 004124A4
Part of subcall function 0041246A: Process32Next.KERNEL32(00000000,00000128), ref: 004124B8
Part of subcall function 0041246A: CloseHandle.KERNEL32(00000000), ref: 00412525

Part of subcall function 0041218B: RegOpenKeyExA.KERNEL32(00000000,00000000,00020019,00000000,00425200), ref: 004121DE

Part of subcall function 0041218B: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00412259
Part of subcall function 0041218B: wsprintfA.USER32 ref: 0041228B
Part of subcall function 0041218B: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 004122AC

lstrlenA.KERNEL32(00000000,00000000,?,00428FE4,00000000,?,00000000,00000000,?,00000000,00000000,?,[Software],00000000,?,00428FE4), ref: 00415DE1

Part of subcall function 00418DB9: _MSFOpenExW.MSPDB140-MSVCRT ref: 00418E6C
Part of subcall function 00418DB9: CreateThread.KERNEL32(00000000,00000000,00418C65,?,00000000,00000000), ref: 00418E85
Part of subcall function 00418DB9: WaitForSingleObject.KERNEL32(?,000003E8), ref: 00418E96

Strings

RAM: , xrefs: 00415B73
[Processes], xrefs: 00415C78
VideoCard: , xrefs: 00415BEC
MachineID: , xrefs: 004152EA
TimeZone: , xrefs: 00415967
information.txt, xrefs: 00415DF6
[Hardware], xrefs: 004159E0
Keyboard Languages: , xrefs: 00415862
Windows: , xrefs: 00415553
Processor: , xrefs: 00415A08
AV: , xrefs: 00415658
Local Time: , xrefs: 004158EE
Cores: , xrefs: 00415A81
Computer Name: , xrefs: 004156E4
GUID: , xrefs: 00415357
HWID: , xrefs: 004153E3
Threads: , xrefs: 00415AFA
User Name: , xrefs: 0041575D
Date: , xrefs: 00415283
Display Resolution: , xrefs: 004157D6
Work Dir: In memory, xrefs: 00415503
Install Date: , xrefs: 004155CC
[Software], xrefs: 00415D04
Path: , xrefs: 0041546F
Version: , xrefs: 004151FA

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$Open$Createwsprintf$Initializelstrcpy$InformationLocalName$BlanketCapsCloseCurrentDeviceEnumHandleInfoInstanceKeyboardLayoutListProcess32ProxyQuerySecurityTimeValue__aulldivlstrcatlstrlen$CharComputerDevicesDirectoryDisplayErrorFileFirstFreeGlobalLastLocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZonememset
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 4242084749-1014693891
Opcode ID: ec29a3163d9d18987f0e179795c7a0416d16bd3ffa26116ace8d5c82db2c5aaf
Instruction ID: 98b063b3ea0cf676e7d3c9db5d6b4e855844e07ef84fbbd767ca72325addcb2a
Opcode Fuzzy Hash: ec29a3163d9d18987f0e179795c7a0416d16bd3ffa26116ace8d5c82db2c5aaf
Instruction Fuzzy Hash: BC629172900118AACB15F7A1DD96DDE7379AF14305F5042AFF226B21B1EF346B88CE58

Function 004083A6 Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 265
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 00412D64: GetSystemTime.KERNEL32(00000000,00425200), ref: 00412D8A

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,?,004251E8,?,00000000,00425200), ref: 00408450
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 004084C9
RtlAllocateHeap.NTDLL(00000000), ref: 004084D0
lstrlenA.KERNEL32(00000000,00000000), ref: 0040856A
lstrcatA.KERNEL32(?), ref: 0040858F
lstrcatA.KERNEL32(?,00000000), ref: 004085A1
lstrcatA.KERNEL32(?,00428E50), ref: 004085AF
lstrcatA.KERNEL32(?,00000000), ref: 004085C1
lstrcatA.KERNEL32(?,00428E4C), ref: 004085CF
lstrcatA.KERNEL32(?), ref: 004085DE
lstrcatA.KERNEL32(?,00000000), ref: 004085F0
lstrcatA.KERNEL32(?,00428E48), ref: 004085FE
lstrcatA.KERNEL32(?), ref: 0040860D
lstrcatA.KERNEL32(?,00000000), ref: 0040861F
lstrcatA.KERNEL32(?,00428E48), ref: 0040862D
lstrcatA.KERNEL32(?), ref: 0040863C
lstrcatA.KERNEL32(?,00000000), ref: 0040864E
lstrcatA.KERNEL32(?,00428E48), ref: 0040865C
lstrcatA.KERNEL32(?,00428E48), ref: 0040866A
lstrlenA.KERNEL32(?), ref: 00408688
memset.MSVCRT ref: 004086D4
DeleteFileA.KERNEL32(00000000), ref: 00408701

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 004135B9: memset.MSVCRT ref: 004135D4
Part of subcall function 004135B9: OpenProcess.KERNEL32(00001001,00000000,?), ref: 0041368A
Part of subcall function 004135B9: TerminateProcess.KERNEL32(00000000,00000000), ref: 004136A7
Part of subcall function 004135B9: CloseHandle.KERNEL32(00000000), ref: 004136B3

Strings

passwords.txt, xrefs: 00408697

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$Processlstrlen$FileHeapmemset$AllocateCloseCopyDeleteHandleOpenSystemTerminateTime
String ID: passwords.txt
API String ID: 1737540870-347816968
Opcode ID: e7516f4a65ce10130fd093f07ba65f7fdb76d7e0e32bba32449652ac384407af
Instruction ID: 4868cb4a0c5d8df9b0255056c1bbdf5f8baa826a61240bfbc382e0845978a72e
Opcode Fuzzy Hash: e7516f4a65ce10130fd093f07ba65f7fdb76d7e0e32bba32449652ac384407af
Instruction Fuzzy Hash: 00A11972900108AFDF05EBA1ED5AAED7B79FF15305F60502AF112B10B1EF3A5A44CB69

Function 00418FD9 Relevance: 34.5, APIs: 4, Strings: 15, Instructions: 1237
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 00411715: lstrlenA.KERNEL32(?,?,?,00419018,00425200,00425200,?,?,?,0041ABB6), ref: 0041171F
Part of subcall function 00411715: lstrcpyA.KERNEL32(0041ABB6,00000000,?,00419018,00425200,00425200), ref: 0041176D

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 004138BA: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004138F5
Part of subcall function 004138BA: Process32First.KERNEL32(00429888,00000128), ref: 00413908
Part of subcall function 004138BA: Process32Next.KERNEL32(00429888,00000128), ref: 0041391C
Part of subcall function 004138BA: StrCmpCA.SHLWAPI(?,0042988C), ref: 00413930
Part of subcall function 004138BA: FindCloseChangeNotification.KERNEL32(00429888), ref: 00413943

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,?,?,?,00425200,00000000), ref: 00419657
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041972D
InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419747

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 00411948: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00411964
Part of subcall function 00411948: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004119A1
Part of subcall function 00411948: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411A18
Part of subcall function 00411948: HeapAlloc.KERNEL32(00000000), ref: 00411A1F

Part of subcall function 004043FA: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404492
Part of subcall function 004043FA: StrCmpCA.SHLWAPI(?), ref: 004044B2

Part of subcall function 00414F8C: StrCmpCA.SHLWAPI(00000000,block), ref: 00414FB1
Part of subcall function 00414F8C: ExitProcess.KERNEL32 ref: 00414FBD

Part of subcall function 0040F99F: StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040F9EF
Part of subcall function 0040F99F: StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040FA75

Part of subcall function 004058C4: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040595F
Part of subcall function 004058C4: StrCmpCA.SHLWAPI(?), ref: 00405975

Part of subcall function 0041497B: strtok_s.MSVCRT ref: 004149A3
Part of subcall function 0041497B: strtok_s.MSVCRT ref: 00414A94

Part of subcall function 00417B07: lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00417B40
Part of subcall function 00417B07: lstrcatA.KERNEL32(?), ref: 00417B5E

Sleep.KERNEL32(000003E8), ref: 00419AFA

Part of subcall function 00417C93: memset.MSVCRT ref: 00417CAA
Part of subcall function 00417C93: lstrcatA.KERNEL32(?,00000000), ref: 00417CD1
Part of subcall function 00417C93: lstrcatA.KERNEL32(?,\.azure\), ref: 00417CEE
Part of subcall function 00417C93: memset.MSVCRT ref: 00417D2E
Part of subcall function 00417C93: lstrcatA.KERNEL32(?,00000000), ref: 00417D55
Part of subcall function 00417C93: lstrcatA.KERNEL32(?,\.aws\), ref: 00417D72
Part of subcall function 00417C93: memset.MSVCRT ref: 00417DB2
Part of subcall function 00417C93: lstrcatA.KERNEL32(?,00000000), ref: 00417DD9
Part of subcall function 00417C93: lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00417DF6

Part of subcall function 00404E03: lstrlenA.KERNEL32(00000000), ref: 00404E8B
Part of subcall function 00404E03: StrCmpCA.SHLWAPI(?,00425200,00425200,00425200,00425200), ref: 00404EEF
Part of subcall function 00404E03: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404F17

Strings

arp, xrefs: 00419FF8
d, xrefs: 00419147
dabl, xrefs: 0041A026
tea, xrefs: 00419F9C
d, xrefs: 00419188
2, xrefs: 0041A169
2, xrefs: 004191C9
d, xrefs: 0041A217
d, xrefs: 0041A1C0
http://, xrefs: 00419F6E
_DEBUG.zip, xrefs: 0041A0C1
org, xrefs: 0041A082
d, xrefs: 00419106
.exe, xrefs: 00419557, 00419EF7
d, xrefs: 0041A26E

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$InternetOpenlstrcpy$lstrlenmemset$CreateDirectoryHeapProcessProcess32strtok_s$AllocChangeCloseExitFindFirstInformationNextNotificationSleepSnapshotToolhelp32VolumeWindows
String ID: .exe$2$2$_DEBUG.zip$arp$d$d$d$d$d$d$dabl$http://$org$tea
API String ID: 4021577771-4025179836
Opcode ID: d8ddd20c65dbe4accbe59cdc2a04e807221df0d548ce8610666dd4a4d36cae5e
Instruction ID: 114828df09490f9f1d13115ca2c7a84a7d1e175cc6150afb538a57f6698be508
Opcode Fuzzy Hash: d8ddd20c65dbe4accbe59cdc2a04e807221df0d548ce8610666dd4a4d36cae5e
Instruction Fuzzy Hash: 93B22F71D041289ADB14FB61DC96ADDB778AB11304F5440EAE50EA21A1DF3C6FC8CF69

Function 00408741 Relevance: 32.0, APIs: 21, Instructions: 471
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004118F6: StrCmpCA.SHLWAPI(?,?), ref: 00411913

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00408A97
RtlAllocateHeap.NTDLL(00000000), ref: 00408A9E
CopyFileA.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,?,004251E8,?,00000000,00425200), ref: 00408885

Part of subcall function 00411715: lstrlenA.KERNEL32(?,?,?,00419018,00425200,00425200,?,?,?,0041ABB6), ref: 0041171F
Part of subcall function 00411715: lstrcpyA.KERNEL32(0041ABB6,00000000,?,00419018,00425200,00425200), ref: 0041176D

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

lstrcatA.KERNEL32(?,00000000,00000000,00428E58,00428E58,00000000), ref: 00408BCD
lstrcatA.KERNEL32(?,00428E54), ref: 00408BDB
lstrcatA.KERNEL32(?,00000000), ref: 00408BED
lstrcatA.KERNEL32(?,00428E54), ref: 00408BFB
lstrcatA.KERNEL32(?,00000000), ref: 00408C0D
lstrcatA.KERNEL32(?,00428E54), ref: 00408C1B
lstrcatA.KERNEL32(?,00000000), ref: 00408C2D
lstrcatA.KERNEL32(?,00428E54), ref: 00408C3B
lstrcatA.KERNEL32(?,00000000), ref: 00408C4D
lstrcatA.KERNEL32(?,00428E54), ref: 00408C5B
lstrcatA.KERNEL32(?,00000000), ref: 00408C6D
lstrcatA.KERNEL32(?,00428E54), ref: 00408C7B
lstrcatA.KERNEL32(?,00000000), ref: 00408CBD
lstrcatA.KERNEL32(?,00428E48), ref: 00408CD6
lstrlenA.KERNEL32(?), ref: 00408D14
lstrlenA.KERNEL32(?), ref: 00408D22
memset.MSVCRT ref: 00408D6D

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

DeleteFileA.KERNEL32(00000000), ref: 00408D92

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessmemset
String ID:
API String ID: 1498849721-0
Opcode ID: 9e96b593e49dfbaf82baf5f3f7b14edd2bd44551348f714d62c2555fbf218532
Instruction ID: 75b67620860664da6d1f04eed94d7d10b36c4f27a8908ca0f5e9c5d632b00ffa
Opcode Fuzzy Hash: 9e96b593e49dfbaf82baf5f3f7b14edd2bd44551348f714d62c2555fbf218532
Instruction Fuzzy Hash: 02021D71900109AADB05FBA1ED56EEE7779EF11309F50406AF216B10F1EF395A88CB68

Function 0042095B Relevance: 28.6, APIs: 14, Strings: 2, Instructions: 617
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

T, xrefs: 00420CE3
U, xrefs: 00420CDC

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: T$U
API String ID: 0-2115836835
Opcode ID: 10f69da23589928bea78b6bdb87915afbf723c228a04615c940d6145975852ec
Instruction ID: 4e7ab3bbaac243ee1ce136935939dafd3e3fd9ddb02e4ea4b8407d5d40478ec4
Opcode Fuzzy Hash: 10f69da23589928bea78b6bdb87915afbf723c228a04615c940d6145975852ec
Instruction Fuzzy Hash: 626218B4A042A9CFDB20CF54D884BE9B7B4AF14305F5440DBEA09A7252D7389E89CF59

Function 004043FA Relevance: 28.5, APIs: 12, Strings: 4, Instructions: 451
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404373
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404387
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 0040439B
Part of subcall function 0040430F: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
Part of subcall function 0040430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404492
StrCmpCA.SHLWAPI(?), ref: 004044B2
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040462C
HttpOpenRequestA.WININET(00000000,?,00000000,00000000,00400100,00000000), ref: 00404682
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004046BA

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00425200,00000000,?,?,00000000,?,",00000000,?,build_id), ref: 0040497C
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404998
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004049AB
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004049D5
InternetCloseHandle.WININET(00000000), ref: 00404A38
InternetCloseHandle.WININET(00000000), ref: 00404A4F
InternetCloseHandle.WININET(00000000), ref: 00404A58

Strings

------, xrefs: 00404534, 004046C0, 004047FF
", xrefs: 00404788, 004048C7
hwid, xrefs: 00404760
build_id, xrefs: 0040489F

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: "$------$build_id$hwid
API String ID: 3006978581-50533134
Opcode ID: cceb3a196459d883b403675918582489495ab2fed22875715751cb834377af79
Instruction ID: 067cb1f7702ceabbac9578a1173a021fc80b9e748851ef74f8b32e742b117f95
Opcode Fuzzy Hash: cceb3a196459d883b403675918582489495ab2fed22875715751cb834377af79
Instruction Fuzzy Hash: 22124E71900218AADB15EBA1DD92FDEB379BF15305F5000AAF216B21E1DF386B88CF54

