Edit tour

Windows Analysis Report
lem.exe

Overview

General Information

Sample name:	lem.exe
Analysis ID:	1467834
MD5:	7aec38c6f23f36dbf2698d116efebca5
SHA1:	7094d6969973a686765978a661845078bbbf04c3
SHA256:	efa6c45930146d4fcec3793aaab65626df16363643b1452ccdc4e77ac56fb40f
Tags:	exe
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Yara detected Powershell download and execute

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found stalling execution ending in API Sleep call

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Copy From or To System Directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

lem.exe (PID: 6256 cmdline: "C:\Users\user\Desktop\lem.exe" MD5: 7AEC38C6F23F36DBF2698D116EFEBCA5)

cmd.exe (PID: 2004 cmdline: "C:\Windows\System32\cmd.exe" /k copy Son Son.cmd & Son.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6356 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6372 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 2800 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 3604 cmdline: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6664 cmdline: cmd /c md 820565 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 6568 cmdline: findstr /V "StudiedForeignTitansCircles" Eos MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 4488 cmdline: cmd /c copy /b Bind + Dow 820565\n MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Refugees.pif (PID: 6232 cmdline: 820565\Refugees.pif 820565\n MD5: B06E67F9767E5023892D9698703AD098)

timeout.exe (PID: 6256 cmdline: timeout 5 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199730044335", "https://t.me/bu77un"], "Botnet": "af416e6239a4ef1d4db364842c8da73c"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000003.2931166846.0000000001891000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000A.00000002.4110915823.0000000001928000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000A.00000003.2930884990.0000000001891000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000A.00000003.2930715397.0000000001AE7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000A.00000003.2931122159.0000000001AE7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000A.00000002.4110715685.0000000001756000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000A.00000003.2930762938.0000000001929000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000A.00000002.4110774990.00000000017FB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000A.00000003.2931048751.00000000046D8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000A.00000002.4111534243.00000000046D1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Refugees.pif PID: 6232	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: Refugees.pif PID: 6232	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: Refugees.pif PID: 6232	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
10.2.Refugees.pif.46d0000.5.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
10.2.Refugees.pif.17677d0.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
10.2.Refugees.pif.17677d0.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Sigma Signatures

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: 820565\Refugees.pif 820565\n, CommandLine: 820565\Refugees.pif 820565\n, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy Son Son.cmd & Son.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2004, ParentProcessName: cmd.exe, ProcessCommandLine: 820565\Refugees.pif 820565\n, ProcessId: 6232, ProcessName: Refugees.pif

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /k copy Son Son.cmd & Son.cmd & exit, CommandLine: "C:\Windows\System32\cmd.exe" /k copy Son Son.cmd & Son.cmd & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\lem.exe", ParentImage: C:\Users\user\Desktop\lem.exe, ParentProcessId: 6256, ParentProcessName: lem.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /k copy Son Son.cmd & Son.cmd & exit, ProcessId: 2004, ProcessName: cmd.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy Son Son.cmd & Son.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2004, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 3604, ProcessName: findstr.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://t.me/bu77un	Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199730044335	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000A.00000002.4110915823.0000000001928000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199730044335", "https://t.me/bu77un"], "Botnet": "af416e6239a4ef1d4db364842c8da73c"}

Multi AV Scanner detection for submitted file

Source: lem.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.8% probability

Sample uses string decryption to hide its real strings

Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetProcAddress
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: LoadLibraryA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: lstrcatA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: OpenEventA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: CreateEventA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: CloseHandle
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Sleep
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: VirtualFree
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetSystemInfo
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: VirtualAlloc
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: HeapAlloc
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetComputerNameA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: lstrcpyA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetProcessHeap
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetCurrentProcess
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: lstrlenA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: ExitProcess
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetSystemTime
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: advapi32.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: gdi32.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: user32.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: crypt32.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: ntdll.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetUserNameA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: CreateDCA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetDeviceCaps
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: ReleaseDC
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: sscanf
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: NtQueryInformationProcess
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: VMwareVMware
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: HAL9TH
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: JohnDoe
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: DISPLAY
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetFileAttributesA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GlobalLock
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: HeapFree
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetFileSize
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GlobalSize
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: IsWow64Process
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Process32Next
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetLocalTime
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: FreeLibrary
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetVolumeInformationA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Process32First
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetLocaleInfoA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetModuleFileNameA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: DeleteFileA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: FindNextFileA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: LocalFree
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: FindClose
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: LocalAlloc
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetFileSizeEx
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: ReadFile
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: SetFilePointer
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: WriteFile
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: CreateFileA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: FindFirstFileA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: CopyFileA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: VirtualProtect
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetLastError
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: lstrcpynA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: MultiByteToWideChar
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GlobalFree
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: WideCharToMultiByte
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GlobalAlloc
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: OpenProcess
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: TerminateProcess
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetCurrentProcessId
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: gdiplus.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: ole32.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: bcrypt.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: wininet.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: shlwapi.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: shell32.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: psapi.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: rstrtmgr.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: SelectObject
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: BitBlt
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: DeleteObject
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: CreateCompatibleDC
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GdiplusStartup
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GdiplusShutdown
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GdipDisposeImage
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GdipFree
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: CoUninitialize
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: CoInitialize
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: CoCreateInstance
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: BCryptDecrypt
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: BCryptSetProperty
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: BCryptDestroyKey
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetWindowRect
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetDesktopWindow
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetDC
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: CloseWindow
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: wsprintfA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: CharToOemW
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: wsprintfW
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: RegQueryValueExA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: RegEnumKeyExA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: RegOpenKeyExA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: RegCloseKey
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: RegEnumValueA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: CryptUnprotectData
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: SHGetFolderPathA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: ShellExecuteExA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: InternetOpenUrlA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: InternetConnectA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: InternetCloseHandle
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: InternetOpenA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: HttpSendRequestA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: HttpOpenRequestA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: InternetReadFile
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: InternetCrackUrlA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: StrCmpCA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: StrStrA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: StrCmpCW
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: PathMatchSpecA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: RmStartSession
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: RmRegisterResources
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: RmGetList
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: RmEndSession
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: sqlite3_open
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: sqlite3_step
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: sqlite3_column_text
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: sqlite3_finalize
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: sqlite3_close
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: sqlite3_column_blob
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: encrypted_key
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: PATH
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: NSS_Init
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: NSS_Shutdown
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: PK11_FreeSlot
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: PK11_Authenticate
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: C:\ProgramData\
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Soft:
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: profile:
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Host:
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Login:
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Password:
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Opera
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: OperaGX
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Network
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Cookies
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: .txt
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: TRUE
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: FALSE
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Autofill
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: History
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Name:
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Month:
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Year:
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Card:
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Cookies
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Login Data
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Web Data
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: History
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: logins.json
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: formSubmitURL
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: usernameField
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: encryptedUsername
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: encryptedPassword
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: guid
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: cookies.sqlite
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: formhistory.sqlite
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: places.sqlite
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Plugins
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Local Extension Settings
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Sync Extension Settings
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: IndexedDB
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Opera Stable
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Opera GX Stable
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: CURRENT
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: chrome-extension_
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Local State
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: profiles.ini
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: chrome
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: opera
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: firefox
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Wallets
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: ProductName
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: ProcessorNameString
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: DisplayName
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: DisplayVersion
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: freebl3.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: mozglue.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: msvcp140.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: nss3.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: softokn3.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: vcruntime140.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: \Temp\
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: .exe
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: runas
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: open
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: /c start
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: %DESKTOP%
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: %APPDATA%
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: %USERPROFILE%
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: %DOCUMENTS%
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: %RECENT%
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: *.lnk
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Files
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: \discord\
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: \Telegram Desktop\
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: key_datas
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: map*
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Telegram
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: *.tox
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: *.ini
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Password
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: 00000001
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: 00000002
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: 00000003
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: 00000004
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Pidgin
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: \.purple\
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: accounts.xml
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: token:
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Software\Valve\Steam
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: SteamPath
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: \config\
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: ssfn*
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: config.vdf
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: DialogConfig.vdf
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: libraryfolders.vdf
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: loginusers.vdf
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: \Steam\
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: sqlite3.dll
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: browsers
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: done
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Soft
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: https
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: POST
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: HTTP/1.1
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: hwid
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: build
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: token
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: file_name
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: file
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: message
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 10.2.Refugees.pif.17677d0.2.raw.unpack	String decryptor: screenshot.jpg

Source: lem.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: lem.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: Refugees.pif, 0000000A.00000002.4115489405.000000000D19B000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.10.dr

Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A047B7 GetFileAttributesW,FindFirstFileW,FindClose,	10_2_00A047B7
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A03E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00A03E72
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A0C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_00A0C16C
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A0CB81 FindFirstFileW,FindClose,	10_2_00A0CB81
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A0CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_00A0CC0C
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A0F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00A0F445
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A0F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00A0F5A2
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A0F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_00A0F8A3
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A03B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00A03B4F

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199730044335
Source: Malware configuration extractor	URLs: https://t.me/bu77un

Source: global traffic

TCP traffic: 192.168.2.4:49739 -> 5.75.221.27:5432

Source: global traffic

HTTP traffic detected: GET /bu77un HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View

ASN Name: TELEGRAMRU TELEGRAMRU

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27
Source: unknown	TCP traffic detected without corresponding DNS query: 5.75.221.27

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_00A1279E InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

10_2_00A1279E

Source: global traffic

HTTP traffic detected: GET /bu77un HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: aeADchOTjdneRFbvgcniIPnKrpAg.aeADchOTjdneRFbvgcniIPnKrpAg
Source: global traffic	DNS traffic detected: DNS query: t.me

Source: lem.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: lem.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: lem.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: lem.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: lem.exe, 00000000.00000003.1647886262.00000000028BA000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif.1.dr, Tags.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: lem.exe, 00000000.00000003.1647886262.00000000028BA000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif.1.dr, Tags.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: lem.exe, 00000000.00000003.1647886262.00000000028BA000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif.1.dr, Tags.0.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: lem.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: lem.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: lem.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: lem.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: lem.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Refugees.pif, 0000000A.00000002.4110662161.000000000171D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lem.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: lem.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: lem.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: lem.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: lem.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: lem.exe, 00000000.00000003.1647886262.00000000028BA000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif.1.dr, Tags.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: lem.exe, 00000000.00000003.1647886262.00000000028BA000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif.1.dr, Tags.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: lem.exe, 00000000.00000003.1647886262.00000000028BA000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif.1.dr, Tags.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: lem.exe, 00000000.00000003.1647886262.00000000028BA000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif.1.dr, Tags.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: lem.exe, 00000000.00000003.1646281231.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000000.1691914693.0000000000A68000.00000002.00000001.01000000.00000005.sdmp, Ignored.0.dr, Refugees.pif.1.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: lem.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Refugees.pif, 0000000A.00000002.4115387048.000000000CDAD000.00000002.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4115489405.000000000D19B000.00000004.00000800.00020000.00000000.sdmp, sqlt[1].dll.10.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: Refugees.pif, 0000000A.00000002.4110915823.000000000195B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27/
Source: Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.0000000004809000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432
Source: Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/
Source: Refugees.pif, 0000000A.00000002.4111159434.0000000001B2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/)
Source: Refugees.pif, 0000000A.00000002.4111159434.0000000001B2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/.BAT;.CMD;.VBS;.VBE;.JS;.J
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/4c17bdosoft
Source: Refugees.pif, 0000000A.00000002.4110973710.0000000001990000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/K
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/al
Source: Refugees.pif, 0000000A.00000002.4111159434.0000000001B2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/crosoft
Source: Refugees.pif, 0000000A.00000002.4110973710.0000000001990000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/er
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/freebl3.dll
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/freebl3.dllt
Source: Refugees.pif, 0000000A.00000002.4110973710.0000000001990000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/id;
Source: Refugees.pif, 0000000A.00000002.4111159434.0000000001B2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/indows
Source: Refugees.pif, 0000000A.00000002.4110973710.0000000001990000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/key
Source: Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/mozglue.dll
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/mozglue.dllt
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/msvcp140.dll
Source: Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/msvcp140.dll7
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/nss3.dll
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/nss3.dllsoft
Source: Refugees.pif, 0000000A.00000002.4110683279.0000000001734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/p
Source: Refugees.pif, 0000000A.00000002.4110973710.0000000001990000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/r
Source: Refugees.pif, 0000000A.00000002.4110774990.000000000182F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/r&
Source: Refugees.pif, 0000000A.00000002.4110973710.0000000001990000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/r3
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/softokn3.dll
Source: Refugees.pif, 0000000A.00000002.4111018322.0000000001A5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/softokn3.dll:
Source: Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/softokn3.dll:5432/nss3.dll~
Source: Refugees.pif, 0000000A.00000002.4111018322.0000000001A5F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/softokn3.dlla
Source: Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/sqlt.dll
Source: Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/sqlt.dll2
Source: Refugees.pif, 0000000A.00000002.4110915823.000000000195B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/v
Source: Refugees.pif, 0000000A.00000002.4110915823.000000000195B000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.0000000004809000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/vcruntime140.dll
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004809000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/vcruntime140.dll15;
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.0000000004809000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/vcruntime140.dlle
Source: Refugees.pif, 0000000A.00000002.4110915823.000000000195B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/vcruntime140.dllll
Source: Refugees.pif, 0000000A.00000002.4110915823.000000000195B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/vcruntime140.dlltch
Source: Refugees.pif, 0000000A.00000002.4111159434.0000000001B2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432/y
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432B
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432GHl
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432aming
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004898000.00000040.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.0000000004809000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432c4c17bdle
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432cal
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004898000.00000040.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://5.75.221.27:5432ntel
Source: HCAEBF.10.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: HCAEBF.10.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: HCAEBF.10.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: HCAEBF.10.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: HCAEBF.10.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: HCAEBF.10.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: HCAEBF.10.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Refugees.pif, 0000000A.00000002.4110915823.0000000001928000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930972255.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2931166846.0000000001891000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930929509.0000000001768000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930560961.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930715397.0000000001AE7000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110715685.0000000001756000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110774990.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930472615.0000000001891000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2931048751.00000000046D8000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930811141.0000000001786000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.00000000046D1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199730044335
Source: Refugees.pif, 0000000A.00000002.4110915823.0000000001928000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930972255.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2931166846.0000000001891000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930929509.0000000001768000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930560961.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930715397.0000000001AE7000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110715685.0000000001756000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110774990.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930472615.0000000001891000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2931048751.00000000046D8000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930811141.0000000001786000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.00000000046D1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199730044335hellosqlt.dllsqlite3.dll
Source: Refugees.pif, 0000000A.00000002.4115047914.000000000CA40000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, CBAKJE.10.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: CBAKJE.10.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: Refugees.pif, 0000000A.00000002.4115047914.000000000CA40000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, CBAKJE.10.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: CBAKJE.10.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: Refugees.pif, 0000000A.00000002.4110683279.0000000001734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/C
Source: Refugees.pif, 0000000A.00000002.4110683279.0000000001734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/b
Source: Refugees.pif, 0000000A.00000002.4110915823.0000000001928000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930972255.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2931166846.0000000001891000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930929509.0000000001768000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930560961.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110774990.000000000182F000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930715397.0000000001AE7000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110915823.000000000195B000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110715685.0000000001756000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110774990.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930472615.0000000001891000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2931048751.00000000046D8000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930811141.0000000001786000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.00000000046D1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/bu77un
Source: Refugees.pif, 0000000A.00000002.4110915823.0000000001928000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930972255.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2931166846.0000000001891000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930929509.0000000001768000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930560961.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110774990.000000000182F000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930715397.0000000001AE7000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110715685.0000000001756000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110774990.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930472615.0000000001891000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2931048751.00000000046D8000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930811141.0000000001786000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.00000000046D1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/bu77unguf_hMozilla/5.0
Source: Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: HCAEBF.10.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: lem.exe, 00000000.00000003.1647886262.00000000028BA000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif.1.dr, Tags.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: lem.exe, 00000000.00000003.1647886262.00000000028BA000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif.1.dr, Tags.0.dr	String found in binary or memory: https://www.globalsign.com/repository/03
Source: HCAEBF.10.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown

HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: C:\Users\user\Desktop\lem.exe

Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050CD

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_00A14614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

10_2_00A14614

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_00A14416 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

10_2_00A14416

Source: C:\Users\user\Desktop\lem.exe

Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_00A2CEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

10_2_00A2CEDF

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_00A040C1: CreateFileW,DeviceIoControl,CloseHandle,

10_2_00A040C1

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_009F8D11 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

10_2_009F8D11

Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,		0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A055E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		10_2_00A055E5

Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_004074BB	0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009AB020	10_2_009AB020
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009A94E0	10_2_009A94E0
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009A9C80	10_2_009A9C80
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A281C8	10_2_00A281C8
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009C2325	10_2_009C2325
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009D6432	10_2_009D6432
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009D258E	10_2_009D258E
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009AE6F0	10_2_009AE6F0
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009C275A	10_2_009C275A
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009D88EF	10_2_009D88EF
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A20802	10_2_00A20802
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009D69A4	10_2_009D69A4
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009FEB95	10_2_009FEB95
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009B0BE0	10_2_009B0BE0
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A08CB1	10_2_00A08CB1
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009CCC81	10_2_009CCC81
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A20C7F	10_2_00A20C7F
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009D6F16	10_2_009D6F16
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009C32E9	10_2_009C32E9
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009CF339	10_2_009CF339
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009BD457	10_2_009BD457
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009C15E4	10_2_009C15E4
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009BF57E	10_2_009BF57E
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009AF6A0	10_2_009AF6A0
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009A1663	10_2_009A1663
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009C77F3	10_2_009C77F3
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009C1AD8	10_2_009C1AD8
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009CDAD5	10_2_009CDAD5
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009D9C15	10_2_009D9C15
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009BDD14	10_2_009BDD14
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009C1EF0	10_2_009C1EF0
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009CBF06	10_2_009CBF06
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CB619DD	10_2_0CB619DD
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CD3AEBE	10_2_0CD3AEBE
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CB63E3B	10_2_0CB63E3B
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CB61EF1	10_2_0CB61EF1
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CB6209F	10_2_0CB6209F
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CB63AB2	10_2_0CB63AB2
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CB6292D	10_2_0CB6292D
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CB6290A	10_2_0CB6290A
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CB62AA9	10_2_0CB62AA9
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CB612A8	10_2_0CB612A8
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CB61C9E	10_2_0CB61C9E
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CB6251D	10_2_0CB6251D
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CB62018	10_2_0CB62018
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CB6174E	10_2_0CB6174E
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CD3D209	10_2_0CD3D209
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CB63580	10_2_0CB63580

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB

Source: C:\Users\user\Desktop\lem.exe	Code function: String function: 004062A3 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: String function: 0CB61C2B appears 39 times
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: String function: 009B1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: String function: 0CD406B1 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: String function: 009C0C42 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: String function: 009C8A60 appears 42 times

Source: lem.exe

Static PE information: invalid certificate

Source: lem.exe, 00000000.00000003.1646281231.00000000028BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeB vs lem.exe
Source: lem.exe, 00000000.00000002.1666408013.0000000000771000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs lem.exe

Source: lem.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/37@2/2

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_00A0A51A GetLastError,FormatMessageW,

10_2_00A0A51A

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009F8BCC AdjustTokenPrivileges,CloseHandle,		10_2_009F8BCC
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009F917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		10_2_009F917C

Source: C:\Users\user\Desktop\lem.exe

0_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_00A03FB5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,

10_2_00A03FB5

Source: C:\Users\user\Desktop\lem.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_00A042AA __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

10_2_00A042AA

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\R2LW0TG4.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:120:WilError_03

Source: C:\Users\user\Desktop\lem.exe

File created: C:\Users\user\AppData\Local\Temp\nsb3355.tmp

Jump to behavior

Source: lem.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\lem.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\lem.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Refugees.pif, 0000000A.00000002.4115489405.000000000D19B000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.10.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Refugees.pif, 0000000A.00000002.4115489405.000000000D19B000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.10.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Refugees.pif, 0000000A.00000002.4115489405.000000000D19B000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.10.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Refugees.pif, 0000000A.00000002.4115489405.000000000D19B000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.10.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Refugees.pif, 0000000A.00000002.4115489405.000000000D19B000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.10.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: Refugees.pif, 0000000A.00000002.4115489405.000000000D19B000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.10.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: Refugees.pif, 0000000A.00000002.4115489405.000000000D19B000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.10.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Refugees.pif, 0000000A.00000002.4115489405.000000000D19B000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.10.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Refugees.pif, 0000000A.00000002.4115489405.000000000D19B000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.10.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: KEGCBF.10.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Refugees.pif, 0000000A.00000002.4115489405.000000000D19B000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.10.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: Refugees.pif, 0000000A.00000002.4115489405.000000000D19B000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.10.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: lem.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\lem.exe

File read: C:\Users\user\Desktop\lem.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\lem.exe "C:\Users\user\Desktop\lem.exe"
Source: C:\Users\user\Desktop\lem.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Son Son.cmd & Son.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 820565
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "StudiedForeignTitansCircles" Eos
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Bind + Dow 820565\n
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif 820565\Refugees.pif 820565\n
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5
Source: C:\Users\user\Desktop\lem.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Son Son.cmd & Son.cmd & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 820565	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "StudiedForeignTitansCircles" Eos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Bind + Dow 820565\n	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif 820565\Refugees.pif 820565\n	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5	Jump to behavior

Source: C:\Users\user\Desktop\lem.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\lem.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: lem.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: C:\Users\user\Desktop\lem.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: sqlt[1].dll.10.dr

Static PE information: section name: .00cfg

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009C8AA5 push ecx; ret	10_2_009C8AB8
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CB61BF9 push ecx; ret	10_2_0CD04C03
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CB610C8 push ecx; ret	10_2_0CD63552

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A2577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		10_2_00A2577B
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009B5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		10_2_009B5EDA

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_009C32E9 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_009C32E9

Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lem.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\lem.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-3897

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

API coverage: 4.0 %

Source: C:\Windows\SysWOW64\timeout.exe TID: 2228

Thread sleep count: 39 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\lem.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A047B7 GetFileAttributesW,FindFirstFileW,FindClose,	10_2_00A047B7
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A03E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00A03E72
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A0C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_00A0C16C
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A0CB81 FindFirstFileW,FindClose,	10_2_00A0CB81
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A0CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	10_2_00A0CC0C
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A0F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00A0F445
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A0F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	10_2_00A0F5A2
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A0F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	10_2_00A0F8A3
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A03B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	10_2_00A03B4F

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_009B5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

10_2_009B5D13

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: Refugees.pif, 0000000A.00000002.4110915823.000000000196B000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110715685.0000000001756000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Refugees.pif, 0000000A.00000002.4110715685.000000000179B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Refugees.pif, 0000000A.00000002.4110915823.000000000196B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWA
Source: Refugees.pif, 0000000A.00000002.4110715685.000000000179B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware2*

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_00A143B9 BlockInput,

10_2_00A143B9

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_009B5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_009B5240

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_009D5BDC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

10_2_009D5BDC

Source: C:\Users\user\Desktop\lem.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_009F86B0 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

10_2_009F86B0

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009CA284 SetUnhandledExceptionFilter,	10_2_009CA284
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_009CA2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_009CA2B5
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_0CB62C8E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_0CB62C8E

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: Refugees.pif PID: 6232, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_009F914C LogonUserW,

10_2_009F914C

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_009B5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

10_2_009B5240

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_00A01932 SendInput,keybd_event,

10_2_00A01932

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_00A050A7 mouse_event,

10_2_00A050A7

Source: C:\Users\user\Desktop\lem.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Son Son.cmd & Son.cmd & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 820565	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "StudiedForeignTitansCircles" Eos	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Bind + Dow 820565\n	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif 820565\Refugees.pif 820565\n	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

10_2_009F86B0

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_00A04D89 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

10_2_00A04D89

Source: lem.exe, 00000000.00000003.1646281231.00000000028B4000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmp, Ignored.0.dr, Refugees.pif.1.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Refugees.pif	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_009C878B cpuid

10_2_009C878B

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: GetLocaleInfoW,	10_2_0CB62112
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: GetLocaleInfoW,	10_2_0CB62112
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	10_2_0CB6298C
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: EnumSystemLocalesW,	10_2_0CD3FF17

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_00A0E0CA GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

10_2_00A0E0CA

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_009E0652 GetUserNameW,

10_2_009E0652

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Code function: 10_2_009D409A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

10_2_009D409A

Source: C:\Users\user\Desktop\lem.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

Source: Refugees.pif, 0000000A.00000002.4110774990.000000000182F000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111159434.0000000001B2E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: 10.2.Refugees.pif.46d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Refugees.pif.17677d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Refugees.pif.17677d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.2931166846.0000000001891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4110915823.0000000001928000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2930884990.0000000001891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2930715397.0000000001AE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2931122159.0000000001AE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4110715685.0000000001756000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2930762938.0000000001929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4110774990.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2931048751.00000000046D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4111534243.00000000046D1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Refugees.pif PID: 6232, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Refugees.pif	Binary or memory string: WIN_81
Source: Refugees.pif	Binary or memory string: WIN_XP
Source: Refugees.pif	Binary or memory string: WIN_XPe
Source: Refugees.pif.1.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyteP
Source: Refugees.pif	Binary or memory string: WIN_VISTA
Source: Refugees.pif	Binary or memory string: WIN_7
Source: Refugees.pif	Binary or memory string: WIN_8

Source: Yara match

File source: Process Memory Space: Refugees.pif PID: 6232, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 10.2.Refugees.pif.46d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Refugees.pif.17677d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Refugees.pif.17677d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000003.2931166846.0000000001891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4110915823.0000000001928000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2930884990.0000000001891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2930715397.0000000001AE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2931122159.0000000001AE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4110715685.0000000001756000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2930762938.0000000001929000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4110774990.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.2931048751.00000000046D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4111534243.00000000046D1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Refugees.pif PID: 6232, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A16733 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		10_2_00A16733
Source: C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	Code function: 10_2_00A16BF7 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		10_2_00A16BF7

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	36 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	11 Masquerading	LSA Secrets	51 Security Software Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
lem.exe	29%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	0%	ReversingLabs

Source	Detection	Scanner	Label
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://www.sqlite.org/copyright.html.	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://5.75.221.27:5432c4c17bdle	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://web.telegram.org	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/msvcp140.dll	0%	Avira URL Cloud	safe
https://t.me/bu77un	100%	Avira URL Cloud	malware
https://5.75.221.27:5432	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/msvcp140.dll7	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199730044335	100%	Avira URL Cloud	malware
https://5.75.221.27:5432/r3	0%	Avira URL Cloud	safe
https://t.me/C	0%	Avira URL Cloud	safe
https://5.75.221.27/	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/v	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/r	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/vcruntime140.dllll	0%	Avira URL Cloud	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/0	0%	Avira URL Cloud	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/softokn3.dll:5432/nss3.dll~	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/mozglue.dll	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/y	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/mozglue.dllt	0%	Avira URL Cloud	safe
https://steamcommunity.com/profiles/76561199730044335hellosqlt.dllsqlite3.dll	0%	Avira URL Cloud	safe
https://5.75.221.27:5432GHl	0%	Avira URL Cloud	safe
https://t.me/b	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/key	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/er	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/p	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/freebl3.dll	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/softokn3.dll:	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/al	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/nss3.dll	0%	Avira URL Cloud	safe
https://5.75.221.27:5432aming	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/crosoft	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/sqlt.dll	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/vcruntime140.dll	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/.BAT;.CMD;.VBS;.VBE;.JS;.J	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/id;	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/sqlt.dll2	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/vcruntime140.dlltch	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/softokn3.dll	0%	Avira URL Cloud	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/vcruntime140.dlle	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/indows	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/softokn3.dlla	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/K	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/4c17bdosoft	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/	0%	Avira URL Cloud	safe
https://t.me/bu77unguf_hMozilla/5.0	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/nss3.dllsoft	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/r&	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/vcruntime140.dll15;	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/freebl3.dllt	0%	Avira URL Cloud	safe
https://5.75.221.27:5432cal	0%	Avira URL Cloud	safe
https://5.75.221.27:5432ntel	0%	Avira URL Cloud	safe
https://5.75.221.27:5432B	0%	Avira URL Cloud	safe
https://5.75.221.27:5432/)	0%	Avira URL Cloud	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
t.me	149.154.167.99	true	true		unknown
aeADchOTjdneRFbvgcniIPnKrpAg.aeADchOTjdneRFbvgcniIPnKrpAg	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199730044335	true	Avira URL Cloud: malware	unknown
https://t.me/bu77un	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	HCAEBF.10.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	HCAEBF.10.dr	false	Avira URL Cloud: safe	unknown
https://web.telegram.org	Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432	Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.0000000004809000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432c4c17bdle	Refugees.pif, 0000000A.00000002.4111534243.0000000004898000.00000040.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.0000000004809000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/msvcp140.dll7	Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/r3	Refugees.pif, 0000000A.00000002.4110973710.0000000001990000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	HCAEBF.10.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Refugees.pif, 0000000A.00000002.4115047914.000000000CA40000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, CBAKJE.10.dr	false	URL Reputation: safe	unknown
https://5.75.221.27:5432/msvcp140.dll	Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/C	Refugees.pif, 0000000A.00000002.4110683279.0000000001734000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27/	Refugees.pif, 0000000A.00000002.4110915823.000000000195B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/v	Refugees.pif, 0000000A.00000002.4110915823.000000000195B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/r	Refugees.pif, 0000000A.00000002.4110973710.0000000001990000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/vcruntime140.dllll	Refugees.pif, 0000000A.00000002.4110915823.000000000195B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/0	lem.exe, 00000000.00000003.1647886262.00000000028BA000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif.1.dr, Tags.0.dr	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	CBAKJE.10.dr	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/mozglue.dll	Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/softokn3.dll:5432/nss3.dll~	Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/y	Refugees.pif, 0000000A.00000002.4111159434.0000000001B2E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	HCAEBF.10.dr	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199730044335hellosqlt.dllsqlite3.dll	Refugees.pif, 0000000A.00000002.4110915823.0000000001928000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930972255.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2931166846.0000000001891000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930929509.0000000001768000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930560961.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930715397.0000000001AE7000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110715685.0000000001756000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110774990.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930472615.0000000001891000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2931048751.00000000046D8000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930811141.0000000001786000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.00000000046D1000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/mozglue.dllt	Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432GHl	Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/key	Refugees.pif, 0000000A.00000002.4110973710.0000000001990000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/b	Refugees.pif, 0000000A.00000002.4110683279.0000000001734000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/p	Refugees.pif, 0000000A.00000002.4110683279.0000000001734000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/softokn3.dll:	Refugees.pif, 0000000A.00000002.4111018322.0000000001A5F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/er	Refugees.pif, 0000000A.00000002.4110973710.0000000001990000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sqlite.org/copyright.html.	Refugees.pif, 0000000A.00000002.4115387048.000000000CDAD000.00000002.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4115489405.000000000D19B000.00000004.00000800.00020000.00000000.sdmp, sqlt[1].dll.10.dr	false	URL Reputation: safe	unknown
https://5.75.221.27:5432/freebl3.dll	Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/al	Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432aming	Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	lem.exe, 00000000.00000003.1646281231.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000000.1691914693.0000000000A68000.00000002.00000001.01000000.00000005.sdmp, Ignored.0.dr, Refugees.pif.1.dr	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/nss3.dll	Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/crosoft	Refugees.pif, 0000000A.00000002.4111159434.0000000001B2E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/sqlt.dll	Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	HCAEBF.10.dr	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/vcruntime140.dll	Refugees.pif, 0000000A.00000002.4110915823.000000000195B000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.0000000004809000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/.BAT;.CMD;.VBS;.VBE;.JS;.J	Refugees.pif, 0000000A.00000002.4111159434.0000000001B2E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	HCAEBF.10.dr	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/id;	Refugees.pif, 0000000A.00000002.4110973710.0000000001990000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/sqlt.dll2	Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/vcruntime140.dlltch	Refugees.pif, 0000000A.00000002.4110915823.000000000195B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Refugees.pif, 0000000A.00000002.4115047914.000000000CA40000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, CBAKJE.10.dr	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	lem.exe	false	URL Reputation: safe	unknown
https://5.75.221.27:5432/softokn3.dll	Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe	Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	HCAEBF.10.dr	false	URL Reputation: safe	unknown
https://5.75.221.27:5432/indows	Refugees.pif, 0000000A.00000002.4111159434.0000000001B2E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/vcruntime140.dlle	Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.0000000004809000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/softokn3.dlla	Refugees.pif, 0000000A.00000002.4111018322.0000000001A5F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/K	Refugees.pif, 0000000A.00000002.4110973710.0000000001990000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/4c17bdosoft	Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	HCAEBF.10.dr	false	URL Reputation: safe	unknown
https://5.75.221.27:5432/	Refugees.pif, 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/bu77unguf_hMozilla/5.0	Refugees.pif, 0000000A.00000002.4110915823.0000000001928000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930972255.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2931166846.0000000001891000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930929509.0000000001768000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930560961.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110774990.000000000182F000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930715397.0000000001AE7000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110715685.0000000001756000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4110774990.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930472615.0000000001891000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2931048751.00000000046D8000.00000004.00000800.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000003.2930811141.0000000001786000.00000004.00000020.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.00000000046D1000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/r&	Refugees.pif, 0000000A.00000002.4110774990.000000000182F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/nss3.dllsoft	Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/vcruntime140.dll15;	Refugees.pif, 0000000A.00000002.4111534243.0000000004809000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432/freebl3.dllt	Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432cal	Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432ntel	Refugees.pif, 0000000A.00000002.4111534243.0000000004898000.00000040.00001000.00020000.00000000.sdmp, Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://5.75.221.27:5432B	Refugees.pif, 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	CBAKJE.10.dr	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	HCAEBF.10.dr	false	URL Reputation: safe	unknown
https://5.75.221.27:5432/)	Refugees.pif, 0000000A.00000002.4111159434.0000000001B2E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.75.221.27	unknown	Germany		24940	HETZNER-ASDE	false
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467834
Start date and time:	2024-07-04 21:25:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lem.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@22/37@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 89 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: lem.exe

Simulations

Behavior and APIs

Time	Type	Description
15:25:54	API Interceptor	1x Sleep call for process: lem.exe modified
15:25:58	API Interceptor	3992x Sleep call for process: Refugees.pif modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
5.75.221.27	QeIcyVt0Op.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse
149.154.167.99	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	vSlVoTPrmP.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	RO67OsrIWi.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot
	KeyboardRGB.exe	Get hash	malicious	Unknown	Browse	t.me/cinoshibot
	file.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	https://telegra.ph/Go-to-personal-cabinet-03-13	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://telegra.ph/BTC-Transaction--433854-05-10?hs=e7822360e2d7939bf6963a027637c1ff&	Get hash	malicious	Unknown	Browse	149.154.167.99
	QeIcyVt0Op.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	1dntbjwU2s.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	XZ50BK5JPZ.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	82xul16VKj.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	Acal BFi UK - Products List 020240704.exe	Get hash	malicious	AgentTesla, RedLine, StormKitty, XWorm	Browse	149.154.167.220
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	https://telegra.ph/Go-to-personal-cabinet-03-13	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://telegra.ph/BTC-Transaction--433854-05-10?hs=e7822360e2d7939bf6963a027637c1ff&	Get hash	malicious	Unknown	Browse	149.154.167.99
	QeIcyVt0Op.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse	149.154.167.99
	McrflHf6vg.exe	Get hash	malicious	WhiteSnake Stealer	Browse	149.154.167.220
	https://tr.alertsgame.ru/	Get hash	malicious	Unknown	Browse	149.154.167.99
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	1dntbjwU2s.exe	Get hash	malicious	CryptOne, Vidar	Browse	149.154.167.99
HETZNER-ASDE	0001.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	176.9.105.210
	file.exe	Get hash	malicious	Vidar	Browse	49.13.159.121
	Scan405.exe	Get hash	malicious	FormBook	Browse	116.202.213.59
	ScanPDF_102.exe	Get hash	malicious	FormBook	Browse	116.202.213.59
	https://vi-822.pages.dev/robots.txt	Get hash	malicious	HTMLPhisher	Browse	5.161.38.67
	https://vi-822.pages.dev/files/?email=gerold.barkowski@schoenhofer.de	Get hash	malicious	HTMLPhisher	Browse	5.161.38.67
	https://vi-822.pages.dev/files/?email=gerold.barkowski@schoenhofer.de	Get hash	malicious	HTMLPhisher	Browse	5.161.38.67
	QeIcyVt0Op.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse	5.75.221.27
	ck4L513fGM.elf	Get hash	malicious	Unknown	Browse	213.133.114.102
	Z2X8cP8r7S.elf	Get hash	malicious	Unknown	Browse	195.201.32.135

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	149.154.167.99
	5gO02Ijl9V.exe	Get hash	malicious	GuLoader	Browse	149.154.167.99
	ooXgr5BYnA.exe	Get hash	malicious	GuLoader, Lokibot	Browse	149.154.167.99
	7Bkd5ILk1o.exe	Get hash	malicious	GuLoader, Lokibot	Browse	149.154.167.99
	oFNtjcXGVB.exe	Get hash	malicious	FormBook, GuLoader	Browse	149.154.167.99
	Co0Wd0QVRU.exe	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.99
	J65wD7LHi0.exe	Get hash	malicious	GuLoader, Lokibot	Browse	149.154.167.99
	QeIcyVt0Op.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse	149.154.167.99
	msvcr80.dll	Get hash	malicious	Unknown	Browse	149.154.167.99

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\820565\Refugees.pif	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	27062024_1338_ItsComedy.exe	Get hash	malicious	AsyncRAT	Browse
	External24.exe	Get hash	malicious	RisePro Stealer	Browse
	External24.exe	Get hash	malicious	Unknown	Browse
	9444f34a94d494a78e19e19f4e1615744e500aca97a56.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	i9TWeCgYBy.exe	Get hash	malicious	RedLine	Browse
	SHabaB.exe	Get hash	malicious	Unknown	Browse
	SHabaB.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll	file.exe	Get hash	malicious	Vidar	Browse
	QeIcyVt0Op.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse
	82xul16VKj.exe	Get hash	malicious	CryptOne, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	pDHKarOK2v.exe	Get hash	malicious	CryptOne, Vidar	Browse
	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse
	zyJWi2vy29.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer, Vidar, zgRAT	Browse
	56bDgH9sMQ.exe	Get hash	malicious	Vidar	Browse
	vjYcExA6ou.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse

Created / dropped Files

C:\ProgramData\JKJEHJKJEBGH\CBAKJE

Download File

Process:	C:\Users\user\AppData\Local\Temp\820565\Refugees.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JKJEHJKJEBGH\DHIEHI

Download File

Process:	C:\Users\user\AppData\Local\Temp\820565\Refugees.pif
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JKJEHJKJEBGH\ECFCBK

Download File

Process:	C:\Users\user\AppData\Local\Temp\820565\Refugees.pif
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	modified
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JKJEHJKJEBGH\FIIEHJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\820565\Refugees.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JKJEHJKJEBGH\HCAEBF

Download File

Process:	C:\Users\user\AppData\Local\Temp\820565\Refugees.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JKJEHJKJEBGH\JKJEHJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\820565\Refugees.pif
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JKJEHJKJEBGH\KEGCBF