Function 004127AF Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 172
memorycomtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000,?,00428FE4), ref: 004127D9
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,00428E48,00000000,?), ref: 004127F1
CoCreateInstance.OLE32(0042AE78,00000000,00000001,0042ADA8,00000000,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ), ref: 0041280D
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,?,?,00428E48,00000000,?,00000000), ref: 00412855
VariantInit.OLEAUT32(?), ref: 004128C1
FileTimeToSystemTime.KERNEL32(?,00000000,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000), ref: 004128FA
GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000), ref: 00412907
HeapAlloc.KERNEL32(00000000,?,?,?,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000), ref: 0041290E
wsprintfA.USER32 ref: 0041293D
VariantClear.OLEAUT32(?), ref: 00412955

Strings

InstallDate, xrefs: 004128D1
ROOT\CIMV2, xrefs: 00412817
Select * From Win32_OperatingSystem, xrefs: 0041285F
Unknown, xrefs: 0041296A, 0041297E, 004129A0
WQL, xrefs: 00412871
%d/%d/%d %d:%d:%d, xrefs: 00412935

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HeapInitializeTimeVariant$AllocBlanketClearCreateFileInitInstanceProcessProxySecuritySystemwsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$WQL
API String ID: 1977436990-271508173
Opcode ID: ba33cfd2da918b761e9130eb7da6f96fb9872cbbfcfe80a5cabb4ca5af105773
Instruction ID: b87b7ae96d8d1a7714e06012ec36ed585f0f60198b44980e8310200412a3d949
Opcode Fuzzy Hash: ba33cfd2da918b761e9130eb7da6f96fb9872cbbfcfe80a5cabb4ca5af105773
Instruction Fuzzy Hash: B561F671A40218BFDB10DB94DD46FEDBBB8BB08B11F604116F611FA1D0C7B8A991CB69

Function 00404239 Relevance: 27.1, APIs: 12, Strings: 6, Instructions: 73memorystringCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0040234D,004257D0,AVAI4Z1EK55HX1Z,0000000F,?,0041A87E), ref: 00404246
wcslen.MSVCRT ref: 00404272
wcslen.MSVCRT ref: 0040427D
wcslen.MSVCRT ref: 00404288
wcslen.MSVCRT ref: 00404293
strlen.MSVCRT ref: 004042A5
wcslen.MSVCRT ref: 004042CA
wcslen.MSVCRT ref: 004042D5
wcslen.MSVCRT ref: 004042E2
wcslen.MSVCRT ref: 004042ED
wcslen.MSVCRT ref: 004042F8
wcslen.MSVCRT ref: 00404303

Strings

Ici Radio-Canada Tl (stylized as ICI Radio-Canada Tl, and sometimes abbreviated as Ici Tl) is a Canadian French-language fre, xrefs: 0040428E, 004042FE
Niedert is an Ortsgemeinde , xrefs: 00404283, 004042F3
Chrysorabdia bivitta is a moth of the subfamily Arctiinae first described by Francis Walker in 1856., xrefs: 0040426D, 004042DD
Organ perforation is a complete penetration of the wall of a hollow organ in the body, such as the gastrointestinal tract in the c, xrefs: 00404278, 004042E8
GAS5 noncoding RNA, which accumulates in growth arrested cells, acts as a decoy hormone response element for the glucocorticoid re, xrefs: 004042D0
The KLW SE10B is a low-emissions diesel switcher locomotive built by Knoxville Locomotive Works. It is powered by a single MTU Ser, xrefs: 004042C5

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: wcslen$AllocLocalstrlen
String ID: Chrysorabdia bivitta is a moth of the subfamily Arctiinae first described by Francis Walker in 1856.$GAS5 noncoding RNA, which accumulates in growth arrested cells, acts as a decoy hormone response element for the glucocorticoid re$Ici Radio-Canada Tl (stylized as ICI Radio-Canada Tl, and sometimes abbreviated as Ici Tl) is a Canadian French-language fre$Niedert is an Ortsgemeinde $Organ perforation is a complete penetration of the wall of a hollow organ in the body, such as the gastrointestinal tract in the c$The KLW SE10B is a low-emissions diesel switcher locomotive built by Knoxville Locomotive Works. It is powered by a single MTU Ser
API String ID: 224765317-2971033767
Opcode ID: b2908c616810051979d5b7c1935cb1d71aeefb77bac9279ab48edbe17b9693c0
Instruction ID: 15c8a1cfb45bc9c132fd9fd4faededd5fc4f4c62c30039555f1f88a1b54c1e58
Opcode Fuzzy Hash: b2908c616810051979d5b7c1935cb1d71aeefb77bac9279ab48edbe17b9693c0
Instruction Fuzzy Hash: 9A213071785268AFDB04EBE9F8C7B5CBBE4EFD4714FA0006FF40496191DEB869408619

Function 00404AD5 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 197networkmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404373
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404387
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 0040439B
Part of subcall function 0040430F: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
Part of subcall function 0040430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404B22
RtlAllocateHeap.NTDLL(00000000), ref: 00404B29
InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404B54
StrCmpCA.SHLWAPI(?), ref: 00404B6D
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404BA1
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00400100,00000000), ref: 00404C00
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00404C38
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404C49
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00404C74
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00404D05
InternetCloseHandle.WININET(00000000), ref: 00404D9B
InternetCloseHandle.WININET(00000000), ref: 00404DA7
InternetCloseHandle.WININET(00000000), ref: 00404DC5

Strings

GET, xrefs: 00404BF5

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET
API String ID: 442264750-1805413626
Opcode ID: f16c31e6c77223db1b221cad6f523a7c8a9ce9fa98b564ab69779ee6bb960051
Instruction ID: d037288fe89579f4ab5843d1a5928f681561e61fb867290b5a494df79b11f7d7
Opcode Fuzzy Hash: f16c31e6c77223db1b221cad6f523a7c8a9ce9fa98b564ab69779ee6bb960051
Instruction Fuzzy Hash: 769115B4900228AFDF20DF50DC45BEEB7B5BB45306F1040EAE609B6291DB796AC4DF49

Function 00406312 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 184networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404373
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404387
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 0040439B
Part of subcall function 0040430F: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
Part of subcall function 0040430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406373
StrCmpCA.SHLWAPI(?), ref: 00406390
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004063BE
HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00400100,00000000), ref: 0040640A
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00406442
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406453
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 0040647E
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 004064F3
InternetCloseHandle.WININET(00000000), ref: 0040657C
InternetCloseHandle.WININET(00000000), ref: 00406585
InternetCloseHandle.WININET(00000000), ref: 0040658E

Strings

ERROR, xrefs: 00406488, 0040654F
GET, xrefs: 00406402

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$GET
API String ID: 3749127164-3591763792
Opcode ID: 963ac1e056751af433d780a8216807e69140fad55e256c3b4c315ddae2ff65c2
Instruction ID: 51cd531d8c454c4eabdc451ce72ca3cccbe2bef7883915b0542a7032e80e54d3
Opcode Fuzzy Hash: 963ac1e056751af433d780a8216807e69140fad55e256c3b4c315ddae2ff65c2
Instruction Fuzzy Hash: 9E710871900218EFDF21EFA0DC45BDD7B75AB05305F6040AAF606BA1E0DBB96A94CF49

Function 00418167 Relevance: 21.7, APIs: 11, Strings: 1, Instructions: 749COMMON

Download Yara Rule

APIs

Part of subcall function 00411715: lstrlenA.KERNEL32(?,?,?,00419018,00425200,00425200,?,?,?,0041ABB6), ref: 0041171F
Part of subcall function 00411715: lstrcpyA.KERNEL32(0041ABB6,00000000,?,00419018,00425200,00425200), ref: 0041176D

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004182BD
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00418321

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 00417E48: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00417E8B

Part of subcall function 00417F35: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00417F96
Part of subcall function 00417F35: lstrlenA.KERNEL32(00000000), ref: 00417FAD
Part of subcall function 00417F35: StrStrA.SHLWAPI(00000000,00000000), ref: 00417FDD
Part of subcall function 00417F35: lstrlenA.KERNEL32(00000000), ref: 00417FF9
Part of subcall function 00417F35: lstrlenA.KERNEL32(00000000), ref: 0041801F

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041840E
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00418519
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00418606
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00418711
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 004187FE
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00418909
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00418B01

Strings

ERROR, xrefs: 004182AF, 00418313, 00418400, 0041850B, 004185F8, 00418703, 004187F0, 004188FB, 004189E8, 00418AF3

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen
String ID: ERROR
API String ID: 2001356338-2861137601
Opcode ID: 601a58bd0b0876066a53ea39e9bf7ef070bc13c226733b0f19d5a4e6bce83ed6
Instruction ID: 2f695ca300a8a73312befe9c8800e9116e76318d555d5372ca32ba18f7f60556
Opcode Fuzzy Hash: 601a58bd0b0876066a53ea39e9bf7ef070bc13c226733b0f19d5a4e6bce83ed6
Instruction Fuzzy Hash: 2D4232719001085ACB14FBF1ED5B9EE7378AF10305F90416FF516A61E2EF7C9A88CA99

Function 00411948 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 116memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00411964
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004119A1
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411A18
HeapAlloc.KERNEL32(00000000), ref: 00411A1F
wsprintfA.USER32 ref: 00411A54
lstrcatA.KERNEL32(00000000,00429270), ref: 00411A65

Part of subcall function 00412667: GetCurrentHwProfileA.ADVAPI32(?), ref: 00412674

lstrlenA.KERNEL32(00000000), ref: 00411A7E

Part of subcall function 004136CE: malloc.MSVCRT ref: 004136D5
Part of subcall function 004136CE: strncpy.MSVCRT ref: 004136EB

lstrcatA.KERNEL32(00000000,00000000), ref: 00411AAC

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Strings

C, xrefs: 0041196E
\, xrefs: 00411982
:, xrefs: 0041197E

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heaplstrcat$AllocCurrentDirectoryInformationProcessProfileVolumeWindowslstrcpylstrlenmallocstrncpywsprintf
String ID: :$C$\
API String ID: 2389002695-3809124531
Opcode ID: 23f1d57f010f06b3a3b0b73a3a18805c0e588e37821cf8b5f81c9e51efc94560
Instruction ID: b4310f208fa9535f9906633d23b413fd942b8933ce9b069d1c57af1ba558f1c2
Opcode Fuzzy Hash: 23f1d57f010f06b3a3b0b73a3a18805c0e588e37821cf8b5f81c9e51efc94560
Instruction Fuzzy Hash: EC417E71D0024CAFDF10EBA0DD59BED7BB8AF05305F10009AF219A61A1DB799BC4CB68

Function 0041218B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 164registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

RegOpenKeyExA.KERNEL32(00000000,00000000,00020019,00000000,00425200), ref: 004121DE
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00412259
wsprintfA.USER32 ref: 0041228B
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 004122AC

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Strings

?, xrefs: 004121B9
- , xrefs: 004123D0
%s\%s, xrefs: 0041227F

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Openlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 2731306069-3278919252
Opcode ID: db84e063afdd8ab9a369cff0a91b897787bc4edace59e265c4489125e3bbefbc
Instruction ID: 317e1264205bd673c815d3a78023c7176152d2c53d3ea0851a7731e254f809d5
Opcode Fuzzy Hash: db84e063afdd8ab9a369cff0a91b897787bc4edace59e265c4489125e3bbefbc
Instruction Fuzzy Hash: 1C71F47290012CABEB64EB50DD45FD973B9BF04305F5086EAE209A20A1DF746BC9CF94

Function 0040613F Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 130networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404373
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 00404387
Part of subcall function 0040430F: ??_U@YAPAXI@Z.MSVCRT ref: 0040439B
Part of subcall function 0040430F: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
Part of subcall function 0040430F: InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004061A8
StrCmpCA.SHLWAPI(?,?,?,?,?,?,?,?), ref: 004061E6
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00406229
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?), ref: 0040624D
InternetReadFile.WININET(8cA,?,00000400,?), ref: 00406271
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?), ref: 0040629D
CloseHandle.KERNEL32(?,?,00000400,?,?,?,?,?,?,?), ref: 004062DB
InternetCloseHandle.WININET(8cA), ref: 004062E4
InternetCloseHandle.WININET(?), ref: 004062F0

Strings

8cA, xrefs: 004062E1, 0040626E

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID: 8cA
API String ID: 2507841554-2586977368
Opcode ID: 23bbd80859a5ae626456c0e29d0c535548952ba2e1dd46435b22cc47d41a132e
Instruction ID: 322e9e665ac9740ae3a6c79426317fb00e7d6d1b0345a24b3972b26df0cd3c85
Opcode Fuzzy Hash: 23bbd80859a5ae626456c0e29d0c535548952ba2e1dd46435b22cc47d41a132e
Instruction Fuzzy Hash: BC515CB190021CABDF20EF60DC45BED7779FB01305F1050AAE616BA1E1DB786A99CF58

Function 0040F99F Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 360COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040F9EF
StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040FA75
StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040FB84

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

StrCmpCA.SHLWAPI(00000000), ref: 0040FC57
StrCmpCA.SHLWAPI(00000000), ref: 0040FCDD

Strings

firefox, xrefs: 0040FDE2
Stable\, xrefs: 0040FA90, 0040FCF8

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$firefox
API String ID: 3722407311-3160656979
Opcode ID: 4574c3fe41a2655a61f88f0eef0b3d3de2eb2ac0277edcd828de38c39bfa1635
Instruction ID: 87d147e04e3a24980a39275aa9b0abb6dd5f2e96552c08bd51d602dc9e077d04
Opcode Fuzzy Hash: 4574c3fe41a2655a61f88f0eef0b3d3de2eb2ac0277edcd828de38c39bfa1635
Instruction Fuzzy Hash: 18D16772A001099BCF24FBB5DD96FDD77B9BB50304F10402AE906EB1A1EE35DA48C795

Function 00412081 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00428E48,00000000,?,00000000,00000000,?,Windows: ,00000000,?,00428FE4,00000000,?,Work Dir: In memory), ref: 0041208E
HeapAlloc.KERNEL32(00000000), ref: 00412095
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 004120B6
__aulldiv.LIBCMT ref: 004120CE
__aulldiv.LIBCMT ref: 004120DC
wsprintfA.USER32 ref: 004120FF

Strings

@, xrefs: 004120AB
%d MB, xrefs: 004120F7

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: e44640eb945edcdb330fccb508c3ea3b329ff7572ab2c3ac08101b3669067511
Instruction ID: da943534dc948d73dd967abc6d37c718adf03b454bdf056c0f5a7879574b1967
Opcode Fuzzy Hash: e44640eb945edcdb330fccb508c3ea3b329ff7572ab2c3ac08101b3669067511
Instruction Fuzzy Hash: 71015EB0E40218BFEF00AFE0DC0ABADBBB9FB05749F104409F314B9090C7B866519B58

Function 0040430F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 70stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00404373
??_U@YAPAXI@Z.MSVCRT ref: 00404387
??_U@YAPAXI@Z.MSVCRT ref: 0040439B
lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 004043B9
InternetCrackUrlA.WININET(00000000,00000000), ref: 004043C9

Strings

<, xrefs: 0040435B
<, xrefs: 0040431A

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID: <$<
API String ID: 1274457161-213342407
Opcode ID: 94d81e5e955a971915de60a229a9877af64f0f003ab4a34939c35b93bd59b886
Instruction ID: 01f5d62e614e23a6b162f059a70a9e0953d43a02f97c16b9683ed6508c4b1ff7
Opcode Fuzzy Hash: 94d81e5e955a971915de60a229a9877af64f0f003ab4a34939c35b93bd59b886
Instruction Fuzzy Hash: 48214771D00218AFDB10DFA9E881BCDBBB4BB04324F10815AE669F72A0DB345A85CF10

Function 00417F35 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 00406312: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406373
Part of subcall function 00406312: StrCmpCA.SHLWAPI(?), ref: 00406390
Part of subcall function 00406312: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004063BE
Part of subcall function 00406312: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00400100,00000000), ref: 0040640A
Part of subcall function 00406312: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00406442
Part of subcall function 00406312: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406453