Download File

Process:	C:\Users\user\AppData\Local\Temp\820565\Refugees.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\820565\Refugees.pif
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2459136
Entropy (8bit):	6.052474106868353
Encrypted:	false
SSDEEP:	49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
MD5:	90E744829865D57082A7F452EDC90DE5
SHA1:	833B178775F39675FA4E55EAB1032353514E1052
SHA-256:	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
SHA-512:	0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: QeIcyVt0Op.exe, Detection: malicious, Browse Filename: 82xul16VKj.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: pDHKarOK2v.exe, Detection: malicious, Browse Filename: 1719859269.0326595_setup.exe, Detection: malicious, Browse Filename: zyJWi2vy29.exe, Detection: malicious, Browse Filename: 56bDgH9sMQ.exe, Detection: malicious, Browse Filename: vjYcExA6ou.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4\|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	937776
Entropy (8bit):	6.777413141364669
Encrypted:	false
SSDEEP:	12288:FJV3REMvnCG22lhtjVoAYxQl+u13a/sVyaVeK56ORMkkOlPlNKlga4Umff2lRO:F3hEW3hlVodGl+gUKrMkzXa4P6RO
MD5:	B06E67F9767E5023892D9698703AD098
SHA1:	ACC07666F4C1D4461D3E1C263CF6A194A8DD1544
SHA-256:	8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
SHA-512:	7972C78ACEBDD86C57D879C12CB407120155A24A52FDA23DDB7D9E181DD59DAC1EB74F327817ADBC364D37C8DC704F8236F3539B4D3EE5A022814924A1616943
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 27062024_1338_ItsComedy.exe, Detection: malicious, Browse Filename: External24.exe, Detection: malicious, Browse Filename: External24.exe, Detection: malicious, Browse Filename: 9444f34a94d494a78e19e19f4e1615744e500aca97a56.exe, Detection: malicious, Browse Filename: i9TWeCgYBy.exe, Detection: malicious, Browse Filename: SHabaB.exe, Detection: malicious, Browse Filename: SHabaB.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR..........................PE..L...y..U.........."..............................@.................................w.....@...@.......@.....................L...\|....................8..0....0...q...;..............................@X..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...............................@..@.reloc...q...0...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\820565\n

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	318050
Entropy (8bit):	7.999379579042436
Encrypted:	true
SSDEEP:	6144:BWPwX/H9+KYHuVoa//2BKF/h+8yboPyBo/U5Zcurn0:8POv9+KYOVoa2B8YoK/5aurn0
MD5:	8A1A61C380B69AD62EF10671966AB7D5
SHA1:	6067400E4E12981B8D14AE16382D360C0DE07260
SHA-256:	587A5E7F9F5A49C3A0B5793096224488EA1F78E17D872C8623A5B9AFE0C0C05E
SHA-512:	F6EF688F8514D8628CC2CC2C92A6EF95CA6CC5241898158779B492D8B716CB0273627D28CEC685440C8CA989A273774C4E522215C4FBD321772421DBCD2B1B39
Malicious:	false
Preview:	...Q..7O....`...pB\.....n~...[8...H......r....'.Ke..mk.qe.....d.vW...eA...\....W.Be:..J...m..D\|.x+6.]Z..[s.n..\.a....h...j..oe.JJ.9rOB..0....I...B..Z\|^\.A..[.sc~.'R.pN....4.u...#..:.-.._..$,.LYu.xq.Yf...\|(]..Y8y.(..L=Qo.ft\....i.9../..^..5.j.H.\|L..+4?...DC.M@ ]1 ...s1M.OP9v....^..\.R.H..Kx....9......=..p#.0".oC...S.e..u..$...p...>...d .q..V.Q..d.O)h...4_..a..u`w......m....>R.^W!.&.L.V...3..[.O.."..`^.(..4!9..\..9y.7_..7Z]..>.d....%Kq#..Z\|...._..N.u&./..k....S......P.Y...P..N..s.a1K..B..A2%...1.$'X~..0mJ...E..?..o..#..{q'.4N...)s..E...'c.%Jmh...MX..~....TH.V.t.I.+o...a0.L.u.....p.v'..T....92.a...Q.@.2N1.-.J.zX. ....y_y(E.......1...h.'...>TL.G...nK...:...~.%..rI....... %.G..6.a.$....gv..=..Ws.4b.k:'...GxO..\<v$)....D5...n.M.V..B.....'<..zc2I.. PY6a.62....7..y.;.+..`U..X.....^...hY.j}...K.....~..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..F

C:\Users\user\AppData\Local\Temp\Bbs

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	6.6331941872716325
Encrypted:	false
SSDEEP:	192:DogpLTR3sk0KGKEv+HETxpFYf4EdQEt88OUKomjsHSY3v46/Jka2S2Al5amQ:RhT9Tmv+QZYfbdQtI2jsHSY/46hZX2o4
MD5:	8AC8C706C4684C18F197C30070C124C2
SHA1:	A07521DC17273A281F8FDA7E2981624AA957CAF1
SHA-256:	4BDF7A2A03C7838C0A1FA3801289F44E5A23AF4E633E462748EB6C02E8B5FD38
SHA-512:	B8CCA2976DDADE99C770D6221F2CE6F71502D18A1B2784945B2696EA2475AC8DFBE2D11D9307858D9904E87DBE4E5895331F19CD233D7B3FC1853C756B48A5D2
Malicious:	false
Preview:	.Z@....q...;ZD..h....U.f.Z......](3..C,.[0..~0..Q.M.V.....Y..t..E(G.M.@4.4F;.\|.U..u.u.E.;...........u.}.G.M.;.}S.M(.Y4...u.M...E.P..@...Y..u..E(FG;x0.E.\|.;u.~..U..E..E.....f.B.f.B.f.r..8....M..U.........U......f.B.f.J...............E.jR_f98u@.].3.U...~.j0_...Pf;...b...f;.x.....U...k.......E.B;.\|..u..}....5...j....K.......Y.........U.......].f.B..E.u..E....j+Y;.t.j-Y;.t.../......j9Y;...~...j)X..].......E.E.........A\j}X......j.[.U(j..B\X...u..H.....j=.u.X..>f;.......j>Xf;.t.j<Yf;.......j)......E.E......]..E.jv..h...Xf...u..]...3.j0.._..f;.x...w.k............u....f;.s.j)Xf9............;.......j&......F.j!..[;.......j=[;...0........f;........E(j.[.@..........j<X3.f;.j......XI.u.#..j'X..]....j0Zf;.r.j9Zf;...0....}(.....f;.w#.W.j.[.......t...u....f;.(...v.]..+....},..U... ....G@@.E.f9...1.....0.'.........B.;G4~.j .G4X;.~.j0.....M(3...(..9A0~];W.u?.M.R...Q...Y..u,.E.9G.t=.E............M(.E.Ax.U.C...;Y0\|....M(.E.9G.u.E...A....j....M(;Y0\|y.](.C89C0\|?.<.k..P..

C:\Users\user\AppData\Local\Temp\Bind

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	141312
Entropy (8bit):	7.998609084350709
Encrypted:	true
SSDEEP:	3072:1UEN8/JWr0pFwX/DAMongn+KYLLea4VoapSQWbjU7hUsaF95Hj:BWPwX/H9+KYHuVoa//2Bj
MD5:	04B1A5A5E29697CB473EF97F25C4B326
SHA1:	6AD56924B67B6FF6990E2B55E45BFA2F95990ACF
SHA-256:	B3D3E654662389A26572EFC5503B27F05CD0B0C0F24ED9926F3A4A2169EA8F62
SHA-512:	FEE61EC5A06261533B8C2AB004152EC9060E998F231832BD02829432B9D2570A1A7ECCF93BCE79704190B3728544EA1CF670254C934A434D07E700F9974E6ECF
Malicious:	false
Preview:	...Q..7O....`...pB\.....n~...[8...H......r....'.Ke..mk.qe.....d.vW...eA...\....W.Be:..J...m..D\|.x+6.]Z..[s.n..\.a....h...j..oe.JJ.9rOB..0....I...B..Z\|^\.A..[.sc~.'R.pN....4.u...#..:.-.._..$,.LYu.xq.Yf...\|(]..Y8y.(..L=Qo.ft\....i.9../..^..5.j.H.\|L..+4?...DC.M@ ]1 ...s1M.OP9v....^..\.R.H..Kx....9......=..p#.0".oC...S.e..u..$...p...>...d .q..V.Q..d.O)h...4_..a..u`w......m....>R.^W!.&.L.V...3..[.O.."..`^.(..4!9..\..9y.7_..7Z]..>.d....%Kq#..Z\|...._..N.u&./..k....S......P.Y...P..N..s.a1K..B..A2%...1.$'X~..0mJ...E..?..o..#..{q'.4N...)s..E...'c.%Jmh...MX..~....TH.V.t.I.+o...a0.L.u.....p.v'..T....92.a...Q.@.2N1.-.J.zX. ....y_y(E.......1...h.'...>TL.G...nK...:...~.%..rI....... %.G..6.a.$....gv..=..Ws.4b.k:'...GxO..\<v$)....D5...n.M.V..B.....'<..zc2I.. PY6a.62....7..y.;.+..`U..X.....^...hY.j}...K.....~..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..F

C:\Users\user\AppData\Local\Temp\Butler

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	43008
Entropy (8bit):	6.700757271986916
Encrypted:	false
SSDEEP:	768:9NK1dvq6LqgaHbdMNkNDUySdK8M4INduPbOUGM4INduPbOU+aI4kF:UvtmgMbFuyO1MBNfMBNBr
MD5:	8DC490C7C1F7643956FD2FEE5F5A5574
SHA1:	B412643EE2E574330A5F7706249A7B7B6BC7FAC2
SHA-256:	119DDE8AA763954BA6634A3FCF609291337E3CE7D5C8AE94190133AAE9EE3B71
SHA-512:	7F649AF65E68AA5032C0086D2DCE8882D495DC4C1F79F586B8D9D6F7625B075449ADFB5906BB8A31CC153B443D088876C2FB22E6C1C10F214FBD395DA6351598
Malicious:	false
Preview:	..HI......HI.....0II......II......II.....HJI......JI.....(KI.....tKI......KI. ....LI.!....LI."....NI.x...@OI.y...`OI.z...\|OI.......K......OI.R.6.0.0.2.....-. .f.l.o.a.t.i.n.g. .p.o.i.n.t. .s.u.p.p.o.r.t. .n.o.t. .l.o.a.d.e.d.............R.6.0.0.8.....-. .n.o.t. .e.n.o.u.g.h. .s.p.a.c.e. .f.o.r. .a.r.g.u.m.e.n.t.s...........R.6.0.0.9.....-. .n.o.t. .e.n.o.u.g.h. .s.p.a.c.e. .f.o.r. .e.n.v.i.r.o.n.m.e.n.t.......R.6.0.1.0.....-. .a.b.o.r.t.(.). .h.a.s. .b.e.e.n. .c.a.l.l.e.d.........R.6.0.1.6.....-. .n.o.t. .e.n.o.u.g.h. .s.p.a.c.e. .f.o.r. .t.h.r.e.a.d. .d.a.t.a.......R.6.0.1.7.....-. .u.n.e.x.p.e.c.t.e.d. .m.u.l.t.i.t.h.r.e.a.d. .l.o.c.k. .e.r.r.o.r.............R.6.0.1.8.....-. .u.n.e.x.p.e.c.t.e.d. .h.e.a.p. .e.r.r.o.r.............R.6.0.1.9.....-. .u.n.a.b.l.e. .t.o. .o.p.e.n. .c.o.n.s.o.l.e. .d.e.v.i.c.e.............R.6.0.2.4.....-. .n.o.t. .e.n.o.u.g.h. .s.p.a.c.e. .f.o.r. ._.o.n.e.x.i.t./.a.t.e.x.i.t. .t.a.b.l.e.............R.6.0.2.5.....-. .p.u.r.e. .v.i.r.t.u.a.l. .f.u.n.c.t.i.o.n

C:\Users\user\AppData\Local\Temp\Darwin

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	54272
Entropy (8bit):	4.961470150249258
Encrypted:	false
SSDEEP:	384:/GiwxFr9LE/MpfhwHLWAkqLyH3Per2Wfn2HuboEI:/G5bAGWrT+UI
MD5:	05C38CF6F8D52D2166B0EC2E19B5952D
SHA1:	1E68455B73E2EA8593B2E1E5D7DF47907C6F4EF0
SHA-256:	60555FC678AD0D7684D74763F8136E14FCBD967AF26105DA6FDEEDB516664FD6
SHA-512:	256A911A1898E0405CE246DD641436ECE680C7F5BB59447987B40906572AA9727BD310E662C8A24AC9229D12F41FAFE4305D20E3B76C3645A81EA465163D1EBC
Malicious:	false
Preview:	.............................................................................................................................................................................................................m.m.m.m.m...........................................................................................m...m.m.m.m.m...m.m.................................................................................................................m.m.m.m.m.m.m.....m.m.m.m.m.m.m.m.m.m.m.m.m.m...4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.m.m.m.m.m.m.m.m.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m.4.4.4.4.4.4.4.m...............................................................................................................................................................f.........................m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m.m....

C:\Users\user\AppData\Local\Temp\Dow

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	176738
Entropy (8bit):	7.998938837217997
Encrypted:	true
SSDEEP:	3072:AZam8822iGFun+1yboPGR6Qahfq8FIhoU5Z7PwQxznj52o0:eF/h+8yboPyBo/U5Zcurn0
MD5:	DAA015A1F21C7A4894D033627BF130BF
SHA1:	2FCBDFBEC1CDEB213EC8CF28F1D040093CF436B2
SHA-256:	C8F6037F9E31C27D5759C623E3DAF3F401B2741CBBD2560A703E0BA8DF0A309D
SHA-512:	FCC4EE2F23EBCEE327E705684CADE08F558D301E356CED7F1393DDC5AE4EBBBBCAED70178A4B437A042E8AACD8BC7319E03F18E0DB9F0656508E342848276CB3
Malicious:	false
Preview:	...'.>.}.......N/.....B..;....,p.....`p.cF`..Ft..;.(f..fa@....6...a)......Fc!.S...d,.0..?e..... .JI5.\..9.0....#..J.i.7.K...y..."...U.c..)K....F.[C0,Z?.$..q.......!.".~.W........R....W.......+6..w@.C.@S=3....03N..1.$.9.M..v"}.O..&\|h..wZ....;...dBMmh`.~q...X..n.g...th....3.P1..#. ..d.?3..R...6..z.+F..A.....Yn`.;..K7o."g^0a.I...F.:.~V....C]b.(f..X...b...n..{...r.{l#..4.#.Yk....i.#P..m..2..oz..H..k..AZ.=N H.....0.=.2._.f'.&........ZM.E....CH...l5~Z;..`F}.K.F...L..uV.....K..........x:..f..LH..+&.m.S[.Uol.%.F{.'..].4..7...hL./&..)Ch.[Y....l.....U@.C>.e.y/......Z-}..C..J;.....I..F..R@.....7......#...^}c..U. au..H%....M ......b..C..2/...&..NA..\|5._..&..7..sL.G.".....%.Z%B..\.~.\.~k......6..b.,.H.Sd.n:........Gd...X.2....).g8.}...........O=..K.7... L+.O>O......_r..n.t.<.........y......Q@.g`.7....\|.+...nC.4.Ob.y..WO..g..q5q....\|;.... .Oa..".n.vv..S...Z.Il..T$......z.d.ct.Y...uq....r..[.03......./)..2..............*i..T.W....wf..,L..k:..\|...;.

C:\Users\user\AppData\Local\Temp\Encounter

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	6.575297865455708
Encrypted:	false
SSDEEP:	384:HXxdB1gv4PSTNVvmQXPMYSckSllpFC/0vB9Kr6dVo9J9p:hdB1gpjXgckS9cAXKOd+3p
MD5:	E169484F61EE7F91A48E9950369B0C19
SHA1:	9A7A13BC99E6075E3CCACED9AEF73928E911982E
SHA-256:	F0B5FDC6317E21F5E78904E3833521C656C13EC715353C2185985FD158349C9F
SHA-512:	CDFA5B2731268753B2BA549E8336FF1D3AC68BC83D7E61A21B2E34461BDA1617AB1961A2938841E5B479B3D3EA792C8785EB2BBA1D70CA273E20B663EB28C6D5
Malicious:	false
Preview:	^.......t..M..w......>.u....T....>...t..f...F......U.F......L..t..M..@...f.....t...>. ..>....t..M.."........t...>....>.u.........F......>3._^[..]...U.....E..SVW..c....}....Y....].+]..} ........M......E...u...ta......F.9X.}.........F..X.C.......Sj..v..M.......M$.E.P......M..S..H.....SV.u..-...V...................F.9X.}........F..X.C......Sj..v..M.....M$.E.P.}......P.u.......E..t?.s.V.<...S.u...W...................M$..V....V...W.....Y.@..3.j.Z.C..........Q.....4...V.u.W.h....M$...3.f..>W.N...W.<...Y......M.....} .tn.u....l......t............F......P.M..d....M$.E.P....j..M..b....E..t....E#.E#j.......E .E j.P.u.........J.E..t.j..u..E#P...f..E#......P..j..u..E P.......u .M.......M$.E.P. ....M...._^3.[..]. .U... SVW...M..}...............E..x..u..u......]....>3..F.........3.C9X...9....@..M.3..}..}..0.}.......}..t..M......M.p.......]..u.M..E.P.E.P.E.P......u...E...u.......>.}..^.........E..F........M............E.........E..j._.......E.....p.;.v..u........&

C:\Users\user\AppData\Local\Temp\Eos

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	104
Entropy (8bit):	3.416604981420026
Encrypted:	false
SSDEEP:	3:3E8jim/AW79cUqt/vllpfrYZm:3CSFHqj7
MD5:	893F66656D1AE71C271437ADFAA8B2AB
SHA1:	D6891A291D5BE87144FD7726B6057A650A43EB67
SHA-256:	D7DA3BF12721CD0A5B168319C7DD3378E166BAAFE9897059CB3677BE40E817EC
SHA-512:	EE17760000F587B5C1B1F0A9CACAA16B0AC51DDC1221FC041DC272C04F0D9E425C8B303C26FA64B1C7E23A3C69D244AF73AD4AEA6709DEC18C470CE43AC1EA3A
Malicious:	false
Preview:	StudiedForeignTitansCircles..MZ......................@...............................................!..

C:\Users\user\AppData\Local\Temp\Essential

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	46080
Entropy (8bit):	6.49541038639822
Encrypted:	false
SSDEEP:	768:p7nxZL96Yk4iARefFilP4Bwh1QwTMvcVPDqdU7SIc/jnsRf4rJsb25v0hL4G+CAv:pv/pAfkF/bIQ2dU7SP/jnsF4rJsx9RZ4
MD5:	9F06D5E95DF19B2DA82D9A7EFC94D66E
SHA1:	C09F6DD987A9F9A625C18C61BC43D69694D8275D
SHA-256:	EE5EA03416921826638D490975B7B1A7491D14616714BFAE919BC5C11DCED2FB
SHA-512:	434AA56B6480DEFDF42ED601C51827B403FB6EEDF88FF6C7C4789E8035084E4D197D66B2FE246ABD9C1C5B313A80BFB8ACCDB56606D7A64FF7CD560B1CCABD68
Malicious:	false
Preview:	B....M...@...E..0.. .......u.S.M...E...E...P..E...M..<A...^r...I.y.D.9.@.9.@.6.D.9.@.X.D...D...D...D...D...D...D..~@..~@...D..~@...D...D...D...D...D...D...D..~@..~@...D..~@...D...D...D...D...D...D.j.jj..cL..........t..9E....t..9E....t..9E....t..9E....t..9E....t..9E ...t....t...e...E..e..j.PWQ..]..5F....pbL...D...........xM.E...j..@....Yf9H.t...@.Pjr.).M..uB..........\|bL.t......=....w.j.h............M...?...t...E....E..@......@.Ph.........$u...U....@PR.u.VW.?u.......v...8v...G..D...U.f9P...'v...u...G......@.Pj~...G......@.Pj}....@v...U.....7...M...u..U..v.....M...@.Ph.....a.......v..j..u.Q.2......M....?...u.u..E.......w.....).....w.......tKJt....uU.E...SWP....M\|....t!.@......t....t..E...SWP.=....(\|....A.Pjn.....E...SWP.c.....\|...U...w.....uJ.E..xrL.PS../...E..Zx...E...rL.PS.[....../...E.....Ax...z....rL..p...w...E...x...}....jz...E....@.....M...@.Ph..............t"...tX.....lx...E..xrL.PS.^/...Dx...=.rL..t..E...rL.PS..Z.....:/......!x...E..prL.PS.#/....x...E..prL.PS../..

C:\Users\user\AppData\Local\Temp\Framing

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	26624
Entropy (8bit):	6.650060605465728
Encrypted:	false
SSDEEP:	768:Yr5DhaEM66z/rIYlZh9dyb3cTzH1hrNCTtTaGJNH5yf44n5ETavrYFdjVe1N:Y5kEMDzMdMhrNCsGJh5yA05E22VeP
MD5:	2A4AC5EE8E094168C874CD3431735A92
SHA1:	00A5983D45DE5074A9FCCA66B1006447A14C7930
SHA-256:	3F36FFB3DCCE7F4F33DDD3E56CBB5CA825736FC926CE67E3AA927F39FA8D80D7
SHA-512:	FD1AE8F47DC9E628822CAADBA032B860012AB2836C5818881011B19E227F7E3D37F02370D99C0E4CCBB121038678A2CAE8471173F334F37DDF4ACC42651B1ACB
Malicious:	false
Preview:	\|...........%....=....u...G.......%................................FD...........E.<W@.}..E.;E.\|......;U............;~\|...........%....=....u...G.......%.........................s..FD...........E.<W@.}..E.;E.\|.....;U.}......;~\|sU.....%....=....u...G.......%.........................s=.FD....t4.E.<W@.}..E.;E.\|.. .......t.;.....v..Vh9...........}....K@..;}...'?...E...@..P.u.V.u..u..L=..........>..f.G..........}.f#......f;.u.....}..}...M.u.;.v.f.?.u.f....u.....}.;.u..>.......z....$.0.D.;U........N\|;........V...t..F.j.PQ....9.......t1.....V....+.;.w f..f;F4u......z...f.G.f;F6..l..........t1.G.;F\|r).~..u#.~..u.f..f;F4u..Fh..................E...@.}..E.;E...X.........N\|..)U.+.U...;.v7...}..............;............Fh..................X....<W.}......;U........N\|;.s.......u.....}.;.......f.?.t4.8...t-.~l..........t....t.=....t.=( ..t.=) ....b.......}.B;U.\|..Q....M.;...F...;~\|..>......=.....2..-...=........ .............. uG.....=....u;.....=_ ...$......=. ..\|"=. ........=/ ..u......=.

C:\Users\user\AppData\Local\Temp\Hierarchy

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	37888
Entropy (8bit):	6.613365698374663
Encrypted:	false
SSDEEP:	768:s+ylIt0su0B4y+aZmzddtw1E1Yd5dArqsfGuYJhLgBF9g:/ylIusu0B4MmHtt1OPeI
MD5:	43B9B743AFC3BAFCDCE0DE5C02E5435B
SHA1:	4312CF695167DBB0D06DC0FCFCCA0E1F03B94692
SHA-256:	B53DAAABD96F059F26BB48F90953288F33977F046C22623B9FEC40D7C77A13FA
SHA-512:	A8C41B42C6B14BE2F540B24305EB91E5797F4493241676055BB8B66754A2F13BE2A03007EE345B24399127787BBD162F4BFAEFB8E756DBC749B0E704EB5A78E4
Malicious:	false
Preview:	.1Wt...%....=.......b..j._j.[;...&c..;.t.......b..3._^[].3...b..U..E.SV.Y.W.8...r.........Q.....F......>.Y..._^[.@..]...3....,I..A..A.f.A....U..VW.y....*......N ..P...U....F,.....V ......M._^.H0]....y...A.u..@8.V..W.~.....b...~..u..N..y8..t.Q.P....~..F...._^..F....U..V..~.....b..Wj@......Y..t..u....4....F..G8.~._..^]...3...V..N .!P......P..V.....Y..^...U..V.u.W..V.g...P...F..O .G..F..G..F..G..F .a..P.wP...F0.G0.._^]...3.3...@.A..Q..Q..Q..Q..A,...Q .Q(.Q0.VW...?.t..7.`...Y...............u..........j.........._..........T..........I....O._^.l...V..&..N..y..........w..........l..........a..........V..............j..S...Y..t.. .h(,I.......I..F...^.3...VW..3..D.......a..F...\|._^.j..A.Z. ..@.Ju....U..V.u.W.......O..F..G..F..G..F..G..F..a..P. O...F .O .a..P..O...._^]...3.3.@.Q..A..Q..A,...Q .Q(.U..V..~.....`..j.......Y..t..M......F..B..V...^]...3...y...A.u..@..VW........p`......u..G.P.p.....Y.w..G...._^..G.....A...u..V.V`..U..........Vh............Pj.....I.......P.M........M..