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00417F96
lstrlenA.KERNEL32(00000000), ref: 00417FAD

Part of subcall function 00412FD6: LocalAlloc.KERNEL32(00000040,00000001), ref: 00412FF2

StrStrA.SHLWAPI(00000000,00000000), ref: 00417FDD
lstrlenA.KERNEL32(00000000), ref: 00417FF9
lstrlenA.KERNEL32(00000000), ref: 0041801F

Strings

ERROR, xrefs: 00417F88, 0041802A, 0041809C, 004180D6, 0041810D

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
String ID: ERROR
API String ID: 3240024479-2861137601
Opcode ID: e56dbd6892063ce075c71f30584f65b6369d35785078b77fb4a32cfd08f74c49
Instruction ID: 82a00ccf74cc6928f093117e63f16261f372f6c033bbdc91f1bb176def9d3ff2
Opcode Fuzzy Hash: e56dbd6892063ce075c71f30584f65b6369d35785078b77fb4a32cfd08f74c49
Instruction Fuzzy Hash: 24511A71910108ABCB04FFA1D956AED7774BF11309F60402EF916A61F2DF39AA89CA48

Function 004125CA Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004125F2
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?), ref: 00412612
RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,00000000,000000FF), ref: 00412639
CharToOemA.USER32(00000000,?), ref: 00412659

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 00412608
MachineGuid, xrefs: 0041262E

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CharOpenQueryValuememset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 1728412123-1211650757
Opcode ID: 195b74b0a96cc35dac2f772ac61cfb819d8275be74710b7e5bc2e41235a95a6e
Instruction ID: 19f088c07c09de6674c761c0d1b751acc79a05fefe0ca058460f00b60f9401a7
Opcode Fuzzy Hash: 195b74b0a96cc35dac2f772ac61cfb819d8275be74710b7e5bc2e41235a95a6e
Instruction Fuzzy Hash: 1B016275A4022DBBDB209B50DD4AFDA777CEB14704F5001E1B688F6091DBF46AC48F54

Function 00407CDF Relevance: 9.1, APIs: 6, Instructions: 74filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407D05
GetFileSizeEx.KERNEL32(000000FF,?), ref: 00407D29
LocalAlloc.KERNEL32(00000040,?), ref: 00407D48
ReadFile.KERNEL32(000000FF,00000000,?,0040F582,00000000), ref: 00407D6E
LocalFree.KERNEL32(00000000), ref: 00407DA0
CloseHandle.KERNEL32(000000FF), ref: 00407DA9

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: b0c26b6f574b650b3bbe433578a167a4ae74d057130e38fdececdba59a5ca05d
Instruction ID: 20c10e672a0f3402bfbef9d3d1be989891e350540804f4a5b6ad44830b3c41ef
Opcode Fuzzy Hash: b0c26b6f574b650b3bbe433578a167a4ae74d057130e38fdececdba59a5ca05d
Instruction Fuzzy Hash: 6C31F174E00209EFDF11DFA4D849BEE7BB5BF0A301F104065E911AB2A0D778AA91CF55

Function 00411ADD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411AF1
HeapAlloc.KERNEL32(00000000), ref: 00411AF8
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000), ref: 00411B29
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,?,000000FF), ref: 00411B47

Strings

Windows 11, xrefs: 00411B0A

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: Windows 11
API String ID: 3676486918-2517555085
Opcode ID: 346f3f4664875a4ea084d75b8818ec132410f9d5b334d0546c756ba2ab9ffa29
Instruction ID: 3f27d459ef3b4295677ace20887899c1ffae7c715c4ca525cf07eb428eb26eef
Opcode Fuzzy Hash: 346f3f4664875a4ea084d75b8818ec132410f9d5b334d0546c756ba2ab9ffa29
Instruction Fuzzy Hash: 84013C34A44208FBEB10ABE0EC0AB9D7B7AFB06744F1050A5F701AA1A1E7749A94DB14

Function 00411B5B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00411B6F
HeapAlloc.KERNEL32(00000000), ref: 00411B76
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00411B06), ref: 00411B95
RegQueryValueExA.KERNEL32(00411B06,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00411BB2

Strings

CurrentBuildNumber, xrefs: 00411BAA

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3676486918-1022791448
Opcode ID: 6763c454cfa2fbe29bba7aff6e2c919a48f957ef8388f20bd06a009583ecdfc3
Instruction ID: 29d7a5e80dbd030fd5711505aedc04f660bf528dc6b38352957baa02463c1007
Opcode Fuzzy Hash: 6763c454cfa2fbe29bba7aff6e2c919a48f957ef8388f20bd06a009583ecdfc3
Instruction Fuzzy Hash: 42F04F75A40209FFEB00AFE0EC0AFEDBBB9FB05704F101095F200A90A1D7B05690DB54

Function 0041FD2C Relevance: 7.6, APIs: 5, Instructions: 146COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001), ref: 0041FD9F

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 28e4449246bdff4538dfa03a6f885fd424cd5e53fb953e1d424f3e4a8a48cfb0
Instruction ID: 5f3c8af357893ed153ccb181933e0c92fd25f58187f5847643f7a6c701f82d74
Opcode Fuzzy Hash: 28e4449246bdff4538dfa03a6f885fd424cd5e53fb953e1d424f3e4a8a48cfb0
Instruction Fuzzy Hash: D561CE70A00209DFDB10CF54D948BAEB7F1BB04725F258166E515AB391C3B4DE86CB6A

Function 00407F8E Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 00407CDF: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00407D05
Part of subcall function 00407CDF: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00407D29
Part of subcall function 00407CDF: LocalAlloc.KERNEL32(00000040,?), ref: 00407D48
Part of subcall function 00407CDF: ReadFile.KERNEL32(000000FF,00000000,?,0040F582,00000000), ref: 00407D6E
Part of subcall function 00407CDF: LocalFree.KERNEL32(00000000), ref: 00407DA0
Part of subcall function 00407CDF: CloseHandle.KERNEL32(000000FF), ref: 00407DA9

Part of subcall function 00412FD6: LocalAlloc.KERNEL32(00000040,00000001), ref: 00412FF2

StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00407FDF

Part of subcall function 00407DC2: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00406095,00000000,00000000), ref: 00407DE6
Part of subcall function 00407DC2: LocalAlloc.KERNEL32(00000040,00406095,?,?,00406095,00000000,?), ref: 00407DF7
Part of subcall function 00407DC2: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00406095,00000000,00000000), ref: 00407E1D
Part of subcall function 00407DC2: LocalFree.KERNEL32(00000000,?,?,00406095,00000000,?), ref: 00407E31

memcmp.MSVCRT ref: 00408034

Part of subcall function 00407E41: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00407E65
Part of subcall function 00407E41: LocalAlloc.KERNEL32(00000040,00000000), ref: 00407E83
Part of subcall function 00407E41: LocalFree.KERNEL32(?), ref: 00407EAB

Strings

DPAPI, xrefs: 0040802C
, xrefs: 00408062
"encrypted_key":", xrefs: 00407FD7

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmp
String ID: $"encrypted_key":"$DPAPI
API String ID: 1204593910-738592651
Opcode ID: cb5a7b3697549c6f230e63b8f069386ffd445f3a9418a1f9903da71664ec03a3
Instruction ID: 8d589a117900b415cc4759a7c5c28772ff61d9ce457947e60a2fc3858aeb04fe
Opcode Fuzzy Hash: cb5a7b3697549c6f230e63b8f069386ffd445f3a9418a1f9903da71664ec03a3
Instruction Fuzzy Hash: 74310E71D0010DABDF11DBA5DD45BEEBBB8AF04304F14012AE840B2291EB799A58DB99

Function 004126A3 Relevance: 7.6, APIs: 5, Instructions: 84commemoryCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0042AC28,00000000,00000001,004292EC,00000000,?,?,?,?,004128EF), ref: 004126EA
SysAllocString.OLEAUT32(?), ref: 00412700
_wtoi64.MSVCRT ref: 0041274D
SysFreeString.OLEAUT32(?), ref: 00412771
SysFreeString.OLEAUT32(00000000), ref: 0041277A

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateInstance_wtoi64
String ID:
API String ID: 1817501562-0
Opcode ID: f48b06c7123509e446c0da83949f76becdf3deb21f21affda6d357694f029a8c
Instruction ID: 58adf380e0662d1b76d21edb75c8d821cdd3313fccb4f2387b68fcf25dfbec8a
Opcode Fuzzy Hash: f48b06c7123509e446c0da83949f76becdf3deb21f21affda6d357694f029a8c
Instruction Fuzzy Hash: 2E310575E04219EFCB05DFA9D849BEEBBB4FB08315F00416AE911E32A0C7795951CFA4

Function 0040F9BD Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040F9EF
StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040FA75
StrCmpCA.SHLWAPI(00000000,?,?), ref: 0040FB84

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

StrCmpCA.SHLWAPI(00000000), ref: 0040FC57
StrCmpCA.SHLWAPI(00000000), ref: 0040FCDD

Strings

Stable\, xrefs: 0040FA90

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\
API String ID: 3722407311-272486606
Opcode ID: b1a1266439bdf2a0e8ec9dc9193cdc2636f5054d60504534493cfb04d58e2737
Instruction ID: 7cd2c182165b9fee31fd49b72ff1b8ad9c7a36b01791bf89c52de0b726780448
Opcode Fuzzy Hash: b1a1266439bdf2a0e8ec9dc9193cdc2636f5054d60504534493cfb04d58e2737
Instruction Fuzzy Hash: CD511271A00109ABCF14FBB5DD96BDD77B9BB60304F10402AE906EB1A1EE35DB49CB85

Function 1FC5FD40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,?), ref: 1FC5FE03

Strings

winRead, xrefs: 1FC5FE3D
delayed %dms for lock/sharing conflict at line %d, xrefs: 1FC5FE78

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID: FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2738559852-1843600136
Opcode ID: ee82b5eccdcd1d03fc98e4ef6335a402bfda51c90b5ba10eab2b1662226fa1fe
Instruction ID: 07fda47375d9a9d13fd0634b15fcd11b250b2f368ef844f3c432058dbd0a5619
Opcode Fuzzy Hash: ee82b5eccdcd1d03fc98e4ef6335a402bfda51c90b5ba10eab2b1662226fa1fe
Instruction Fuzzy Hash: A9410472B043066BC308DE64CD819ABB7A8FFC4210F84092DF944C7661E771F919DBA6

Function 00408203 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF), ref: 00408220
LoadLibraryA.KERNEL32 ref: 004082A8

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Part of subcall function 00411715: lstrlenA.KERNEL32(?,?,?,00419018,00425200,00425200,?,?,?,0041ABB6), ref: 0041171F
Part of subcall function 00411715: lstrcpyA.KERNEL32(0041ABB6,00000000,?,00419018,00425200,00425200), ref: 0041176D

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,00428E34,?,?,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,00425200), ref: 00408294

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 00408215, 00408229, 0040823F

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-4027016359
Opcode ID: 33191907c34fe30b91932b9d02352948c94fa74ece7802ec8efd6249ff31ed7f
Instruction ID: 84292c169819be5b53b0aa043c90a357ac7ef937680942749e622d56a9f64c6e
Opcode Fuzzy Hash: 33191907c34fe30b91932b9d02352948c94fa74ece7802ec8efd6249ff31ed7f
Instruction Fuzzy Hash: 91413931905245DFEB05EBA1FD66AE937B6FB04305F20612EE901A12F1DF395988CF98

Function 00412213 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00412259
wsprintfA.USER32 ref: 0041228B
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 004122AC
RegQueryValueExA.KERNEL32(00000000,00000000,000F003F,?,00000400), ref: 0041231A
lstrlenA.KERNEL32(?), ref: 0041232F
RegQueryValueExA.KERNEL32(00000000,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00428E48), ref: 004123C6

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Strings

%s\%s, xrefs: 0041227F

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3471882850-4073750446
Opcode ID: c05b9aeffa2524c3aa9bcda23acaed7832a6b4e564aa8b15d5e8c89861718145
Instruction ID: d7cee1983acf12d4360d724bf4cc3a4c29cf8c0d886bd7a19f0679c37ebee969
Opcode Fuzzy Hash: c05b9aeffa2524c3aa9bcda23acaed7832a6b4e564aa8b15d5e8c89861718145
Instruction Fuzzy Hash: 1721F27590012CAFEB609B50DD45BD9B7B9FF08304F4094E5E649A60A0CF749AD98F94

Function 004073D6 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(;q@,;q@,00003000,00000040), ref: 00407474
VirtualAlloc.KERNEL32(00000000,;q@,00003000,00000040), ref: 004074BF

Strings

;q@, xrefs: 004073DC
;q@, xrefs: 00407466, 00407470, 004074B9, 004074D7, 0040742C, 00407469, 00407473, 004074BC

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: ;q@$;q@
API String ID: 4275171209-3893597124
Opcode ID: ce50d067a10a9d200ba21eaef60b552f8d4fc485bf38c75f1e0756368e75d6fe
Instruction ID: d3bad8f71399132065eca503ffa06903ce5ef1b7e5e995e1b9bcc650a41b767e
Opcode Fuzzy Hash: ce50d067a10a9d200ba21eaef60b552f8d4fc485bf38c75f1e0756368e75d6fe
Instruction Fuzzy Hash: D941B535A04209EFCB50CF98C485FADBBF0EB08364F1484A5E959EB391D734EA81CB45

Function 00418DB9 Relevance: 6.1, APIs: 4, Instructions: 85synchronizationthreadCOMMON

Download Yara Rule

APIs

_MSFOpenExW.MSPDB140-MSVCRT ref: 00418E6C
CreateThread.KERNEL32(00000000,00000000,00418C65,?,00000000,00000000), ref: 00418E85
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00418E96

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectOpenSingleThreadWait
String ID:
API String ID: 4234577939-0
Opcode ID: f43b621d675ccc337efc39be0cc282dc91ce5b12264d272aea3fd1cbd3d3afdf
Instruction ID: 4c5e3d0133d6e9f2eae60e2625ec9d3b543f1cf41f80d31bea27500df29b833e
Opcode Fuzzy Hash: f43b621d675ccc337efc39be0cc282dc91ce5b12264d272aea3fd1cbd3d3afdf
Instruction Fuzzy Hash: 4F315C75900208AFDB10EF61DC45BED3BB5BF15305F54412AF9159A1A1EF349A86CF88

Function 00411EB5 Relevance: 6.0, APIs: 4, Instructions: 32memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00411EC9
HeapAlloc.KERNEL32(00000000), ref: 00411ED0
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,00000000), ref: 00411EEF
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,000000FF,000000FF), ref: 00411F0D

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: dd008c8d00355dc8994383d20b0c3b1a5372c3a3245a183f1dace59f39d50ce9
Instruction ID: 2ba135963ef3e1c949db86b07d2e2a79437377d0b90cfecc595d9e25d7200812
Opcode Fuzzy Hash: dd008c8d00355dc8994383d20b0c3b1a5372c3a3245a183f1dace59f39d50ce9
Instruction Fuzzy Hash: C2F03A79A40208FFEB10AFE0EC0AF9DBBBAFB06745F105064F701A91A0D77156949F40

Function 00411CBF Relevance: 6.0, APIs: 4, Instructions: 31memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00428E48,00000000,?,00000000,00000000,?,Computer Name: ,00000000,?,00428E48,00000000,?,00000000,00000000), ref: 00411CCF
HeapAlloc.KERNEL32(00000000), ref: 00411CD6
GetTimeZoneInformation.KERNEL32(?), ref: 00411CE9
wsprintfA.USER32 ref: 00411D20

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 203e413fed742de3b00b513deca226d0cff61aa8e2789412112a4631cc96891a
Instruction ID: daf70193e9c0513ecb3072794c83a438d37f7fdfa3376bc861271b49892c1553
Opcode Fuzzy Hash: 203e413fed742de3b00b513deca226d0cff61aa8e2789412112a4631cc96891a
Instruction Fuzzy Hash: 2BF0BE70A003289FDB20AB24FC0AB9977BBBB02345F1001D5F209AA2E0D7749EC0CF02

Function 004070D4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

ez@, xrefs: 004072B1

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ez@
API String ID: 0-307298357
Opcode ID: 3bbf64017ccec70b43ef0a4a85a6baf18d8732ef2f27285e686f093308f930eb
Instruction ID: a860d7bb49b00275ae4f9f6a4a51eaec01057512aeaaa0d5d6857e8719e4b74b
Opcode Fuzzy Hash: 3bbf64017ccec70b43ef0a4a85a6baf18d8732ef2f27285e686f093308f930eb
Instruction Fuzzy Hash: FA61D270C08209EFCF14DF94D948BEEB7B0AB04315F2044AAE405B7291D779AE94DF6A

Function 00418C65 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000), ref: 00418C99
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00418D4B

Strings

ERROR, xrefs: 00418D3D

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: ERROR
API String ID: 1659193697-2861137601
Opcode ID: 63e6eed9abdabe16e44a68f7f9864da067214aca1ca454f7c695c55e2f80d023
Instruction ID: 4cb9426ee5e73f282c12afd8d592c338adc4812851f741afb7acd22160182d69
Opcode Fuzzy Hash: 63e6eed9abdabe16e44a68f7f9864da067214aca1ca454f7c695c55e2f80d023
Instruction Fuzzy Hash: 6B3184B1E10204ABCF00EBA5DD46AEE7778FB15318F10051AF502E73A1DB389940CBA9

Function 00418E9E Relevance: 4.5, APIs: 3, Instructions: 45sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

_MSFOpenExW.MSPDB140-MSVCRT ref: 00418E6C
CreateThread.KERNEL32(00000000,00000000,00418C65,?,00000000,00000000), ref: 00418E85
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00418E96
Sleep.KERNEL32(000003E8,?,00000000,?,?), ref: 00418EA5

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectOpenSingleSleepThreadWait
String ID:
API String ID: 1990444757-0
Opcode ID: db982492dfe86fd64df0525366e688e2b4b5a29edeeaa01de3fa1648289cf0de
Instruction ID: 5657c23587d86dbe871ff5d5566c82c5f00d4f8eb17df63da99cc315ca23b86c
Opcode Fuzzy Hash: db982492dfe86fd64df0525366e688e2b4b5a29edeeaa01de3fa1648289cf0de
Instruction Fuzzy Hash: 52011774640204EBDB21EF21DC46BEC3B65BB11709F54412AF9169A1B1DB399A82CF89

Function 00413563 Relevance: 4.5, APIs: 3, Instructions: 25COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,004154AA), ref: 00413576
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00413596
CloseHandle.KERNEL32(00000000), ref: 0041359F

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 424327ca4c3cbaa72694fe0256f2ae6f23efaf6e2f470c7a486978a51854163c
Instruction ID: 648301d2c24216510959a40647cebe15a857575c5a4660e0673f59272e1cdbeb
Opcode Fuzzy Hash: 424327ca4c3cbaa72694fe0256f2ae6f23efaf6e2f470c7a486978a51854163c
Instruction Fuzzy Hash: 68F0F27890120CFFDB11EFA0DC0AFDC7BB9AB09709F1444A5B615AA1A0D7B1ABD4DB44

Function 0040D1C6 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

StrCmpCA.SHLWAPI(00000000,Opera GX,00425200,00425200,?,?), ref: 0040D201

Part of subcall function 00412F92: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00412FBC

Part of subcall function 004117E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 0041182C
Part of subcall function 004117E0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041183A

Part of subcall function 0041177A: lstrcpyA.KERNEL32(00000000,?,?,?,0041A98C,00000000,?,?,00428E5C,?,00000000), ref: 004117D3

Part of subcall function 0041185B: lstrlenA.KERNEL32(00428E5C,?,00428E5C,?,00000000), ref: 0041186F
Part of subcall function 0041185B: lstrcpyA.KERNEL32(00000000,?), ref: 004118A8
Part of subcall function 0041185B: lstrcatA.KERNEL32(00000000,00000000), ref: 004118B4

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 00412F4C: GetFileAttributesA.KERNEL32(00000000,?,0040E526,?,00425200,?,?), ref: 00412F5B

Part of subcall function 00407F8E: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00407FDF
Part of subcall function 00407F8E: memcmp.MSVCRT ref: 00408034

Strings

Opera GX, xrefs: 0040D1F3

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AttributesFileFolderPathlstrlenmemcmp
String ID: Opera GX
API String ID: 1439182418-3280151751
Opcode ID: 0fb77b7b81ea3809c0307192b11be850f65fcb2790e200c338288ed7b6fd4c59
Instruction ID: fb3989cb2523bfc062273a9d11041c6471dda5227b0977fe00502919fff50608
Opcode Fuzzy Hash: 0fb77b7b81ea3809c0307192b11be850f65fcb2790e200c338288ed7b6fd4c59
Instruction Fuzzy Hash: 4BD113729001089ADF14FBF1DD56EEE737CAF14305F50412BF616A21E1EE39AB88CA59

Function 00407902 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00EBE9FC,458B0874,00000002,00000002), ref: 004079D0

Strings

@, xrefs: 004079AC

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: 287ad8346a7fe6e5c9c93bd88e2f49757a3d10b5b68bd008e028ca123d1bf971
Instruction ID: 108c03afaf6488205a77675aa431fcd5872e35c29fe2ccaab908e516a6f44892
Opcode Fuzzy Hash: 287ad8346a7fe6e5c9c93bd88e2f49757a3d10b5b68bd008e028ca123d1bf971
Instruction Fuzzy Hash: 2D31CBB5D08209EFEB10CF98C545BADBBF1FB04304F1485A6D455AB391D378AA81DF46

Function 00417E48 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 004116B4: lstrcpyA.KERNEL32(?,?,?,?,004118C6,00000000), ref: 004116F4

Part of subcall function 00406312: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00406373
Part of subcall function 00406312: StrCmpCA.SHLWAPI(?), ref: 00406390
Part of subcall function 00406312: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 004063BE
Part of subcall function 00406312: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00400100,00000000), ref: 0040640A
Part of subcall function 00406312: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00406442
Part of subcall function 00406312: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00406453

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00417E8B

Strings

ERROR, xrefs: 00417E7D, 00417EDB

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
String ID: ERROR
API String ID: 3287882509-2861137601
Opcode ID: bb33d87117d8667f9c5c7158566ed321b33361f7c494144e9eddfb2cb9a39704
Instruction ID: b6725acd924a18acdeaf76a85a33531c260c99ef83c6fe063ac976ef0ea738d9
Opcode Fuzzy Hash: bb33d87117d8667f9c5c7158566ed321b33361f7c494144e9eddfb2cb9a39704
Instruction Fuzzy Hash: 4B11D0319101089BCB14FFA2E8569DD7378AF50309F50412EF916971F2EF39AB48C788

Function 00412F4C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0040E526,?,00425200,?,?), ref: 00412F5B

Strings

&@, xrefs: 00412F52

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: &@
API String ID: 3188754299-4010431647
Opcode ID: c554d616c374e849fdf741f0e5d4d7b9930fb9937f03e0365571ee75c380a818
Instruction ID: 5a9ed636e313f6a7dd176774e2c6308ea72efcd30315a16af32adb4bfda7ee87
Opcode Fuzzy Hash: c554d616c374e849fdf741f0e5d4d7b9930fb9937f03e0365571ee75c380a818
Instruction Fuzzy Hash: 4CF0C074C1020CEBCB00DFA5D5456DDB774AB11359F108156E522E72A0E7789B96DF44

Function 00412667 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(?), ref: 00412674

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Strings

Unknown, xrefs: 00412691

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentProfilelstrcpy
String ID: Unknown
API String ID: 2831436455-1654365787
Opcode ID: 6f65f47d843f5c38b1e0a66190c485fb9fc1308ec2868120a4b7116f04a99c60
Instruction ID: 79ae12f52d30196ee2c5170817a78a3de43ea3cd72a751e4cea9930dc4e20eb0
Opcode Fuzzy Hash: 6f65f47d843f5c38b1e0a66190c485fb9fc1308ec2868120a4b7116f04a99c60
Instruction Fuzzy Hash: 0CE04F30600108EFCF10EF65D881EDD37ACBB04788F50402AF905D7190DB74E995CB98

Function 1FC804D1 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

failed to allocate %u bytes of memory, xrefs: 1FC804E7

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: failed to allocate %u bytes of memory
API String ID: 0-1168259600
Opcode ID: c9d068098f7ee5d9974a77dd0dafe5942655208f6e21150a814f6a09a35a7885
Instruction ID: cc936eb8ec9fb9f9cd727eacc2cc5ed6481df1596f5f80b3aa39a1379eece508
Opcode Fuzzy Hash: c9d068098f7ee5d9974a77dd0dafe5942655208f6e21150a814f6a09a35a7885
Instruction Fuzzy Hash: A8C01226FC832263C6121590EC01ECA7A415BD05A1F054134FD5C5A230D955A85567C6

Function 00412F92 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00412FBC

Part of subcall function 00411668: lstrcpyA.KERNEL32(00425200,00000000,?), ref: 004116A7

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 47392e84d6d6294a81bee49d13ce944e3ea666f2a03f2c076f629e9461e68349
Instruction ID: aa325d3f94b7a9653be548765aa3873853a6de89a1716966dfff1a03a5bef2b1
Opcode Fuzzy Hash: 47392e84d6d6294a81bee49d13ce944e3ea666f2a03f2c076f629e9461e68349
Instruction Fuzzy Hash: 7DE04F3094034DBBDB51EF50CC92FCD376C9B04B05F404191B60CAA0D0DA70EB858B54

Function 00412FD6 Relevance: 1.3, APIs: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000001), ref: 00412FF2

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 23ddd831960a07a4baf59c42516714ef093421010defdf0cacab57d0b5a2c2c6
Instruction ID: d6433807a1b8db94d6cb6db165d9c0c75de4d80c94e6a7adbc32009b6d90f099
Opcode Fuzzy Hash: 23ddd831960a07a4baf59c42516714ef093421010defdf0cacab57d0b5a2c2c6
Instruction Fuzzy Hash: 2F019274900208FFDB05CF98C585BED7FF4EB0931AF248089E505AB294C279AF84DB15

Function 00412B6B Relevance: 1.3, APIs: 1, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00412B72

Memory Dump Source

Source File: 00000001.00000002.3366822659.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.3366822659.0000000000439000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000445000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A6000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004A9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004B1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004D1000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004DD000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000004E0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000502000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000050E000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.000000000052D000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000539000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.00000000005C8000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000641000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3366822659.0000000000643000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: e9ef69333db613a216edd2c8bf2b23955e04f01125ce089b17a326d4bede4d29
Instruction ID: 52e30e3b9de2c83f9cf9caa13978d237713c2858ae44fde087075dd4632ce1ce
Opcode Fuzzy Hash: e9ef69333db613a216edd2c8bf2b23955e04f01125ce089b17a326d4bede4d29
Instruction Fuzzy Hash: ABC04C70A1411DBB8B04EB59E94284DBBE89A04298B504069F40896151D671AE419658

Non-executed Functions

Function 1FD7D9E0 Relevance: 23.3, APIs: 8, Strings: 5, Instructions: 564COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FD7DACC, 1FD7DE2F
%s at line %d of [%.10s], xrefs: 1FD7DADB, 1FD7DE3E
misuse, xrefs: 1FD7DAD6, 1FD7DE39
API called with NULL prepared statement, xrefs: 1FD7DA9B, 1FD7DDFE
API called with finalized prepared statement, xrefs: 1FD7DAB0, 1FD7DE13

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 3f9ef4f87d4446f43aca0d0ab9be1a4ea6fca40e9ae67156cf3ead7158a78f44
Instruction ID: f81fbee6a0ae378ae06ca86f00f7bf0c934a48b0003bf73ba345a8d10eb2e967
Opcode Fuzzy Hash: 3f9ef4f87d4446f43aca0d0ab9be1a4ea6fca40e9ae67156cf3ead7158a78f44
Instruction Fuzzy Hash: 6512D4B69047419BE7608F34CC54B67B6E4BF4531CF04072CE9999F282EB76F4198BA2

Function 1FC7B400 Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 367COMMON

Download Yara Rule

Strings

SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s, xrefs: 1FC7B696
SELECT %s ORDER BY rowid %s, xrefs: 1FC7B665
DESC, xrefs: 1FC7B656, 1FC7B65E, 1FC7B67D, 1FC7B685
ASC, xrefs: 1FC7B651, 1FC7B678

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: ASC$DESC$SELECT %s ORDER BY rowid %s$SELECT %s WHERE rowid BETWEEN %lld AND %lld ORDER BY rowid %s
API String ID: 0-3496276579
Opcode ID: 44cbec97ce709bad11ce890eda43cf198d9fb32b91aaa4d63a4e8b63e5493384
Instruction ID: fd6287dc3b5b35a999bd6cbbae142bcdc496d82cfcb3bc36a8a00bde740472a3
Opcode Fuzzy Hash: 44cbec97ce709bad11ce890eda43cf198d9fb32b91aaa4d63a4e8b63e5493384
Instruction Fuzzy Hash: 40C166769007458FC7118F25C8417A7B7E0FF84310F080A2EEA8A8A655EF36F549EBA1

Function 1FCCDB10 Relevance: 18.3, APIs: 12, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078567f79af2949c7bce4a714284c2a89ea77bd887808b63c7c4672c0d9546ac
Instruction ID: 6cc30918fcdb98093f4b1ebb4cee470e031f29d108ffe80778ea655c7782ea4a
Opcode Fuzzy Hash: 078567f79af2949c7bce4a714284c2a89ea77bd887808b63c7c4672c0d9546ac
Instruction Fuzzy Hash: 4E81E276A04301ABD714DF68CC90B6BB3E9EF84314F04082CF9959B251EB76F94697A2

Function 1FCCDFC0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

%lld %lld, xrefs: 1FCCE055

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %lld %lld
API String ID: 0-3794783949
Opcode ID: cf3b399df216ac808f918b5f6173bc623130c854d93d600334cdfab902d77f64
Instruction ID: c96b491e89d5bcd3463c4775c5b8becb5ea85cc5f43b8c20bed9e3b5e57e78da
Opcode Fuzzy Hash: cf3b399df216ac808f918b5f6173bc623130c854d93d600334cdfab902d77f64
Instruction Fuzzy Hash: FC3106B67003007FE6115B688C45F6B77AADFC1710F11441CF681972A2EB72E811ABA6

Function 1FD714D0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 360COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FD715A2
%s at line %d of [%.10s], xrefs: 1FD715B1
misuse, xrefs: 1FD715AC
API called with NULL prepared statement, xrefs: 1FD71571
API called with finalized prepared statement, xrefs: 1FD71586

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: 384e2999b2f153858e2effce777961c6b31e7b32f2b9a601b60935dc09107a8c
Instruction ID: 8de9bba9125e805100f675c05c561539016399ad6727a41726734eecf1a42a8c
Opcode Fuzzy Hash: 384e2999b2f153858e2effce777961c6b31e7b32f2b9a601b60935dc09107a8c
Instruction Fuzzy Hash: 2DC1C5B59007419BE7608F34C84576777E6BF4131CF04072DE89A9F282EB76F44987A2