C:\Users\user\AppData\Local\Temp\Ignored

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	47104
Entropy (8bit):	3.4682830089201713
Encrypted:	false
SSDEEP:	768:6cL4qHq25NKEHq9BxyyM0Dj2Bmgari0UPD/3J:6cvNHq9Bxhgari/D/3J
MD5:	6EF485E669E927FA4424C224ED0BE4FD
SHA1:	57F788BBB8CFFB7E35DFE5425C191DF3D9041D5F
SHA-256:	1D352C3FCCF7C4CC937478327CEBDB1E11FC6BC91C4279EFE87BFE258E665880
SHA-512:	81A609B9116C0CBB6A7DB3DF4101085964F801A691B319719ACCF27D5AE65A7DB9BA2376B779519C372E4CADD8F33F9C1645D839ACC35F1B163736C6E5D29736
Malicious:	false
Preview:	.=...[.H.A.N.D.L.E.:.....R.E.G.E.X.P.=...[.R.E.G.E.X.P.T.I.T.L.E.:...C.L.A.S.S.N.A.M.E.=.....[.C.L.A.S.S.:...A.L.L...[.A.L.L.....]...H.A.N.D.L.E.....R.E.G.E.X.P.T.I.T.L.E...T.I.T.L.E...T.h.u.m.b.n.a.i.l.C.l.a.s.s.....A.u.t.o.I.t.3.G.U.I.....C.o.n.t.a.i.n.e.r.....E...C.o.C...C.s.E.5.C...C...C...E...C.o.C.o.C...C...E...C...C...C...C...E...C.o.C...E...C...C...E...C.o.C...E...E...C.o.C..C...C.;.E...C.).E...E...C.M.E...C.y.C...C...C...E...C.o.C..C..C..C...E...E...C.o.C...E...C.o.C...C.8.C...E.t.C.K.C.".C...C...C...E...E...C.^.C.o.C..C.f.E.o.C.Q.E.o.C.W.I.N.D.E.S.C.R.I.P.T.I.O.N.....D.E.S.C.R.I.P.T.I.O.N...S.O.U.R.C.E.....H.E.L.P.F.I.L.E.....H.E.L.P.C.O.N.T.E.X.T...L.A.S.T.D.L.L.E.R.R.O.R.....S.C.R.I.P.T.L.I.N.E.....R.E.T.C.O.D.E...R.A.I.S.E...C.L.E.A.R...S.T.O.P.....i.E...........I.x.K...K...K...K..K..K...K. .K.0.K.<.K.H.K...E..xE.#.E..yE.B.E...E._.E.@.C.O.M._.E.V.E.N.T.O.B.J...~.E...E...E...E...E.i.E...E.c.d.e.c.l...n.o.n.e.....b.y.t.e.....b.o.o.l.e.a.n...b.o.o.l.....s.h.o.r.t...u.s

C:\Users\user\AppData\Local\Temp\Inappropriate

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	6.114432477962359
Encrypted:	false
SSDEEP:	768:dN3AFR97T98+sDkXLAlMoLVNIo8DJWxWWbP75qcaTlKWzhQVNsbSSkLQ7PqYIue2:z3OFTR7bAlHL/4aj5Vf7gqYrui3X
MD5:	8B72724BE50BE4C02D108E13BA1F03AC
SHA1:	64C19A356548A6D21FDF5BF156A945021A2FA3C8
SHA-256:	F649DEB8A84C55F8F16FF7B5F4F0DB9F01E1BF64929479CAC712F7A0B8D65994
SHA-512:	37C9A4048C101DBDB51D390C5EB51B85B6C0A502F327DD2D9C173D9A3DACE21534D1DEE2F1E8FCC204D20607D2E1211BCE88599543D4862A1915F6E6B82EB6C6
Malicious:	false
Preview:	...g........g........g........g.........G.. .....g...G..@.....g...}..u..E..TJ..M..........g...E......G........g...E..............g...E.......G&.....G".u....W.U...t....E...x.....B..\|....E... ..W...3...\........ ..M...3...X...........C...3...T....,...........3...3...H...........)...3...L...............3...`...............3..w...d....h........E......E......E.................3...p....E.<..........@.....D.......@...%......yf...........f...l...........p...........p....f............}.....g...VUUU.m.........@.VUUU...........E...G f.....f...u.................VUUU.E....................t7..G.........+.F.;..........;........F..................}....j....G.....@....}....U....E....J....@....@....M........G..@..:...........\|....U..I..}...]...6g....w..u.........~...9u.......9u...oh...U.9u........]...u.9u.u).M..t..A..t...+...;A(..=.................M.......j.j.Pj..U..U.R..t.............E......E......(........8....M......h.........i.......i.......$k...}...]...ik...E......u....k....+...

C:\Users\user\AppData\Local\Temp\Jim

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	7.037694916657714
Encrypted:	false
SSDEEP:	768:6frafd0maNBZikj0kkuhsRqI5o+oyyxVxCaw2F8aP6VOHQznzp8G7bJu1U3:6fraF0Hikj06LDykFIcizp97bv
MD5:	936DF0A9731F06346CF5FAEBF2185309
SHA1:	7940B59EA5FF316D60F77E244A7FAAEE0D16087B
SHA-256:	C24354439C40BD14D14E14E10B8B0D4385D8189719CCBC6F174D827467DC2BB1
SHA-512:	01A53E1DD1DB533AF086ED274A5F7D165490E9C5BCB472D487EDEA8D1DD9966500157625ED27FD70F9F8190E1A738B9B1A6086261558510280D3FA54D48E9E00
Malicious:	false
Preview:	.e.s.s.i.o.n...".U.n.b.a.l.a.n.c.e.d. .b.r.a.c.k.e.t.s. .i.n. .e.x.p.r.e.s.s.i.o.n.....E.r.r.o.r. .i.n. .e.x.p.r.e.s.s.i.o.n.....E.r.r.o.r. .p.a.r.s.i.n.g. .f.u.n.c.t.i.o.n. .c.a.l.l.......>.".S.e.l.e.c.t.". .s.t.a.t.e.m.e.n.t. .i.s. .m.i.s.s.i.n.g. .".E.n.d.S.e.l.e.c.t.". .o.r. .".C.a.s.e.". .s.t.a.t.e.m.e.n.t...+.".I.f.". .s.t.a.t.e.m.e.n.t.s. .m.u.s.t. .h.a.v.e. .a. .".T.h.e.n.". .k.e.y.w.o.r.d... .B.a.d.l.y. .f.o.r.m.a.t.e.d. .S.t.r.u.c.t. .s.t.a.t.e.m.e.n.t...".C.a.n.n.o.t. .a.s.s.i.g.n. .v.a.l.u.e.s. .t.o. .c.o.n.s.t.a.n.t.s.....C.a.n.n.o.t. .m.a.k.e. .e.x.i.s.t.i.n.g. .v.a.r.i.a.b.l.e.s. .i.n.t.o. .c.o.n.s.t.a.n.t.s...9.O.n.l.y. .O.b.j.e.c.t.-.t.y.p.e. .v.a.r.i.a.b.l.e.s. .a.l.l.o.w.e.d. .i.n. .a. .".W.i.t.h.". .s.t.a.t.e.m.e.n.t...v.".l.o.n.g._.p.t.r.".,. .".i.n.t._.p.t.r.". .a.n.d. .".s.h.o.r.t._.p.t.r.". .D.l.l.C.a.l.l.(.). .t.y.p.e.s. .h.a.v.e. .b.e.e.n. .d.e.p.r.e.c.a.t.e.d... . .U.s.e. .".l.o.n.g..".,. .".i.n.t..". .a.n.d. .".s.h.o.r.t.*.". .i.n.s.t.e.a.d...-.O.b.j.e.c.t

C:\Users\user\AppData\Local\Temp\Parker

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	25600
Entropy (8bit):	6.432447343571644
Encrypted:	false
SSDEEP:	384:iHdeGPKnwcN6IHVXOjAVAtSMgRoa6PfUIi6J89nOrHV8Eepte7t7WO1:iGntN6IZOjAV0SMg4XJ80RGrkx31
MD5:	4C873E5A7FDDCEC3D3397ED0FA1D7979
SHA1:	95D9594E55A569345D2BC142F5A69B749B1D0177
SHA-256:	D6B057C834F42E8B447871680336DC4039B327EEBBC33DB85E2847DA6AA8A8E5
SHA-512:	492F02B31C8D0C48B7DBF42B3CC0AD73D0CED1BB7484A3F83B59C6C507649FABBE57AE5EEF9322C67431D0C38203F7A19374E0212652CF0C6870ED069B785DAF
Malicious:	false
Preview:	...u...P.p..u..2.=.....t'..u#.@.3...f9p.u.....tNHu..uD.}...O..}...u..].}.t3.F.....\....E.P.....M.......M......_^[..]...I.A.G..............U...TSV.u...Wj..M..E.Q.M..E.....QV...E......E......E.................M.E..U.E....uT..uc2.].....=.............V..}....f.x.........8........D..Gf.x....A.....u _^[..]....y....w..$..@...t....3..E...I.3..E......M.u....I.......;.......j..Ay.................K.f.N...F...K.f.N.f..?~Af.....3...f.. ...........M.E.]..4..M.S.A.M...f.x.........u..f..0\|.j...x..........:..........H..J..H..J..@..B.......6...s......3.E..............Q.{x........E..t .M..t....QPV..x......u...x......u.........E.;...l...j..3x.................O.f.N...F...O.f.N.f..?......f........f.. ...........M.E..u..4..E..M..E.P._5..3..E...I.9u.v...E.<...t...G.f..?~4W."x...E..........F;u.r..u..E.......x....._^[..]...f..0\|....t..C....C..8...:...S..w......}.3.2..E...E......E........E......E......E......E......H..U..U..M.....%...3..E..7.V...;5.rL..K..~G....5.rL.t<..u8.

C:\Users\user\AppData\Local\Temp\Patterns

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	67584
Entropy (8bit):	6.785269369152044
Encrypted:	false
SSDEEP:	1536:mlRHq6EQU7uLQT6unj5ctpYuYtWGJG2kQyyy9FskzWaIxg:mlRKecTF5c2p02kQi9FsgWaIO
MD5:	5C109AD97B8502C27805D64BFDE91D4B
SHA1:	3DF3B449E42B1BCE015473DE53378951D99C9102
SHA-256:	8308C234DE3F18053E52B48E83BD3BC69B3E6D9632FD2A1FE09059FF47754D49
SHA-512:	FF410D4962695FF11547DFFFE71D7B32583B6DA9A978DD9476E94339E778C7AD346ED80694C3F01296CCA98873ECCD28FBF929CF52778168590DD5A3704854BF
Malicious:	false
Preview:	K..YY..uJ.E.QQ..$..y...E.....YY....Dz+...XJ.QQ.U...$..y...E.....YY..Dz.j.X..3.@....3...].U...E......V3.......9M.u:9u.u\|.........z.......`.K..............A.E................9E.uB9u.u=.........z.................A.E.u...`.K.......h.K.3...F......9M.u-9u..........E.......A..m...........E.{[.....U9E.u]9u.uX.E.QQ..$.......E.YY.......Au.......`.K....u............z....u.......K..E......M.........^].......SV.D$...u..L$..D$.3....D$.....A..\$..T$..D$...........u.....d$...D$.....r.;T$.w.r.;D$.v.N3..^[...j.h.K......3..u.j......Y.]....}.;=DbL........@bL......tZ.@..uJ.@.....uA.G....w..G.P.P...Y.........@bL..4.W..f..YY.@bL.....@..t.PW.Fg..YYG...u..Pj8...Y..@bL......t:Sh.....@bL...... P.......@bL...... P..\.I..@bL..4..u.^...t..f......^..^....^..N...E.............K....u.j..p...Y.U..QQSV.u.3.W.=.QL...j .M..M.X.....f9.t......at/..rt#..wt............e...3..F...........................3.A...f.........E..................S......tv.. .........tRHtC...t-...t....u.9E........E..........

C:\Users\user\AppData\Local\Temp\Pork

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	6.640421485132228
Encrypted:	false
SSDEEP:	1536:F7XDh1RlyxcZqvinN8PsJitgXKUvl8UTcyzJW784Lls:dDhrlyU8PsYuXtvrhzU78Gls
MD5:	DE7DEBCF02E6312441ED6F77D8FB0FF7
SHA1:	B887F109443CD46E1B125B74A24468E02FB97406
SHA-256:	7649067870BF2EBB47D8D3DEE1D634D052902353A9EA4A27A2B171E4CAA2B677
SHA-512:	8938D2E542A4836C11E61CF33B590F916E9FB00D40B2F8DFDB61FB26AA1AED8D90B1B873989787CC8B90A3A48255E2F3DA35EBBD6B325A3BDE90591306CFC3D3
Malicious:	false
Preview:	...jw[...3.B...@dJ...F.....;u...........QTE.)SE.;.A.............=....~.=..........=.................}.....A...Af.9wt.....o....E...;F s*.F..y..}...:..x;E.t..F....;V r.....;f...}.;V r...Q..F...P;.r....f.A.....7.....A.f;E.t.f;E.u....j.^.....A.f;.t.f;E...............-.........HH......HH..g.........j...._;........$..UE.f.......j...j.Xf......f.>....f.........F..<F.c.....F.f;.t.f;E.u....jpZ......F..4F.......UE..UE..UE..UE..UE..UE..UE..UE.f;E......f;E.......f;E..........G..}......C.............\E..$..[E....;...............u.........;.t.........u.8.....3.......P.w.....YY....m....................E..@........U....u...+....4...Y....3.............."....E..@.............f....E..@..................E..@......p...........3....E..@..................E..@......=........;.w/................. ................................ .......... ....`...../ ....T....._ ....H......0............;.w/................. ..x...........l................. ........... ....I...../ ....=...

C:\Users\user\AppData\Local\Temp\Regards

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	6.491730884885601
Encrypted:	false
SSDEEP:	768:ob3jsJhQlEF2VVay1N5J3SoO6Qku2ox3hOk3Hsu1izuQ:obgjQWq8GV3jOTJh1Xl2uQ
MD5:	C0FBF0CFDA8B9E1ABD0758C522A8802C
SHA1:	72695440DF9037B3AB984CBF67842C68EA27AAF7
SHA-256:	55F815E67C0679AC0F2DB488CD2436974B6A845BEA9DA243C7D80F97695A3456
SHA-512:	167859C756D96220E20F2164BDB1986384D39E334BDA4DC3968F97475D9E58826F4AA0F8E17C13DDB371F9573C4A3B3DA1A6D65741CA846F691CDE9E441B8492
Malicious:	false
Preview:	L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR..........................PE..L...y..U.........."..............................@.................................w.....@...@.......@.....................L...\|....................8..0....0...q...;..............................@X..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...............................@..@.reloc...q...0...r..................@..B.........................................................................................................................................................................................................................................................................................................DQL......h..C.....Y...L..h.C..{...Y..N..h.C..j

C:\Users\user\AppData\Local\Temp\Rh

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	6.539439235454021
Encrypted:	false
SSDEEP:	1536:3oejQ1/9klkp5VLGEDuaiC7v8xV96AE11yHxpfYAz7Fbk+:3oT1/Qkp5IKuLuv8xVTOAxpg6pbJ
MD5:	F99E527E596BBB5F2A9703DC97B639BA
SHA1:	EB6E493FC6ED954AFD4F01CC00509B076FCBE022
SHA-256:	F7FCD12EAA99887EB2BD44ED05E90D056AC3A43E5BBABA127B5E157600E355FC
SHA-512:	FACCA0B2E2D93513D729CAB9DCBE48ACE825F14ECEF7ED146ECE5CCF95F5704EF174697287633B231F2459DC93F28D7F95AB850FE64AC5EE96180176CAC0ADE8
Malicious:	false
Preview:	4...j.j...D...P...............D....M.P.e..j..M..`.....C.....M..0.Mc...E..xrL.P.E.P....E...u4j..u..E.h.tL.P......E..xrL.P.E.P.q....E.....\|....E...u.h....P.u..n....M..g.......C.jN...Yf9H.u3.E..P..D...P.E.PVS.:............M...u..M..E.P......M....C....f.x.A.......B..S........z..}..}..t.VS.........jNYf9J.uq.M..y..t H...E.P..D...PQVS..._............u....6S.)............M..~.3...D....}.j...D.....P.u.VS.u............3.u...PS.............j..E..PVS.....x].M..E.P........K......@.f;E.tuf..@u@.B......j3Zf9P.uG.U.........C........@.Pjy.....M..@f...6.u.jn.(.......C......@.Ph.........C......@.P.u...L....M......_^[..]...U...\|SVW..3.3.].A.]..M.M..M..]..rH...M.3.@.].E.E.E.A..]..].].]..]..@.j.Z.E.....f9P.u...@.Pjn......E.j...H.E.E..E.P.E.PQ...i.............u.M...P.P....<x............J.......3.S...f9H..M.u.......*...Ht.Ht.H......Hu.........N..u..}..u..B.3..E...E.....f9H.u .8.u..B.j.Y.E...E.....f9H........}........j..E..P.E.PS............C.3.u....f9H.uF.8.uAj..E.FP.E..u

C:\Users\user\AppData\Local\Temp\Scheme

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	29696
Entropy (8bit):	6.6358881954068245
Encrypted:	false
SSDEEP:	768:7R7F8ufnz4kVDZxj/JiFwfGW43E2lfwMwstd7y:0Qnz4qDZxj/JiB27p
MD5:	8D1E059AD293BBAE83321E46AB27CB35
SHA1:	FD7CC899D7531CF20AC6C2F133E9D6429E73A4B3
SHA-256:	80EF276FBE7BD300CB570295B879C5009FE8E7843D3F752F1EA8D197667BC589
SHA-512:	8782AED80D32F3143256BBEFE1A005B30EDECB59B7172D23DAB13E391E8DE4D7EB70668311B593BCC8BA3BAC4515F38C34D230519ADD84421DA9201240090CDD
Malicious:	false
Preview:	Y.vx.a..........V...YY........tD9.u@......-....P.5..............+.P.".........+.P.........................=..K.t.9.....u.P.q..............YYj.X.......E..~......K.t.....t..8.u.P....3...YY.E.....t..G...t..8.u.P...Y.E.......H.E.u.V.{...Y_^[].U..U.........SV...W.......Jx..t...............t........J\|..t...............t.......j..J.[.y...K.t..9..t........y..t..y...t..........Ku...............1N_^[..].j.h.K..t....e.............K..Npt".~l.t.......pl..u.j .....Y.......j..@...Y.e...54.K..FlP.!...YY...u..E...........u.j..w...Y.U..W.}...t;.E...t4V.0;.t(W.8.....Y..t.V.....>.Yu...8.K.t.V.F...Y..^..3._].=TbL..u.j..M...Y..TbL.....3..U..E.-....t&...t....t.Ht.3.].0?I.].,?I.].(?I.].$?I.].U.....M.j......%$BL...E....u...$BL.........I..,...u...$BL.........I......u..E...$BL......@..}..t..M..ap...].U..S.].VWh....3..s.WV....{.3..{................{.......K.+...7..FIu..............9..AJu._^[].U... ....P.K.3.E.SV.u.......WP.v.....I.3.....................@;.r................ ....Q.....

C:\Users\user\AppData\Local\Temp\Son

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	ASCII text, with very long lines (500), with CRLF line terminators
Category:	dropped
Size (bytes):	12828
Entropy (8bit):	5.086154128567318
Encrypted:	false
SSDEEP:	384:fQjplcotEbz3bOICS0VJxVA7dGW4LxFXOtxzrtczEoRGzFV:CFEbz3b8SOzW+xFqSzEsGz/
MD5:	B35A7678F2ACE72E53FDFCD3B182A809
SHA1:	1795052B1751CA6A5587C76F36D6E8DD989C2545
SHA-256:	B6AF7026B87607244BC3501CFFAA3BE14DC657FC298BD72EEBDDEC80CF1AE27D
SHA-512:	27404A98232AE1FFB8902120DCA801E6A7174FB112C75B4D217B4EC7B2224C10FE2DB9C869E6FFA003771634429744C576DE2AAB6B45DBC5C99272B7740523BC
Malicious:	false
Preview:	Set Mattress=8..pOdFigured Independently Luis Rent Andorra Commissioner Groups Sp Bracelets ..rfDxMagnet Thu Whenever Younger Bedroom ..BfgOught Smilies Party Mexico ..KRAccountability Already Productivity Charged Childhood Explained ..eNTIncentive Kentucky Dice Tones ..lMScuba Dawn ..QoFrequency Harbor Fo ..gTykMention Funded Serve Give Remember Penetration Perfume ..TISociology Test Garmin Tranny Neck Floyd Key Josh Appropriations ..Set Generations=6..CUTransport Worker Enjoy Knew Wrap Diet Crazy Shanghai ..BjQZCarlo Contracting Grows Certainly Cvs Hybrid ..wvoGolf Og Comfortable Enough Soma Characterized Disclaimer Korea Victory ..ILxJNudist Beaver Port Gene Finding Luis Kirk ..VpsrInquiries Ethernet Tent ..iDFAnimals Latest Supplied Gmbh Working Export ..RnAdapter Islam Matthew Smithsonian Graduates ..rQxProduced Diverse Cad Lands Banana Van Annoying Parking Stakeholders ..EQAnnotated ..Set Mistress=C..ZalbImprovement ..dFNGMailman Kazakhstan Fake Conferencing Protocol Upcoming Rou

C:\Users\user\AppData\Local\Temp\Son.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (500), with CRLF line terminators
Category:	dropped
Size (bytes):	12828
Entropy (8bit):	5.086154128567318
Encrypted:	false
SSDEEP:	384:fQjplcotEbz3bOICS0VJxVA7dGW4LxFXOtxzrtczEoRGzFV:CFEbz3b8SOzW+xFqSzEsGz/
MD5:	B35A7678F2ACE72E53FDFCD3B182A809
SHA1:	1795052B1751CA6A5587C76F36D6E8DD989C2545
SHA-256:	B6AF7026B87607244BC3501CFFAA3BE14DC657FC298BD72EEBDDEC80CF1AE27D
SHA-512:	27404A98232AE1FFB8902120DCA801E6A7174FB112C75B4D217B4EC7B2224C10FE2DB9C869E6FFA003771634429744C576DE2AAB6B45DBC5C99272B7740523BC
Malicious:	false
Preview:	Set Mattress=8..pOdFigured Independently Luis Rent Andorra Commissioner Groups Sp Bracelets ..rfDxMagnet Thu Whenever Younger Bedroom ..BfgOught Smilies Party Mexico ..KRAccountability Already Productivity Charged Childhood Explained ..eNTIncentive Kentucky Dice Tones ..lMScuba Dawn ..QoFrequency Harbor Fo ..gTykMention Funded Serve Give Remember Penetration Perfume ..TISociology Test Garmin Tranny Neck Floyd Key Josh Appropriations ..Set Generations=6..CUTransport Worker Enjoy Knew Wrap Diet Crazy Shanghai ..BjQZCarlo Contracting Grows Certainly Cvs Hybrid ..wvoGolf Og Comfortable Enough Soma Characterized Disclaimer Korea Victory ..ILxJNudist Beaver Port Gene Finding Luis Kirk ..VpsrInquiries Ethernet Tent ..iDFAnimals Latest Supplied Gmbh Working Export ..RnAdapter Islam Matthew Smithsonian Graduates ..rQxProduced Diverse Cad Lands Banana Van Annoying Parking Stakeholders ..EQAnnotated ..Set Mistress=C..ZalbImprovement ..dFNGMailman Kazakhstan Fake Conferencing Protocol Upcoming Rou

C:\Users\user\AppData\Local\Temp\Specialists

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	5.829980176271686
Encrypted:	false
SSDEEP:	768:0YYTrIx+I0IKQ8SbkXhdqgWWwr2G+jvEHHzR3Sh7Wscy:aHIx10IKQ8SoXTqgWVrZ+Int3SdFcy
MD5:	979283DDCD0AC50FCEE85CB33EFE32A5
SHA1:	0094676F4770DFA6FD8325B0CA1ECA631E417EDE
SHA-256:	EF22EB20475D15AAAD1325B794EF3CA7705329FC659FB68F62D6CF22558EB915
SHA-512:	0E94297D02324F2323EBDF4883F004F8133448F4EDF14539637D02D196A8DC621AFD89E5A203C45BDFD2D4AC705630B774BCC88E7C61D1743B2F7FE973E69ABF
Malicious:	false
Preview:	QP.E.....I..U...u..}.+..}...M.u..E.+..E..E..U.P.E..M..0..p.I..M....u..M..M..U....u..U..E..HX.M..P\.x`.Hd.......;E.u%.......;.u........;.u........;.......j.QWR.u..u.....I.j.V.u...........uU..4hL.j._;.\|H.u..$hL........t/.A.;F.u'.......u..E.9A4u.j.Phi....1....I...4hL.G;.~..u.j.V.u..H...3._@^..]...U..QQ.E...gL.P.E.P.u..C.....u.3..l..$hL.VW.}.....03.f9.....t..M.......\|.3..@..y...A.=....w.f........$hL..M...hL.......y:.u....j..0Q...3.@_^..]...U..........D$...gL.VWP.D$.P.u......u.3.......L$.3...hL..T$..t$.....M....D$ .$hL.....8...D$........D$...y...M...%.....D$.t.R.t$..e....M..D$...........t+.\|$....u.3.@h....VVVVP.t$,....I..M..D$.......D$.................:...................................&......................G...$......$..$..............$..........#....$..........t......$......$....PVh?....w4....I..E.....t..w.j.h.....w4....I.9t$........w4..gL......P.t$..<....w.j.h.....w4.....D$$.D$$0...PV.t$$.D$4.....w.....I.....:....E.. ../.....y.j.Y.....t....9t$.t.......D$0.t...u.....D$$

C:\Users\user\AppData\Local\Temp\Spyware

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	27648
Entropy (8bit):	6.706822118312325
Encrypted:	false
SSDEEP:	384:0BNywAhADsULqe/el6AJXCVStyOl++cU6ydgi8xKHeIN3F3XyaqdXE9mR:qy5UxrUCVoyOQ5DuOKHnPiamE9k
MD5:	5F1A35B3F44E3BF44A8FB705323DE274
SHA1:	B0947EEF74CEAD1A377F201C23F58CFC625BC09A
SHA-256:	9ECE0B230157698FCACCD55A8CDE992D471A31906147607CBCAE654C3474CE3C
SHA-512:	CF4B1C30085855A9A02980F21F422A59F0AC5D3F7D05382C3A1E27A25C82A17409FA9E53FB313078CA210FFA432D525EEE1315F2E9DF23261C751C9910755DF0
Malicious:	false
Preview:	...b..~W..uM..lA.uS6.........................SSSk........~~~/........................pYD..rH..zR..._...h...r...{........5-'......................................................~j......}...t...h..._..{T..mF._N?.........................NNN-............ppp.....................mhd..yO...X...d...n...y...........yj.............................................BBB.gYO............y...p...d...Y..hF.fb_.....................ppp.................eee.........................~eM...^...i...r...}.............aWN.OOO.....................................YOH...............}...t...j...\.jWG.........................\\\....................,........................lf`...`...k...w....................\TN.................................%".........................w...j..vW.d`\.........................TTT)....................iii.........................teX...n...w.......................;74..............................xp.....................y...i.e[R.........................eee

C:\Users\user\AppData\Local\Temp\Story

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	5.066531817325707
Encrypted:	false
SSDEEP:	768:QmEusWjcdeDvFQC7VkrHpluuxdCvEHKKgItUHM:6usWjcdmQuklluhvEHKxM
MD5:	17A40B97E496AF296AAA0E9FDC1170C9
SHA1:	4FEA4BF72C1BE106AD6EB9274D322005A9C85BC6
SHA-256:	61862AFAB4B586692A55C95B625305162FA5BD0559380D99A0E4C08797636955
SHA-512:	B6A0FF7DAD07FBAF9D9A91F427775F3D1F293D56BD36E0972D60EE4423DFFB8B5E67DA69497505E34B2F1CAB93C737D35B0AD2C82CA834DFF968E45B288211BB
Malicious:	false
Preview:	)f..?....0.9<.......Xw$..3..A..k...?... ..........2...y...;.f...?... 4............S...?...%.L.?... j.h<.......ty.[g..?.h.9;..?... .%.<.......y..sh:.?;..8]+.?... ..^<........k..\|.?c....}.?.....,g........Z".....?.......?......u.........i.....?..i<...?.....mb........1mm...s?,.)....?.....'>.......................................1mm...s?,.)..........'><........i.....?..i<........mb<.......Z".....?.............u<........k..\|.?c....}......,g<.......y..sh:.?;..8]+.... ..^........ty.[g..?.h.9;..... .%............S...?...%.L.... j.h........2...y...;.f...... 4.<.......Xw$..3..A..k...... ..<.........s.....)f......0.9........N...,J.?....8.......v<.......uZEeu..?F.2.k..... .Wt........-..v1....-.VA......`..........gY....?.\..b.... .bu........P/Y.e..?&%.......@.}.<.......................................P/Y.e...&%.......@.}.<.......?.gY......\..b.... .bu........?-..v1..?.-.VA......`.........?uZEeu...F.2.k..... .Wt........?N...,J......8....