Function 1FD7D4F0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 310COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FD7D5DD
%s at line %d of [%.10s], xrefs: 1FD7D5EC
misuse, xrefs: 1FD7D5E7
API called with NULL prepared statement, xrefs: 1FD7D5AC
API called with finalized prepared statement, xrefs: 1FD7D5C1

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: ce5534108e73824ab76613df33c4dbf52a8043bb5b2fe2441de66733fe856b9c
Instruction ID: 832438a443f3c7b2f0af1e2c2b64b93f45541c6a0587372237260e980fc18b46
Opcode Fuzzy Hash: ce5534108e73824ab76613df33c4dbf52a8043bb5b2fe2441de66733fe856b9c
Instruction Fuzzy Hash: 82B19DB69007419FE7518F24D894B67B7E4BB45318F044A2CE89A8F241EB76F449CBA2

Function 1FD05940 Relevance: 12.4, APIs: 8, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e60aae8eb6154ba49a36719d725283ae84224f17f6467aa2df405f40ab5e49
Instruction ID: 2aa72e2f0eb6f2983aa8443c94c3bf68893404204dab2d644994d212c2f171af
Opcode Fuzzy Hash: 89e60aae8eb6154ba49a36719d725283ae84224f17f6467aa2df405f40ab5e49
Instruction Fuzzy Hash: 96C13976E583419FE740AA28CC817FF7791EFD1310FD8066EE88587292F225B549C792

Function 1FC87810 Relevance: 10.9, APIs: 7, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4347e41fe6709e6e6ffc372ecb9b640dd104ba6108e72c78dde41931eb8732
Instruction ID: d06bbc0a2ef6cf4fc5658371e8a85e16ad1c27b886a626800c037c3ed695a619
Opcode Fuzzy Hash: ba4347e41fe6709e6e6ffc372ecb9b640dd104ba6108e72c78dde41931eb8732
Instruction Fuzzy Hash: 90E116729047429FC701DF35C880A6BB7E4BF86358F044A5EF845AB251F735E864DBA2

Function 1FD2D610 Relevance: 10.6, APIs: 7, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd5a444f62547b55e1c478906cffc6cc5e8d8fd97acf4dcf33dab7dbce9423b
Instruction ID: 2a53d681cea5518bc81f3cfec3681e48a81af73a5980d29b2366bcccac84a817
Opcode Fuzzy Hash: 8fd5a444f62547b55e1c478906cffc6cc5e8d8fd97acf4dcf33dab7dbce9423b
Instruction Fuzzy Hash: F141E4B5600706AFD700AF24CC80A6BB7E5FF45315F40062CF8588A260EB72F919CBE5

Function 1FC65C70 Relevance: 9.1, APIs: 6, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction ID: b80a7ecc0bf1bfa20604cd56c56e3f375a267241b2f34baf7bfcf034f3c72610
Opcode Fuzzy Hash: 43830c2c14d87b3ae716c7a1980d3d4f048575f12cac28b556fe9d979f0dcba0
Instruction Fuzzy Hash: C541E4B63083019FDB14DF14C884EA6B7E5FF98320F204969E9418B791E772F854EB60

Function 1FCD1FE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?), xrefs: 1FCD2001

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: REPLACE INTO '%q'.'%q_data'(id, block) VALUES(?,?)
API String ID: 0-914542581
Opcode ID: 5e62ef00a51a1957d84feade1c15eb3ce65ea1aad7045430f379a16199032ecb
Instruction ID: 502b619609c558b225d2e360cb6f7f07fb3056c0d15a30049945f8e61fc374fa
Opcode Fuzzy Hash: 5e62ef00a51a1957d84feade1c15eb3ce65ea1aad7045430f379a16199032ecb
Instruction Fuzzy Hash: 4621CEB6500305AFDB10AF68DC84FAA77AAFF04324F044418F6449B162E762F864EBA5

Function 1FC81C50 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 471COMMON

Download Yara Rule

Strings

RtreeMatchArg, xrefs: 1FC81F83

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: RtreeMatchArg
API String ID: 0-1459067757
Opcode ID: a85ab162abcf7360a2f04fbb8eb39c42d6c5bdbe758752552deb36fd3ea4c0c6
Instruction ID: 780ac4a51eb5cc75cf47478c8cbc9dfa45740207ce705b69872d2cc555187b86
Opcode Fuzzy Hash: a85ab162abcf7360a2f04fbb8eb39c42d6c5bdbe758752552deb36fd3ea4c0c6
Instruction Fuzzy Hash: 1D02EFB5A047428FC710CF24C884A9BBBF2BF89318F14461DF9859B251E735F994DBA2

Function 1FD337E0 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163b20eed04c21f543b465dbf508e26d1b36e382aec2e71a79acdea727c2a907
Instruction ID: 2a3fab871b5e9f89abee02f96bfd6084269225f25ec4209301797b0630210e41
Opcode Fuzzy Hash: 163b20eed04c21f543b465dbf508e26d1b36e382aec2e71a79acdea727c2a907
Instruction Fuzzy Hash: 55E0B67A104780ABCB225F51DC49E8BBFA6AF88314F050C1CF58565471CBB3B8A9BB45

Function 1FD13770 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ccdf9b743d75f8252b2851f4553c50142fb9d6052622b86404dbf4ff0d5e94
Instruction ID: 863af34ae36626ed59478e3165f6677f5874db92d8cbf04c4f28921a6ec0ea25
Opcode Fuzzy Hash: f4ccdf9b743d75f8252b2851f4553c50142fb9d6052622b86404dbf4ff0d5e94
Instruction Fuzzy Hash: 7FE0B67A104700ABCA225F50DE4AE8BBFA6BF88710F050C1CF5C525671CB73B868BB45

Function 1FCF5910 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?), xrefs: 1FCF597E

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: INSERT INTO '%q'.'%q_idx'(segid,term,pgno) VALUES(?,?,?)
API String ID: 0-143322027
Opcode ID: f77438eab57716de0447c85dde8caab78c8feadf1447ccec586b7d53b29d3b55
Instruction ID: 11c86e20d45588cd5a61e0ed9c2674c3aafcb49b1c6cdc07daa07b865110342c
Opcode Fuzzy Hash: f77438eab57716de0447c85dde8caab78c8feadf1447ccec586b7d53b29d3b55
Instruction Fuzzy Hash: 2A115CB6500206BFD7109F54CC84F96FBADFF45314F004554FA085B252CBB2B5A9CBA0

Function 1FD0D3B0 Relevance: 4.6, APIs: 3, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5343cc64292bdf1c36b1a2a2739a32fd695f0973e406a150f03f26d0f6ed9dd2
Instruction ID: 2555f3d48e7a19b258bfd6f929348493dc35f16704bb6a1914ae61f62a50e3ac
Opcode Fuzzy Hash: 5343cc64292bdf1c36b1a2a2739a32fd695f0973e406a150f03f26d0f6ed9dd2
Instruction Fuzzy Hash: 4F314CB4600301AFEB44EF69DC84A6AB3E9FF48214F048529F949C7251EB71F921CAA1

Function 1FCF55B0 Relevance: 4.6, APIs: 3, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07db288ff6a0437546216470d8691138bdab0c61dd15d2fa4b20eca8cfba00e0
Instruction ID: 12e65173034c363127f4f2ecfbbc915190efaed4fc1a6d47103b5417387fa1ad
Opcode Fuzzy Hash: 07db288ff6a0437546216470d8691138bdab0c61dd15d2fa4b20eca8cfba00e0
Instruction Fuzzy Hash: 60319EB6600301AFEB949F25DC84B6AB7E9EF94314F104828F9468B291E772F854DB61

Function 1FD35660 Relevance: 53.0, APIs: 26, Strings: 4, Instructions: 452COMMON

Download Yara Rule

Strings

CREATE TABLE x(%.*s INT, xrefs: 1FD357CA
_node, xrefs: 1FD3579E
,%.*s, xrefs: 1FD35804, 1FD35835
Auxiliary rtree columns must be last, xrefs: 1FD356B3, 1FD358B3

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: ,%.*s$Auxiliary rtree columns must be last$CREATE TABLE x(%.*s INT$_node
API String ID: 0-209218429
Opcode ID: 9801714492fcc67b5a6da6442e77fb54240f1ae39ef55bc3d254dc6b490cbdd3
Instruction ID: d96c75170513f2ca9c702c1e4b43f6025bdfa827f114879618b9528e3b5c5988
Opcode Fuzzy Hash: 9801714492fcc67b5a6da6442e77fb54240f1ae39ef55bc3d254dc6b490cbdd3
Instruction Fuzzy Hash: 6FF1F6B4A003029FC7109F25CC84B6AB7E5BF85315F840529E98A87211EB37F959DBB6

Function 1FC6D820 Relevance: 35.2, APIs: 8, Strings: 12, Instructions: 223COMMON

Download Yara Rule

Strings

matchinfo, xrefs: 1FC6D970, 1FC6D98A
porter, xrefs: 1FC6D8EE
fts4aux, xrefs: 1FC6D840
fts3tokenize, xrefs: 1FC6DA27
offsets, xrefs: 1FC6D956
optimize, xrefs: 1FC6D9A4
unicode61, xrefs: 1FC6D90B
snippet, xrefs: 1FC6D93C
simple, xrefs: 1FC6D8A9
fts3, xrefs: 1FC6D9CA
fts4, xrefs: 1FC6D9F0
fts3_tokenizer, xrefs: 1FC6D921

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: fts3$fts3_tokenizer$fts3tokenize$fts4$fts4aux$matchinfo$offsets$optimize$porter$simple$snippet$unicode61
API String ID: 0-449611708
Opcode ID: 1dfbe89080e95e922182b47afe470aeefa02a722f8529ca46519c24dd8c838f4
Instruction ID: ac6560ca0cb9e7cc220d9158c0e627b2e84ce2ba8d0b13bbecc5208e1c41cf5c
Opcode Fuzzy Hash: 1dfbe89080e95e922182b47afe470aeefa02a722f8529ca46519c24dd8c838f4
Instruction Fuzzy Hash: 60514B75B0C31167D7106A656CD4F9B76A46F01738F040135FE08A5343EB6EF699A3E2

Function 1FDE7FB0 Relevance: 33.6, APIs: 14, Strings: 5, Instructions: 342COMMON

Download Yara Rule

Strings

winGetTempname1, xrefs: 1FDE817B
winGetTempname5, xrefs: 1FDE8233
winGetTempname4, xrefs: 1FDE8355
winGetTempname2, xrefs: 1FDE8094
etilqs_, xrefs: 1FDE824C

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 0-2933911573
Opcode ID: ff3936276d283d7162f5b7604672d9778c297779de25635c0ce8d3c2440b1950
Instruction ID: 0103156497ec72f3030acab42343321105f95fd37b0149e047c50d76bbea523e
Opcode Fuzzy Hash: ff3936276d283d7162f5b7604672d9778c297779de25635c0ce8d3c2440b1950
Instruction Fuzzy Hash: B9A18E75A403515BD700DB24AC86BFA779AAF42321F480166FC849B183EA2BF11FD7B1

Function 1FD75D70 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 266COMMON

Download Yara Rule

Strings

secure-delete, xrefs: 1FD76031
crisismerge, xrefs: 1FD75EF7
automerge, xrefs: 1FD75E59
deletemerge, xrefs: 1FD75F64
rank, xrefs: 1FD75FBB
pgsz, xrefs: 1FD75D81
usermerge, xrefs: 1FD75EAD
hashsize, xrefs: 1FD75DF0

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: automerge$crisismerge$deletemerge$hashsize$pgsz$rank$secure-delete$usermerge
API String ID: 0-3330941169
Opcode ID: cb8d2eda2bc37051ed628aeedf7b002459ff1b2dd253e1d58b3f3e48b3a6dede
Instruction ID: 9635bcb841c5d938c02d7d6be6961a906f7d559e5098e62f291544bed9c0094a
Opcode Fuzzy Hash: cb8d2eda2bc37051ed628aeedf7b002459ff1b2dd253e1d58b3f3e48b3a6dede
Instruction Fuzzy Hash: 4E7138BAB003514BC7419E19AC00AAE77D1AFC5216F04097EF942CB251FF26F94A97E3

Function 1FC65E20 Relevance: 26.7, APIs: 8, Strings: 7, Instructions: 496COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FC65F2B, 1FC66253, 1FC66385
%s at line %d of [%.10s], xrefs: 1FC65F3A, 1FC66262, 1FC66394
SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id', xrefs: 1FC65E6F
recursive definition for %s.%s, xrefs: 1FC65E4C
misuse, xrefs: 1FC65F35, 1FC6625D, 1FC6638F
API called with finalized prepared statement, xrefs: 1FC65F1F, 1FC66247, 1FC66379
no such fts5 table: %s.%s, xrefs: 1FC662EA

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$SELECT t.%Q FROM %Q.%Q AS t WHERE t.%Q MATCH '*id'$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such fts5 table: %s.%s$recursive definition for %s.%s
API String ID: 0-1070437968
Opcode ID: 945afd677f056119c44a11bfbcba5d937e0001bc0cd7f7100d9c4fee655a52d1
Instruction ID: 208c0c94bec2dbceda96a4c3b985ad4bbea4c5fe49a74b04c151feb5131c17d0
Opcode Fuzzy Hash: 945afd677f056119c44a11bfbcba5d937e0001bc0cd7f7100d9c4fee655a52d1
Instruction Fuzzy Hash: 3502E5B5A083419BD7109F25CC84B9B77E4BF84328F040529E9498F342EB76F558EBA2

Function 1FCD9980 Relevance: 24.9, APIs: 7, Strings: 7, Instructions: 429COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FCD9A35, 1FCD9D90
SELECT %s, xrefs: 1FCD99B1
%s at line %d of [%.10s], xrefs: 1FCD9A44, 1FCD9D9F
misuse, xrefs: 1FCD9A3F, 1FCD9D9A
API called with NULL prepared statement, xrefs: 1FCD9A04
API called with finalized prepared statement, xrefs: 1FCD9A19, 1FCD9D84
no such function: %s, xrefs: 1FCD9E8C

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$SELECT %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$no such function: %s
API String ID: 0-3900766660
Opcode ID: da5d49b1d76355535a827596f71c890d7169366227718c00df1eeb823ee24c96
Instruction ID: 80b7ce949275a3394c8c5ceea2cba53b850be1fddf7b3ea126224b60fa6ea492
Opcode Fuzzy Hash: da5d49b1d76355535a827596f71c890d7169366227718c00df1eeb823ee24c96
Instruction Fuzzy Hash: 8CE1E4BAA047419BD7148F25C884B9F77E6BF85314F04052CFA8A9B641EB35F809D7E2

Function 1FC93800 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 184COMMON

Download Yara Rule

Strings

null, xrefs: 1FC938E7
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FC93930
cannot open value of type %s, xrefs: 1FC938ED
%s at line %d of [%.10s], xrefs: 1FC9393F
real, xrefs: 1FC93895, 1FC938EC
no such rowid: %lld, xrefs: 1FC939F8
misuse, xrefs: 1FC9393A
integer, xrefs: 1FC9389A
API called with finalized prepared statement, xrefs: 1FC93924

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$cannot open value of type %s$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$integer$misuse$no such rowid: %lld$null$real
API String ID: 0-1477268580
Opcode ID: e6ca15e35b0d57d575edb309a95c5487f7aea9fefb5a3d11500a004246f3d908
Instruction ID: 76636cebe5a60174283bf54b16a2671bcf5209f3ac2cafce0452636f34601ad7
Opcode Fuzzy Hash: e6ca15e35b0d57d575edb309a95c5487f7aea9fefb5a3d11500a004246f3d908
Instruction Fuzzy Hash: FE5124B56003059FD7109F28CC40B66B7E8FF80315F04096DE9568B752EB72F408DBA5

Function 1FC63420 Relevance: 21.4, APIs: 6, Strings: 6, Instructions: 392COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FC63548, 1FC63594
%s at line %d of [%.10s], xrefs: 1FC63557, 1FC635A3
ATTACH x AS %Q, xrefs: 1FC6346F
misuse, xrefs: 1FC63552, 1FC6359E
API called with NULL prepared statement, xrefs: 1FC63517
API called with finalized prepared statement, xrefs: 1FC6352C, 1FC63588

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ATTACH x AS %Q$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-2988319395
Opcode ID: 405f3cdcf661ee382b150d07b667e683428016ff5ece9718cb4e95dc57a213b1
Instruction ID: 421395cb96c7b21186b844a8c43f3142dd590d2fb1a69cee65bf71527687e93d
Opcode Fuzzy Hash: 405f3cdcf661ee382b150d07b667e683428016ff5ece9718cb4e95dc57a213b1
Instruction Fuzzy Hash: 8CD1F4B1A083419BEB009F25CCC9B9B77E4BF45325F04452DE8498B352EB36F558DBA2

Function 1FDE7C10 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

winFullPathname1, xrefs: 1FDE7CC9
winFullPathname2, xrefs: 1FDE7D35
%s%c%s, xrefs: 1FDE7C7A

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s%c%s$winFullPathname1$winFullPathname2
API String ID: 0-2846052723
Opcode ID: f5586532957a2326d9ee5a8028241b17232f1518e323ac8c23488556a4642cab
Instruction ID: a17d1466bf1583c394c0ea8219b64ca1654f88fafb672e0bd63421beda18b553
Opcode Fuzzy Hash: f5586532957a2326d9ee5a8028241b17232f1518e323ac8c23488556a4642cab
Instruction Fuzzy Hash: C8419E61B443552BE7D09B20BC45FBF379EAF81620F06062DF49A5A083EA57F446D362

Function 1FD05470 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 225COMMON

Download Yara Rule

Strings

%!0.15g, xrefs: 1FD054D2
%lld, xrefs: 1FD0550D
JSON cannot hold BLOB values, xrefs: 1FD05697

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %!0.15g$%lld$JSON cannot hold BLOB values
API String ID: 0-1047910854
Opcode ID: 0a7463edbba2f3f66c7f11f492253bb23db275693c73f8c6e028a437765e68e8
Instruction ID: 59acb9ec005d8a81fb22c3aa2c3ed7a41bbd3fe885b8b60a433ec43dc5250144
Opcode Fuzzy Hash: 0a7463edbba2f3f66c7f11f492253bb23db275693c73f8c6e028a437765e68e8
Instruction Fuzzy Hash: 1D51A87A6043006AE3217E28EC05FBB37A6DFC2325F54024DFD425B2D2EB6BB55542B2

Function 1FC83D20 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 223COMMON

Download Yara Rule

Strings

=%Q, xrefs: 1FC83E7F
%Q., xrefs: 1FC83E11
PRAGMA , xrefs: 1FC83DC5

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %Q.$=%Q$PRAGMA
API String ID: 0-2099833060
Opcode ID: 85d2b796f2ab34b2fd3696977274263f76d185bb8c2653d0c3856b449663eb73
Instruction ID: 9ee6842ea89fec6fcbf8c7e731538857dab8aa17c23bdba8bcf46ad947ebe2b7
Opcode Fuzzy Hash: 85d2b796f2ab34b2fd3696977274263f76d185bb8c2653d0c3856b449663eb73
Instruction Fuzzy Hash: 9071F576A043119BDB04DF24CC84B5BB7E4BF84318F04066AFC459B262E736F919DBA2

Function 1FC6B980 Relevance: 16.7, APIs: 11, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95232483e0b365ddbbe7a1d35cf600948122bc9461b4b58a00fe94640792ca13
Instruction ID: 48ea5a3cbece5bf7e9c9d642531560133b6581f46dcada9cb19b35323542d64d
Opcode Fuzzy Hash: 95232483e0b365ddbbe7a1d35cf600948122bc9461b4b58a00fe94640792ca13
Instruction Fuzzy Hash: 5E81487690C3829BD7018F20C8D076ABBA0BFC5220F4C0668E8D51B356EB35F955E7D2

Function 1FCAF600 Relevance: 16.7, APIs: 11, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70c7127cf5330d89c7d45b3115e672d80e76ffd15e8db3879d2d7a1d690e5da
Instruction ID: 8a4372541bba62c5251b653ead2b0a91a44efdfc5f6dfdeee69074b62eb7c5e1
Opcode Fuzzy Hash: a70c7127cf5330d89c7d45b3115e672d80e76ffd15e8db3879d2d7a1d690e5da
Instruction Fuzzy Hash: BC51C276A043036BD700CE14DC80BABB7E8EF84714F40056DF94496251EB36BA5EE796

Function 1FCD1940 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 345COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FCD1B17
%s at line %d of [%.10s], xrefs: 1FCD1B26
misuse, xrefs: 1FCD1B21
block, xrefs: 1FCD1A90

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$block$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-4016964285
Opcode ID: 2458d0ee0926dd1bff1be2090e40e86beff9b9c9699d0fd4ea282a5fae5a1f6f
Instruction ID: 8f08db451a8c90aa75bf79ed5d0b256807a813f85b5af27c528a28ba059242e3
Opcode Fuzzy Hash: 2458d0ee0926dd1bff1be2090e40e86beff9b9c9699d0fd4ea282a5fae5a1f6f
Instruction Fuzzy Hash: C6C101B29003509FEB14DF25CC84A9E77A4BF85324F04422AFE499B211E732E914DBE2

Function 1FC7FED0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

%llu, xrefs: 1FC7FF3C
another row available, xrefs: 1FC80076, 1FC80081
no more rows available, xrefs: 1FC8006F
abort due to ROLLBACK, xrefs: 1FC80068
unknown error, xrefs: 1FC8003E
%llu, xrefs: 1FC7FFF7

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %llu$%llu$abort due to ROLLBACK$another row available$no more rows available$unknown error
API String ID: 0-1539118790
Opcode ID: 383eac1edb3679407803c042a8b74dcc9ae04b993ae511512efcdbc6731573a9
Instruction ID: a39900f66a19171f5b5ad4d4f0f904746a4134235ee4e96a48b0096943a8e420
Opcode Fuzzy Hash: 383eac1edb3679407803c042a8b74dcc9ae04b993ae511512efcdbc6731573a9
Instruction Fuzzy Hash: 7C91E6326443009BDB04DE18CC847AA7BE1BF85328F44462DF95D9B351EB37E846DB92

Function 1FC73A50 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 172COMMON

Download Yara Rule

Strings

read-only, xrefs: 1FC73A71
bad page value, xrefs: 1FC73BDC
cannot insert, xrefs: 1FC73BF1, 1FC73C52
bad page number, xrefs: 1FC73BE3
no such schema, xrefs: 1FC73BEA
cannot delete, xrefs: 1FC73A82

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: bad page number$bad page value$cannot delete$cannot insert$no such schema$read-only
API String ID: 0-1499782803
Opcode ID: f9f2ac1bfb79fd1cfbfa17642ba90129be05ca32b45bcc8384e5421a50da9f68
Instruction ID: 4c735a279f7ad0d5d648438a64c2ae51eece605c6aa9f866a7b2b771571023d9
Opcode Fuzzy Hash: f9f2ac1bfb79fd1cfbfa17642ba90129be05ca32b45bcc8384e5421a50da9f68
Instruction Fuzzy Hash: BA511672A00301DBDB04DF24CC87B5677A8AF80324F15466AEC898B251EF37F955E7A1

Function 1FCAF4B0 Relevance: 15.1, APIs: 10, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47789057f54d3d5d235375a09c406a209fee87bea1c44866fc0f5d3bf2f426b
Instruction ID: 4d4f0d716f628082912631aedc12111ced9e87acd1b66cac53094c4049d21e02
Opcode Fuzzy Hash: d47789057f54d3d5d235375a09c406a209fee87bea1c44866fc0f5d3bf2f426b
Instruction Fuzzy Hash: 0C21B4BBE003433AE3029A205C05FAF229C5F81606F054818FD94A9091FB36F60EE2E7

Function 1FD6FB30 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 324COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FD6FB96
%s at line %d of [%.10s], xrefs: 1FD6FBA5
misuse, xrefs: 1FD6FBA0
API called with NULL prepared statement, xrefs: 1FD6FB65
API called with finalized prepared statement, xrefs: 1FD6FB7A

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-860711957
Opcode ID: a37649bf357c3ba8e6822119797aa7c85ddc875cfdaab778b3b74eb72d3939fc
Instruction ID: 8cd158f228e1f5b933f370fc1d1bb0755f906c62bb5bef9b7a1b011b781bb84d
Opcode Fuzzy Hash: a37649bf357c3ba8e6822119797aa7c85ddc875cfdaab778b3b74eb72d3939fc
Instruction Fuzzy Hash: A2B1D4B5A04B419BD7508F34DC45B6B77E5BF45328F44096CE88A8B242F776F40ACBA2

Function 1FCE1710 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 235COMMON

Download Yara Rule

Strings

%z%s%Q, xrefs: 1FCE180D
rank, xrefs: 1FCE1824
%z, %Q HIDDEN, %s HIDDEN), xrefs: 1FCE1831
CREATE TABLE x(, xrefs: 1FCE17D9

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %z%s%Q$%z, %Q HIDDEN, %s HIDDEN)$CREATE TABLE x($rank
API String ID: 0-3324442540
Opcode ID: a3f598140a26e98059b6e3bcc7bc3f378d7b5a55bb78131c13f30c00a6adfe7f
Instruction ID: a81e42925fdedb83bc5c684154c1cc86130b1140dff56dedbf54fe359f5c8f47
Opcode Fuzzy Hash: a3f598140a26e98059b6e3bcc7bc3f378d7b5a55bb78131c13f30c00a6adfe7f
Instruction Fuzzy Hash: 57811772A00311DFDB019F24DC44A9B7BE5FF85369F04062AFC459B221EB36E964D7A2

Function 1FD574A0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 175COMMON

Download Yara Rule

Strings

invalid, xrefs: 1FD574BC
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FD574CD
%s at line %d of [%.10s], xrefs: 1FD574DC
unable to close due to unfinalized statements or unfinished backups, xrefs: 1FD575D1
misuse, xrefs: 1FD574D7
API call with %s database connection pointer, xrefs: 1FD574C1

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$invalid$misuse$unable to close due to unfinalized statements or unfinished backups
API String ID: 0-3800776574
Opcode ID: b4ba7eab85460d0287798684d677a4efb53e7d33f6568143f7f0cb8242fb3481
Instruction ID: 933baf6cdb5b930389e5e27441b68e3971ebd26fcff42800761d3afcae4c0e76
Opcode Fuzzy Hash: b4ba7eab85460d0287798684d677a4efb53e7d33f6568143f7f0cb8242fb3481
Instruction Fuzzy Hash: D0519774A00704ABDF529B24AC48BA777B5BF41324F260019E85A97221FB32F555C2B2

Function 1FCFBCF0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 103COMMON

Download Yara Rule

Strings

PRAGMA %Q.page_size, xrefs: 1FCFBD03
undersize RTree blobs in "%q_node", xrefs: 1FCFBDA1
SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1, xrefs: 1FCFBD67

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: PRAGMA %Q.page_size$SELECT length(data) FROM '%q'.'%q_node' WHERE nodeno = 1$undersize RTree blobs in "%q_node"
API String ID: 0-3485589083
Opcode ID: c199cc8e4c377a6155993707fde475bbed78f8aa9a4745552dd510bf15ecfa5e
Instruction ID: ca489c5f2a0801571c4a33b61e9f0dd57269616dbefa331a4d381afcd6d5d55a
Opcode Fuzzy Hash: c199cc8e4c377a6155993707fde475bbed78f8aa9a4745552dd510bf15ecfa5e
Instruction Fuzzy Hash: D131D6B1A00212ABD7089B25CC84A56F7A9FF44365F044226FC4596211DB37FD68DBF2

Function 1FC69700 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

(FK), xrefs: 1FC698D3

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: (FK)
API String ID: 0-1642768157
Opcode ID: 22d466069852b2b51f286d7245100f26f1acdb370a522cd90aefe992009c5a04
Instruction ID: 00ef0e4e99def084a93180f0b2b4485875798aec245c389e59a56f976187d9a4
Opcode Fuzzy Hash: 22d466069852b2b51f286d7245100f26f1acdb370a522cd90aefe992009c5a04
Instruction Fuzzy Hash: 5981D7777092009FD7009F18EC80BA6F3A1FB85235F24476EE54A8B6A1E732E515E751

Function 1FC59DA0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

[%!g,%!g]], xrefs: 1FC59EC0
[%!g,%!g],, xrefs: 1FC59E7E

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: [%!g,%!g],$[%!g,%!g]]
API String ID: 0-3388633204
Opcode ID: 028c5c29823b0fc9bfebfd04e24eca3417f045eb31f1345cbfac4831ee3a2113
Instruction ID: 0c9f8228e3d7e73c5721dc956f6fb072e99037cc5c28982fae074f198659ba66
Opcode Fuzzy Hash: 028c5c29823b0fc9bfebfd04e24eca3417f045eb31f1345cbfac4831ee3a2113
Instruction Fuzzy Hash: 10510331A007118BD700DF29CCC4B96B7B4BF43310F004769F84A9A661F776E559DBA6

Function 1FC6B6E0 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cded44841165ea6e7c1e801605b973714da163fffc6de681e56899324174838
Instruction ID: 8ed4803aa563a4313f63ec9fd0ec72d26a7f44c81fd3df5bdc35f97121ea8635
Opcode Fuzzy Hash: 7cded44841165ea6e7c1e801605b973714da163fffc6de681e56899324174838
Instruction Fuzzy Hash: 3611B9F9E043107FD704AB14EC44E6B77A9EFD1610F8405A4F8458B271EB36E91DE2A6

Function 1FCC7920 Relevance: 10.8, APIs: 7, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction ID: 136f23fe362dbffd3c1ae4d690dde78ad92a9cd804cc16edccbdc950cfdc7c1a
Opcode Fuzzy Hash: d7c0a64c567377825aa826e38cd61e7aab24cd6bc2d57a6723dcf8eefeade29f
Instruction Fuzzy Hash: B6B1AEB6B04302ABC744CF29CC80A5AB7E9FF88264F444639F949D7711E735F9249BA1

Function 1FC65930 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 234COMMON

Download Yara Rule

Strings

unknown tokenizer: %s, xrefs: 1FC65B28
CREATE TABLE x(input, token, start, end, position), xrefs: 1FC65933
simple, xrefs: 1FC65A38, 1FC65A84, 1FC65A95, 1FC65B27

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(input, token, start, end, position)$simple$unknown tokenizer: %s
API String ID: 0-2679805236
Opcode ID: 23e6187d07829a3b73f474bf158628dfb0a132206e59ec580987b608849e227d
Instruction ID: f5e6d963c27d7f378671f46ad753120562d49641c91203b2a54afbee34d3df0c
Opcode Fuzzy Hash: 23e6187d07829a3b73f474bf158628dfb0a132206e59ec580987b608849e227d
Instruction Fuzzy Hash: 1E71C2729083068FC704DF28CC84A5AB7E5FFD5224F180A69E849D7311EB76F909DBA1

Function 1FC73F30 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 169COMMON

Download Yara Rule

Strings

remove_diacritics=0, xrefs: 1FC73FE1
remove_diacritics=2, xrefs: 1FC74021
remove_diacritics=1, xrefs: 1FC73FA2
separators=, xrefs: 1FC740A3
tokenchars=, xrefs: 1FC7406A