C:\Users\user\AppData\Local\Temp\Tags

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	20197
Entropy (8bit):	7.160304313791378
Encrypted:	false
SSDEEP:	384:RD57OMPJ70YXZg4eVv76AzqmopEitriaIKJ7775i:R97OUg4eVDqp8VQ7A
MD5:	8B18B5B19625040AF0ACD3E289E8F5EE
SHA1:	CD86D5DE5ED1F23F288EDE6F07EAEE499655ABC4
SHA-256:	1E24D91BFD58F1576460250E55A8F08B2C3DC349FC1311E3080B95F18A802396
SHA-512:	D8CDD20980CC59B7223BEE2234CE343B3DC7FA03519DB9F70C4CA7E26118ECB14277F9A1C9187644369AEA1BFFB6EF414231B7916CE01C40678D0B32E889EDA9
Malicious:	false
Preview:	=%=h=.=.=.=.=.?...`..T...i0I1.1.1.1.1.1@2.2.3.394.4.5.5.7.8 8.8.8.8.8]9t9.9":D;L;.<.=.= >(>4>C>.>.>...p..0....5,6o6)8.8.;.;.;.<.<\=.>m>r>x>.>.>.>.?......D...C1\2g2.2.2.2.2.3.3.5)6V6\|6.6.6.6,7.7.7.8/888p8x8.8.8.8.9.<.<....X...g0k0o0s0w0{0.0.0.0.0.0.0.1.1.2.4.8.8.8.8.8.8.8m9t9.:.:S:.:.:.:.;.<.<.<.=&=^=.=......4....7s:.:.:.:.:.:.:.;^;r;.;.<.<.=%=.=.>.?.?.?........../0.24G4V4_4e4k4.4.4.4.4.4.6.6.7.7.7%7/797C7M7.7n8x8.8.8.8.8.8.819<9C9.9.9!:-:4:K:r:.:.:.;.;.;A;G;[;b;l;.<.<.<E=.=.?1?J?a?}?.?.?.?.?.?.?.?...........0.0E0Q0`0r0.0.0.0.0.1.151U1`1\|1.1.1.1.1]2.2.293d3p3.3.3.3.3.3.3.4K4.4.4.4.4.4.4.5.5(555?5U5j5.5.5.5.5.5.6I6.6.6.7y8.8.9'9R9.9#:9:P:]:i:x:.:.;2;o;.;.?.?.?.?.?......L...50N0n0.0.0.0d1i1.1.1.1.2.2.2.2-:4:N:.:7;A;Q;.=~>.>.>.>.>.>.>.?)?.?......X....0.0.0-1e1j1u1.1.2.2.2.3.3%7B7\7.8&979.9.9.:.:.:.;.;.;.;k<.<.<]=r=w=.=.=.=.=.=...........0F1J1N1R1V1Z1^1b1f1j1n1r1v1z1~1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2.2.2.2.2.2.2.2"2&22.22262:2>2B2F2J2N2R2V2Z2^2b2f2j2n2r2v

C:\Users\user\AppData\Local\Temp\Teams

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	68608
Entropy (8bit):	6.508171791599198
Encrypted:	false
SSDEEP:	768:+vgmy/bJCVKSb279sAOOWNMZmwfHh17McqQHEdQ7iwDIUKo+jBAfe6TtgguvkFe4:+S/4KS+9sAO+kdIlDbKffUCJ5h3Fa
MD5:	29CB38F95A85EAC953F55FBB66846288
SHA1:	963CD51AE652D58E6DFE2498E4BA8427148F1D9C
SHA-256:	38C5DCC4CC3D454FAE7E607EE72A536AC01FD9F349B4FC20B2B02519DCABCBF8
SHA-512:	5A2D63C608BCE69829A3F851211656C4B6796D7BD404D4C3F51E31D968507937ED736E96251AC72A35095648F8ACE06EAC664C41EB999CA5B6433EDDCAA242E3
Malicious:	false
Preview:	N....D$..A..D$..A..D$..A..L$..D$....1r...t$..t$.....I..x.K..L$..c.....K...t.V.L$...o.....K..L$..c....u...L$..c..........S....I..........h..K..L$$.Qq...D$0P.L$$..n..h..K..L$$..o...=..I.3.SSS.t$,...uch.K..L$$..n...D$.P.L$$.n..h..K..L$$..o..SSS.t$,...t..u....i....F.......h..K..L$$.n..SSS.t$,.....u....=....F........L$ .!s.....u.........&..F......L$...s...L$0..r.._^3.[..]...U..QS.].VW.E...{..r..C..H..D.....t..E...C..p....;....F..8.C..0...*....F....u......Y..u..u.......&..F....._^3.[..]...U..E.V.@..0.......N../.....u..u....W....&..F.....3.^]...U......LSVW.}..L$..G..D$..G..0......F..L$H.0.o..3..D$..j..\$..\$$.\$(.\$,.\$0.\$4.\$8....I...9\$L..c....L$H.k.......R....L$H....\|$..v-.G..H........t..D$...G..H......$.......$..D$..t$..L$..D$4.t$.P.D$4P.D$0P.t$\.LM....u.........8\$........M..I...j...j.W....L$,.D$D....L$8.L$$.L$<.\$@Sj.PW.D$T.....".......L$8......D$(.D$8.D$,j..D$@.D$<j.PW.\$P.D$T............L$8.....D$0.D$8.D$4j..D$@XP.D$H.D$<j.PW.\$P.......L$8....E.}.......

C:\Users\user\AppData\Local\Temp\Translation

Download File

Process:	C:\Users\user\Desktop\lem.exe
File Type:	data
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	7.904998289502859
Encrypted:	false
SSDEEP:	1536:kEKNcpzjIqIinTglynkQ3+EX0eomqewgMQjH:kE9pzjIqnnTJkQ3+FnkjH
MD5:	8942096633510A8F6C2BA6398A67417D
SHA1:	FE2CFE87AF1482D33C824D59D6B2509BF8AF58AD
SHA-256:	C9EAC22D2711A6C9D7A5664C7DD286529F645EF0D19C8D0855E52DC8C637C6A4
SHA-512:	E6627D3E559F7F5AA4AFD33C84516337D9FA1C614BE4E6F2321F26924C342558399424620A61B821FE1E58D1B0E1FBCEF77370796A68379781C69E8193019FC0
Malicious:	false
Preview:	..D...(..C/.....j.P.011..Wo..NEz8.vn7.`O..../.i..z..F..:.o..L......1..{_9. 7.L.....<l...A...v)...J........+.,...b=t.W!."_k.....t.9g.1.'s.&.......M.....p.M7att..J..v..o[.?.}..=mI3...i&....g.X.MH.R..............q......hD.../Fh.Lc../.s..........I.E!~.+.......(.8.y..R....2.PA.G'...t..tb.....\|Y.i...R..Z.....~...`.. -Y .....k.>........"..=.....(.....h4Pi.Af...T...D..`......u.....=~...B5p.A.t].9...u.(#..d.F..3"v.D.....9.v..'..t.\|..R.k......n....4bYRS..f.Tr...[..!....YHjfr..c....L......3L..(.9.y.G..^.p...9..r.....7.....\|..@G.f\.8.......!.0.(...#G..!..Uv~..e..b.d?..!....#.....H5......f....A.\.N....?mx.\|D$5...:...C..B.9P.:hG.[.......c..E.pg.D.....$...4..<..1.!....nvR.\.N.eG!..L. ..b.....8~..~.o..W..b....7.X.i...d..B.S...r.......[.q....GVR:.?3...c..\k...>..B....Y..Jv....."...K..N...R..2.C.]L..@.........2fr.C..@...t:h4...d...^.IS..F..b.../.....y..0..SM.9....o<....j....Fl.....TJYm7..".D.....t.a2..m./4C~..J.=..SO:.e..j..d.d."v........GY..1...H.X

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9742719182267425
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	lem.exe
File size:	879'213 bytes
MD5:	7aec38c6f23f36dbf2698d116efebca5
SHA1:	7094d6969973a686765978a661845078bbbf04c3
SHA256:	efa6c45930146d4fcec3793aaab65626df16363643b1452ccdc4e77ac56fb40f
SHA512:	ad598d8b5b23971677c352729b479fe51a04c722b97ea3869f374498030936329ba4e5b36e2713b72d0aeb382d6e05698dba044367106e277d695cb461bae419
SSDEEP:	24576:FPgnJI9ACUvVBQWnNYMFm0ykNNcw0xGJWW45:EQUvzQWj7ykNNcRxGv45
TLSH:	801523C28BE8C087DAF60FFA38351530D57572161171C79B6378C8DA36D6346AAB82B7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8.....

File Icon


Icon Hash:	b8f0e0b0b0b0b038

Static PE Info

General

Entrypoint:	0x403883
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	03/11/2023 00:00:00 04/11/2025 23:59:59
Subject Chain	CN=Adobe Inc., OU=Acrobat DC, O=Adobe Inc., L=San Jose, S=ca, C=US, SERIALNUMBER=2748129, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	464C015DAA50884AB4DD5502E6B164B0
Thumbprint SHA-1:	96B7B1EF175BBA4BDE33A05402134289B28B5BCB
Thumbprint SHA-256:	ABC429325881B54BEC561B7B5A635E0E0AC9C94742F1324EBE5EB9AF6AE0CCC5
Serial:	0D1A340F78D7D000E089FDBAAD6522DF

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [00472EB8h], eax
call 00007F233CF116EBh
push ebp
push 000002B4h
mov dword ptr [00472DD0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 0046ADC0h
call 00007F233CF113CDh
call dword ptr [004080B0h]
push eax
mov edi, 004C30A0h
push edi
call 00007F233CF113BBh
push ebp
call dword ptr [00408134h]
cmp word ptr [004C30A0h], 0022h
mov dword ptr [00472DD8h], eax
mov eax, edi
jne 00007F233CF0ECBAh
push 00000022h
pop esi
mov eax, 004C30A2h
push esi
push eax
call 00007F233CF11091h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F233CF0ED43h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F233CF0ECBAh
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b34	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0x2f88	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xd40cd	0x29a0	.ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0x964	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6dae	0x6e00	00499a6f70259150109c809d6aa0e6ed	False	0.6611150568181818	data	6.508529563136936	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x2a62	0x2c00	07990aaa54c3bc638bb87a87f3fb13e3	False	0.3526278409090909	data	4.390535020989255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x67ebc	0x200	014871d9a00f0e0c8c2a7cd25606c453	False	0.203125	data	1.4308602597540492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x73000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf4000	0x2f88	0x3000	b21478a212bee0b86229caeb7f4111d0	False	0.7410481770833334	data	7.096616167215212	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf7000	0xf32	0x1000	54a4edf465826632590ac58d1334beb5	False	0.732421875	data	7.130531204444497	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf41c0	0x171c	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0018593644354294
RT_ICON	0xf58e0	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.4722222222222222
RT_DIALOG	0xf6a08	0x100	data	English	United States	0.5234375
RT_DIALOG	0xf6b08	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0xf6c28	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0xf6c88	0x22	data	English	United States	0.9411764705882353
RT_MANIFEST	0xf6cb0	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 4, 2024 21:28:06.547460079 CEST	49738	443	192.168.2.4	149.154.167.99
Jul 4, 2024 21:28:06.547501087 CEST	443	49738	149.154.167.99	192.168.2.4
Jul 4, 2024 21:28:06.547590017 CEST	49738	443	192.168.2.4	149.154.167.99
Jul 4, 2024 21:28:06.558533907 CEST	49738	443	192.168.2.4	149.154.167.99
Jul 4, 2024 21:28:06.558552980 CEST	443	49738	149.154.167.99	192.168.2.4
Jul 4, 2024 21:28:07.199434996 CEST	