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: remove_diacritics=0$remove_diacritics=1$remove_diacritics=2$separators=$tokenchars=
API String ID: 0-131617836
Opcode ID: 4992c489bcb7071eca1cbf45a841b17dbf642d1b6cf8e0591f87ed807ab4aa4f
Instruction ID: ced3907856b29af95f9c60b3a64f1904aed7f41fe5e8f066280cfc3f89a899b9
Opcode Fuzzy Hash: 4992c489bcb7071eca1cbf45a841b17dbf642d1b6cf8e0591f87ed807ab4aa4f
Instruction Fuzzy Hash: EE51C376A04282CBD301DF24D4417AAF7B1BB42324F8583A8E8465F645DF32FD8AEB51

Function 1FD015C0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

%!0.15g, xrefs: 1FD0160A
null, xrefs: 1FD015EE
JSON cannot hold BLOB values, xrefs: 1FD016D9

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %!0.15g$JSON cannot hold BLOB values$null
API String ID: 0-3074873597
Opcode ID: 03fbb611f1a7c1b8f5dbd602d6abcce5acfed26b7742d9dc2aaf4eb309533656
Instruction ID: 16a1f252a086f934c06225d93e4c8d4f1f4fb06414e1e7118b61c27d9e8c0d4a
Opcode Fuzzy Hash: 03fbb611f1a7c1b8f5dbd602d6abcce5acfed26b7742d9dc2aaf4eb309533656
Instruction Fuzzy Hash: 19419EB9600701BFE3507B74DC81BBB77A4DB42329F080629F191C65D2D3AAB59883F1

Function 1FC71D50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

no such database: %s, xrefs: 1FC71E05
CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN), xrefs: 1FC71E2C

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x( name TEXT, path TEXT, pageno INTEGER, pagetype TEXT, ncell INTEGER, payload INTEGER, unused INTEGER, mx_payload INTEGER, pgoffset INTEGER, pgsize INTEGER, schema TEXT HIDDEN, aggregate BOOLEAN HIDDEN)$no such database: %s
API String ID: 0-1404816483
Opcode ID: 3c5edeae97c3ee019cce0fff35d07332b9d57abd38e07a2a9f57876e8dd005f9
Instruction ID: e644c18f3ec2a7cdfb7b917db12cfc7fdca4787072aa49797c87f4b3a45a3371
Opcode Fuzzy Hash: 3c5edeae97c3ee019cce0fff35d07332b9d57abd38e07a2a9f57876e8dd005f9
Instruction Fuzzy Hash: 843137766043096BC3115F6ACC00BABB7EDEF85225F010669FD589B241EE7AF9058BF0

Function 1FC89CD0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 74COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FC89CF1
%s at line %d of [%.10s], xrefs: 1FC89D00
misuse, xrefs: 1FC89CFB
API called with finalized prepared statement, xrefs: 1FC89CE5

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3620335220
Opcode ID: accf9ffa4a1d8c30964b34e1fa328e26677dfee6b718f6340981e6a6123cdffa
Instruction ID: c0672a7efbd54c057005d5839b59d3991d1cf3d4a3f378734f31db7542473582
Opcode Fuzzy Hash: accf9ffa4a1d8c30964b34e1fa328e26677dfee6b718f6340981e6a6123cdffa
Instruction Fuzzy Hash: C1113A6BF0076176DA115628BC44BDB7358EFC192EF04013AF90B9A601FB15B88963F7

Function 1FD873E0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 369COMMON

Download Yara Rule

Strings

sqlite_temp_master, xrefs: 1FD873F2
sqlite_master, xrefs: 1FD873FD
ase, xrefs: 1FD8768D
SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 1FD8776D

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master
API String ID: 0-231581592
Opcode ID: 123ee649261fad299baecd60cfd2267c5311b3fa5495f2ac9b3e269d2c849b79
Instruction ID: b517a0e92ed10b16d9281771141b809df712936c72243300b525d31712667202
Opcode Fuzzy Hash: 123ee649261fad299baecd60cfd2267c5311b3fa5495f2ac9b3e269d2c849b79
Instruction Fuzzy Hash: 3EE1E6B4A043419FD751CF28C880B7ABBF4BF95314F05465CE9889B251E771F964CBA2

Function 1FD7BF00 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 156COMMON

Download Yara Rule

Strings

NEAR, xrefs: 1FD7C03A
phrase, xrefs: 1FD7C035, 1FD7C042
fts5 expression tree is too large (maximum depth %d), xrefs: 1FD7C070
fts5: %s queries are not supported (detail!=full), xrefs: 1FD7C043

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: NEAR$fts5 expression tree is too large (maximum depth %d)$fts5: %s queries are not supported (detail!=full)$phrase
API String ID: 0-593389478
Opcode ID: eb8fc2588604d962ef3065f09901c2284ddbbb432ca843ad275ee969e0728b5f
Instruction ID: d2a6e16b9201dd2aa00dd2ee9e77bef26210affb3f7b1dfa881917b9c04d27d1
Opcode Fuzzy Hash: eb8fc2588604d962ef3065f09901c2284ddbbb432ca843ad275ee969e0728b5f
Instruction Fuzzy Hash: 7D41EC35A007569FC7548E24C880B7AF3A4EF85628F14476AEA428F251EF72F885DBD1

Function 1FC9F490 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FC9F4B0
%s at line %d of [%.10s], xrefs: 1FC9F4BF
misuse, xrefs: 1FC9F4BA
unable to delete/modify collation sequence due to active statements, xrefs: 1FC9F533

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 0-3348720253
Opcode ID: f941e51bcd57cf37ad29f73868cdbf387e4cae4c6415158e7cd04091c4f88672
Instruction ID: 84684d50c55e5d8dbce025f0ad3887df804a9eb0983ef92eed949b2210e6cb39
Opcode Fuzzy Hash: f941e51bcd57cf37ad29f73868cdbf387e4cae4c6415158e7cd04091c4f88672
Instruction Fuzzy Hash: 4A412877A003429BD7008F24EC80BAAB7E4FF81325F14456EF5549B282E736F516DBA1

Function 1FD093A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 93COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FD09446, 1FD0948A
%s at line %d of [%.10s], xrefs: 1FD09455, 1FD09499
database corruption, xrefs: 1FD09450, 1FD09494

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: c92b97a8b4ef61ac089f3ecffe7c6b250023b0b3fae16b4517210f026968c75a
Instruction ID: efb8b722f6771316954e6107d3310043ec15df02b11da226cd85003f36b396ca
Opcode Fuzzy Hash: c92b97a8b4ef61ac089f3ecffe7c6b250023b0b3fae16b4517210f026968c75a
Instruction Fuzzy Hash: CA314639600B904BC324EF29C890AB3BBF2DF85701B54845CE6C74B786E722E842CB91

Function 1FC61C60 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 88COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FC61D3C
%s at line %d of [%.10s], xrefs: 1FC61D4B
misuse, xrefs: 1FC61D46
unknown database: %s, xrefs: 1FC61CBD

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse$unknown database: %s
API String ID: 0-142545749
Opcode ID: 23cfcda3a5d24fa4d59da86f7a669c3f5189b3cdbed4e0840a0a072b8d6cdfed
Instruction ID: 8582aae474895719469a21626e47e58001fbb87dfc42bfc8d211edc68ee62041
Opcode Fuzzy Hash: 23cfcda3a5d24fa4d59da86f7a669c3f5189b3cdbed4e0840a0a072b8d6cdfed
Instruction Fuzzy Hash: E92147B65047807BDB119A259C84FDB7BA99FC2B3AF10012CF85956381E731A405D7B2

Function 1FC93FF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FC9407D, 1FC940A8
%s at line %d of [%.10s], xrefs: 1FC9408C, 1FC940B7
database corruption, xrefs: 1FC94087, 1FC940B2

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: b1701ac0b7c81b5765bb9bfa12d37539760a6a549fd47d338b8d2a10260f1bf1
Instruction ID: 680b66ce1e74151e7a3aa9503f0be54eb72078a082cd596c332ef9d634c634b4
Opcode Fuzzy Hash: b1701ac0b7c81b5765bb9bfa12d37539760a6a549fd47d338b8d2a10260f1bf1
Instruction Fuzzy Hash: 6A21F5B7A003115BCB00DE19DC81AEBBBE0FB84651F468126FD48D7341EB29E65997E2

Function 1FC733C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN), xrefs: 1FC733D6

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(pgno INTEGER PRIMARY KEY, data BLOB, schema HIDDEN)
API String ID: 0-1935849370
Opcode ID: b7b751b6931be316ee138ae2d0dcabefacb8b0af325ad9358d1fb960f082c1f1
Instruction ID: b70e73affc897a08a4b7906f3e9992c2a739981db2917ff7336ee664e86bc19f
Opcode Fuzzy Hash: b7b751b6931be316ee138ae2d0dcabefacb8b0af325ad9358d1fb960f082c1f1
Instruction Fuzzy Hash: A10196397043169AD302DF19D80178AB7D6EFC5311F05817AF5049B250EFB4B44B97A1

Function 1FD33E10 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

Strings

Wrong number of entries in %%%s table - expected %lld, actual %lld, xrefs: 1FD33E6C
SELECT count(*) FROM %Q.'%q%s', xrefs: 1FD33E26

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT count(*) FROM %Q.'%q%s'$Wrong number of entries in %%%s table - expected %lld, actual %lld
API String ID: 0-3026403748
Opcode ID: 7526a57e97e441f57c2616452e32cafb0f873b198af8bf34dd7f67bcea9e163a
Instruction ID: 1733200b5acb4c8b5a106dfdd092d65f40fd1bf9d6b07f0c820498a5d38fef66
Opcode Fuzzy Hash: 7526a57e97e441f57c2616452e32cafb0f873b198af8bf34dd7f67bcea9e163a
Instruction Fuzzy Hash: 21F044F6D043416BCB125B00AD40E7F76E9AFC5A12F050A2CF28A75210EF2BF554A7A7

Function 1FE05BC1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,2FE34BC9,?,?,00000000,1FE5D1CB,000000FF,?,1FE05B30,?,?,1FE05ADF,?), ref: 1FE05BF6
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 1FE05C08
FreeLibrary.KERNEL32(00000000,?,?,00000000,1FE5D1CB,000000FF,?,1FE05B30,?,?,1FE05ADF,?), ref: 1FE05C2A

Strings

mscoree.dll, xrefs: 1FE05BEF
CorExitProcess, xrefs: 1FE05C00

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a17782e161a780c845089c5b84d34797ccc59aefe490f161916238397a0e1288
Instruction ID: 1bb97f20847dd9ae91501b1c0112f1376ecccfa8226e8765938db6a07c955d30
Opcode Fuzzy Hash: a17782e161a780c845089c5b84d34797ccc59aefe490f161916238397a0e1288
Instruction Fuzzy Hash: EB01AC72914629AFCF05AF50CD48BED77B9FB45724F000926E811A1290DB3A9810CA50

Function 1FD773C0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

fts5: syntax error near "%.*s", xrefs: 1FD7751C

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: fts5: syntax error near "%.*s"
API String ID: 0-498961494
Opcode ID: 662679298f70de80744ac8fca0bb24235dbb893d761ef54b611be8aa0c9bb629
Instruction ID: 082a22e97ad5e7f4b61082fd28303d37e8bff09053e959780b942a53a0e81a8e
Opcode Fuzzy Hash: 662679298f70de80744ac8fca0bb24235dbb893d761ef54b611be8aa0c9bb629
Instruction Fuzzy Hash: F1B1BEB4904341CFD791CF24C884B6ABBE4BF85318F154E1EF8858B250EB76E585CBA6

Function 1FC913A0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 214COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FC91459
%s at line %d of [%.10s], xrefs: 1FC91468
database corruption, xrefs: 1FC91463

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: e2e31fceb102eb7565333f85d3eeaf8c84d5e0aec991d5e639d7c59afba54e96
Instruction ID: 3526094c259f309d302e3d643a167f9b4f552ed43af7e0c80414d9960200bc28
Opcode Fuzzy Hash: e2e31fceb102eb7565333f85d3eeaf8c84d5e0aec991d5e639d7c59afba54e96
Instruction Fuzzy Hash: 957117B6A043009FC705CF25C881A677BE4BFC8310F154A9DF8999B252E731F945CBA2

Function 1FC67D30 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

winShmMap3, xrefs: 1FC67F1D
winShmMap1, xrefs: 1FC67DC5
winShmMap2, xrefs: 1FC67E1F

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: winShmMap1$winShmMap2$winShmMap3
API String ID: 0-3826999013
Opcode ID: 4b58db9665e8379cfbf55c3598ed43aad706b3be9aa971f31dd11cf25d5e3af2
Instruction ID: f1498f8af489b04d08b398bf09e64d81566689396a446f09102a9d4c7ba5c3a9
Opcode Fuzzy Hash: 4b58db9665e8379cfbf55c3598ed43aad706b3be9aa971f31dd11cf25d5e3af2
Instruction Fuzzy Hash: 1261BC725083019FDB14DF25CC85A67B7E5AF84724F01496DF98297392EB36F818CB62

Function 1FC5DE5A Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

(join-%u), xrefs: 1FC5DFA1
(subquery-%u), xrefs: 1FC5DFB3

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: (join-%u)$(subquery-%u)
API String ID: 0-2916047017
Opcode ID: 69e2ff3f9888cfc5808a3dac2f5ed6f9f8c39cb63b274e5a7d8dfa55720a2194
Instruction ID: 01280a14c36f9b62506e7d7a58a6cc2343c0a779a8c560ffabfc4f7de2ac76f1
Opcode Fuzzy Hash: 69e2ff3f9888cfc5808a3dac2f5ed6f9f8c39cb63b274e5a7d8dfa55720a2194
Instruction Fuzzy Hash: E751D476B0C3418BCB18CF24D8A0A6BB7E1AF85314F04875DEC5A4B226E631F816DB95

Function 1FC935E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FC935EA
%s at line %d of [%.10s], xrefs: 1FC935F9
misuse, xrefs: 1FC935F4

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: ce47aa3c27d62078c52abeada6e5caa96569ee747818ae4acc569b126c4cb88f
Instruction ID: 848f919e51a9e734ac7089e0d588cb888664bb87b640ca5d44d0aeea7ce396ab
Opcode Fuzzy Hash: ce47aa3c27d62078c52abeada6e5caa96569ee747818ae4acc569b126c4cb88f
Instruction Fuzzy Hash: BC5106F6A00311AFDB148F24CC84A56BBA9FF44724F05565CF8699B252E732F814DBE2

Function 1FD096B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 136COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FD097E0
%s at line %d of [%.10s], xrefs: 1FD097EF
database corruption, xrefs: 1FD097EA

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 518111b4395eb417831dca84c2f834759a924e368d4f9b822152ff97d04e1d21
Instruction ID: 5fa19d5363c05643fe7b2f44b7b012f697f67c26d4500fc9900c629d9ca4969c
Opcode Fuzzy Hash: 518111b4395eb417831dca84c2f834759a924e368d4f9b822152ff97d04e1d21
Instruction Fuzzy Hash: 4C41287A2047908FD7219F7C94406E6FFE09F81251F0809AED2DA8B752E262F485D762

Function 1FDD5960 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FDD5976
%s at line %d of [%.10s], xrefs: 1FDD5985
misuse, xrefs: 1FDD5980

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: cac2c714e6c630c1ae32b0d7cadb4f3583fe70bf3798dea6b09c45843513b6f2
Instruction ID: a2652ad392f054552292ee15e6b0ef7fda439c33f7890241d97268bdc3282ef8
Opcode Fuzzy Hash: cac2c714e6c630c1ae32b0d7cadb4f3583fe70bf3798dea6b09c45843513b6f2
Instruction Fuzzy Hash: 394117759003619BD754CB14CC80BFAB7E4AFC5320FC41629F8445B281E739F994C7A2

Function 1FC95390 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FC953FE
%s at line %d of [%.10s], xrefs: 1FC9540D
database corruption, xrefs: 1FC95408

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 02cf01364aec0a3c7322e8cbe03fc26f0a9e56be66b2f336023941532d6b0cbd
Instruction ID: f591923b9e779e721321db7e1650af3a5c7d60cf5a3501ddc4a1547dfe5e6eba
Opcode Fuzzy Hash: 02cf01364aec0a3c7322e8cbe03fc26f0a9e56be66b2f336023941532d6b0cbd
Instruction Fuzzy Hash: D8315B2A64079146D7219F3998407E6B7E0BFE1712F44086EE9C9C7681F316F492E3A2

Function 1FD77ED0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

error in tokenizer constructor, xrefs: 1FD77F92
no such tokenizer: %s, xrefs: 1FD77F1B

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: error in tokenizer constructor$no such tokenizer: %s
API String ID: 0-815501780
Opcode ID: d5fe16cf0c2c5bf7f7d705ec2354e1495a781b8dfd0b7c76f65d9a134988969d
Instruction ID: f951ad5af1e8f40259ea41c7b7e2487e4cf1aef6fdb9bdf2236476b720b5a53e
Opcode Fuzzy Hash: d5fe16cf0c2c5bf7f7d705ec2354e1495a781b8dfd0b7c76f65d9a134988969d
Instruction Fuzzy Hash: 5D317C767013558FC760CE19D840AAAB3E5EF84629F160A6DE9899F200EB32F805CB61

Function 1FCA1420 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 106COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FCA146B
%s at line %d of [%.10s], xrefs: 1FCA147A
database corruption, xrefs: 1FCA1475

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 05c6c0f3e4a98d334c89cce057a1549ea0d613d7f88e8b5976d42b7052621625
Instruction ID: d2e6801b7562ed29bfed555725c40d195da3832a90eb6c1cb2e0fe9e2958a7ba
Opcode Fuzzy Hash: 05c6c0f3e4a98d334c89cce057a1549ea0d613d7f88e8b5976d42b7052621625
Instruction Fuzzy Hash: 7131B1766093928FC320CF29D940967FBF0EF85215B04869EE4868BA53D731F549DBA1

Function 1FC9FD60 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FC9FDE6, 1FC9FE61
%s at line %d of [%.10s], xrefs: 1FC9FE82
database corruption, xrefs: 1FC9FE7D

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: ee3e1f231b201532023c28c4fb9657ca816b1e864160aa7635ec2966bec7b57d
Instruction ID: 6544c1835c9375b8761425f38eed7859e3d825072dfd71cb1e023d3f8c5ed556
Opcode Fuzzy Hash: ee3e1f231b201532023c28c4fb9657ca816b1e864160aa7635ec2966bec7b57d
Instruction Fuzzy Hash: 51312BA96243818AD3148F28C400766BBA1BF55308F64D5CDE4498F793E37BC4C7EB96

Function 1FCAD6F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

%s%s, xrefs: 1FCAD725

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s%s
API String ID: 0-3252725368
Opcode ID: 04e4e631754afa916a0327980bcc0de61fa1e10295d286f8e4f147312d952cfe
Instruction ID: ce65704b696a004f20d3b1573472684f0ac4385315b81da4006e4240b5b0968b
Opcode Fuzzy Hash: 04e4e631754afa916a0327980bcc0de61fa1e10295d286f8e4f147312d952cfe
Instruction Fuzzy Hash: CD11A2769002259BDB05AB15DC88A9633A9FF8136AF040126FD08C6214F737B624D7B2

Function 1FC6F8A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

integer overflow, xrefs: 1FC6F8ED

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: integer overflow
API String ID: 0-1678498654
Opcode ID: 7ec5f5eb4f2c51cde5f2f6b592ffae9d50141941d3c39dfbbae22680f1f9da61
Instruction ID: 63bc57301e4fd95fd450490d22cc0ce0647c17f9edb08aba91d570e7eef571f3
Opcode Fuzzy Hash: 7ec5f5eb4f2c51cde5f2f6b592ffae9d50141941d3c39dfbbae22680f1f9da61
Instruction Fuzzy Hash: BF11B27AC087126ADB01AF24AC41B8A37A16F17334F050399F4551A2F6FB71A5CAE3D2

Function 1FD01F70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

JSON path error near '%q', xrefs: 1FD01F92

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: JSON path error near '%q'
API String ID: 0-481711382
Opcode ID: dce7f482696871505d177cb160f5d6479c30ad94ec65e732f61d8e7aaf3fb993
Instruction ID: ce652c6ae59a3a1f27913a1229389415c331ed734f1405796dbf74fd19d13217
Opcode Fuzzy Hash: dce7f482696871505d177cb160f5d6479c30ad94ec65e732f61d8e7aaf3fb993
Instruction Fuzzy Hash: 2801C4727093116FDB24AA649C01BAB7BD5DF41360F10076CF895962D1EB76F80193E2

Function 1FC61DF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

Strings

ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 1FC61E53
%s at line %d of [%.10s], xrefs: 1FC61E63
misuse, xrefs: 1FC61E59

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-3564305576
Opcode ID: d0e63bf59ecf9ac3e8e5d5c26cea923d3a0f3d0da92f82a2998da75a61d8f72f
Instruction ID: 8bd72cb617c386ffebcda9d86c25124d34573d00fb977fe8f495859233a463b7
Opcode Fuzzy Hash: d0e63bf59ecf9ac3e8e5d5c26cea923d3a0f3d0da92f82a2998da75a61d8f72f
Instruction Fuzzy Hash: 8E11E33470CA509FD714CE3AD88CA96BBB8AF82B26F044559F005CB322D335E515D7E2

Function 1FC77F70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN), xrefs: 1FC77F76

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: CREATE TABLE x(key,value,type,atom,id,parent,fullkey,path,json HIDDEN,root HIDDEN)
API String ID: 0-3072645960
Opcode ID: f3db3880b69257458c3ff59cef51839cb7d8dfe1637f1bf2ddb338c77a10a878
Instruction ID: a081c410b2c7389e6c42d8ccf2a3e6ac8fef5722042bdd0f1a3206667e4165e0
Opcode Fuzzy Hash: f3db3880b69257458c3ff59cef51839cb7d8dfe1637f1bf2ddb338c77a10a878
Instruction Fuzzy Hash: BAF0F63B70434246D7015F58FC01BC9B7D1AFC1311F190679F8449A1A0FB60E88997A1

Function 1FC77DA0 Relevance: 6.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554031d1474c899e9372e104042577ae0e22fb1a1031532e9918dbc1a6465a11
Instruction ID: dbc0bc16a71b41e577a58ee282c745fe1dbedf0dcbda4159fa15e466d7ba45e7
Opcode Fuzzy Hash: 554031d1474c899e9372e104042577ae0e22fb1a1031532e9918dbc1a6465a11
Instruction Fuzzy Hash: D041FD766007059FD314CF18D980A52F7E1FF84324F148A6EE9468BA62EB72FC55DB90

Function 1FE4F4CA Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,00000000,?,?,00000000), ref: 1FE4F4E0
GetLastError.KERNEL32(?,?,?,?), ref: 1FE4F4ED
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 1FE4F513
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 1FE4F539

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: ca4c869b9ecad418cef9cf1f5b374512f0e6699937c99b611c2a24209ea3b8eb
Instruction ID: 3fd7d7c132ba95cae622bcbfdd839511e6a5ea5f621a57fb4216c429a183aabb
Opcode Fuzzy Hash: ca4c869b9ecad418cef9cf1f5b374512f0e6699937c99b611c2a24209ea3b8eb
Instruction Fuzzy Hash: 45112771900269BBDF109FA5DC4C9DF3F79FF41B64F204149F824A61A0DB32AA51DBA0

Function 1FC6BE80 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

string or blob too big, xrefs: 1FC6C1B5

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: string or blob too big
API String ID: 0-2803948771
Opcode ID: 701b26f4e1f44a92fe1319e38cf1405ef1ad42ef933c977e825bd6717f256b1e
Instruction ID: 29c02b2e055537fdcf3d7f85cdf46a7f0fdcc1c4f297b0aaf140e326857e02cb
Opcode Fuzzy Hash: 701b26f4e1f44a92fe1319e38cf1405ef1ad42ef933c977e825bd6717f256b1e
Instruction Fuzzy Hash: 6DA1F576E0CB868FD704DE28C8D0756B7D1AF89231F180B5DE8A1573E1E770E485AB82

Function 1FD778F0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

*, xrefs: 1FD77982
?, xrefs: 1FD7794A

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: *$?
API String ID: 0-2367018687
Opcode ID: c024cb30170bdaae31df024a3af1167493005580149d4967af63f9f7d8b1f564
Instruction ID: 29f2c361d5b607dc1595d1872fc5b8972dcb0a9a9f67710a9be133160e2d51c3
Opcode Fuzzy Hash: c024cb30170bdaae31df024a3af1167493005580149d4967af63f9f7d8b1f564
Instruction Fuzzy Hash: 48711C70A043518FE7558F28C88072BBBE6FF85218F454E6DE8C98F211EB76E94587A1

Function 1FC655D0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

Strings

winDelete, xrefs: 1FC6569C
delayed %dms for lock/sharing conflict at line %d, xrefs: 1FC656D1

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: delayed %dms for lock/sharing conflict at line %d$winDelete
API String ID: 0-1405699761
Opcode ID: ededf2ff98d109fe99ff90a31b0316e362838c50730a53c0c5b16bd5d42bccbf
Instruction ID: 49ae4ca3fab7fe3b6f0d47c9f08c87712186995d5a498d22025817c600d14edd
Opcode Fuzzy Hash: ededf2ff98d109fe99ff90a31b0316e362838c50730a53c0c5b16bd5d42bccbf
Instruction Fuzzy Hash: B3316BB3E052218BDB143A389DCC49A7719B7A2235F210933ED17C6391E623E464E7F1

Function 1FD4DEE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

sqlite_stat1, xrefs: 1FD4DF30
SELECT tbl,idx,stat FROM %Q.sqlite_stat1, xrefs: 1FD4DF4F

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: SELECT tbl,idx,stat FROM %Q.sqlite_stat1$sqlite_stat1
API String ID: 0-3572622772
Opcode ID: f2017594a70d762a95c1f4c0998821e3b8c25851ac195498f8e3f719082bf068
Instruction ID: 6ad577f797afa56c05587fdc935615a826d6431329c6fe50c877ed20678bbb4a
Opcode Fuzzy Hash: f2017594a70d762a95c1f4c0998821e3b8c25851ac195498f8e3f719082bf068
Instruction Fuzzy Hash: 9321E175A013865FCB60DE25DC90E7AB3B4AF81624F65066CFC849B6A1E321FC05CBA1

Function 1FDE7E00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

OsError 0x%lx (%lu), xrefs: 1FDE7ED9

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: OsError 0x%lx (%lu)
API String ID: 0-3720535092
Opcode ID: 8f72aa112ee5e736bd96db4145f0f7558c0360a34be785119a142079cd59574c
Instruction ID: d424b83f05984a38726528745cc9bd680c32576f8a41a98b5257bbae05890be9
Opcode Fuzzy Hash: 8f72aa112ee5e736bd96db4145f0f7558c0360a34be785119a142079cd59574c
Instruction Fuzzy Hash: 7B21D371600321ABEB48AB64DC4CFAB37A5FF41B65F000526F945D1160EB37EA24D7B2

Function 1FC7F740 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';, xrefs: 1FC7F752

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: DROP TABLE '%q'.'%q_node';DROP TABLE '%q'.'%q_rowid';DROP TABLE '%q'.'%q_parent';
API String ID: 0-2071071404
Opcode ID: c3b6390ccda5548a3855188cd82caf1da00f75b5f981c68d413a8fb51f50b793
Instruction ID: 5a9f2efb7fea4bccc84df53d53a685468dd7151359792a5e1c823e95a50b9c6a
Opcode Fuzzy Hash: c3b6390ccda5548a3855188cd82caf1da00f75b5f981c68d413a8fb51f50b793
Instruction Fuzzy Hash: B211C4B5600211AFE604A729DCCDFAB33ADFB81325F00022AF905D2150EB67B965D6B1

Function 1FC5141F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

GetXStateFeaturesMask, xrefs: 1FE30E34
InitializeCriticalSectionEx, xrefs: 1FE30E84

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: GetXStateFeaturesMask$InitializeCriticalSectionEx
API String ID: 0-4196971266
Opcode ID: d5a0b6e4397a604dcfb7cca6c3e0435b85f2075d67941da6cac87d7db8d08eb2
Instruction ID: 84228471c3f821994bb9b94d6db8512ae38d28c180a6e73d136ba27bdd508853
Opcode Fuzzy Hash: d5a0b6e4397a604dcfb7cca6c3e0435b85f2075d67941da6cac87d7db8d08eb2
Instruction Fuzzy Hash: DD018F3294122877CF113AA68C09ECE7F16EF407B6F014122FE1E29220EA769830D7D0

Function 1FD33C30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

%z%s%z, xrefs: 1FD33C6B

Memory Dump Source

Source File: 00000001.00000002.3374485220.000000001FC58000.00000020.00001000.00020000.00000000.sdmp, Offset: 1FC50000, based on PE: true

Associated: 00000001.00000002.3374461624.000000001FC50000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FC51000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FDB6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374485220.000000001FE5D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE5F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3374990292.000000001FE68000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375067781.000000001FE92000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3375092275.000000001FE9F000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1fc50000_RegAsm.jbxd

Similarity

API ID:
String ID: %z%s%z
API String ID: 0-3434679432
Opcode ID: 121b5ff51a16aa90288717f288932f737c6d7c8d4dd3954501bc7276f7b16caa
Instruction ID: 1ce3dcfb4e26ed9f0f453b165d51f1685056c20214dbbdeeb4e4042f63f8375e
Opcode Fuzzy Hash: 121b5ff51a16aa90288717f288932f737c6d7c8d4dd3954501bc7276f7b16caa
Instruction Fuzzy Hash: FAF0A7F09147069FDB508B15DD4177BB2D9FF84211F44492DEC86C6650EB31F945CB51

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\GIIIECBGDHJJ\CAEHJE

C:\ProgramData\GIIIECBGDHJJ\EBKEHJ

C:\ProgramData\GIIIECBGDHJJ\GHDHJE

C:\ProgramData\GIIIECBGDHJJ\GIIIEC

C:\ProgramData\GIIIECBGDHJJ\IJKKEH

C:\ProgramData\GIIIECBGDHJJ\JJJKFB

C:\ProgramData\GIIIECBGDHJJ\KEGCBK

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_50842b9be826d8ed7939945d23cf3e974f7f0c4_56460358_2c7f8a6a-34e8-4b3b-a34b-55f9ed7afc39\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF16E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF269.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF299.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqlt[1].dll

C:\Windows\appcompat\Programs\Amcache.hve

Windows Analysis Report
file.exe

Function 00FF018D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 004778F0 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 319
memoryCOMMON

Function 0045A686 Relevance: .0, Instructions: 29
COMMON

Function 00458BA9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 0041C181 Relevance: 7.6, APIs: 5, Instructions: 119
COMMON

Function 00477D70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79
threadCOMMON

Function 0042AEBA Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMONLIBRARYCODE

Function 00477B30 Relevance: 3.1, APIs: 2, Instructions: 93
memoryCOMMON

Function 0042AC01 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Function 00458C74 Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre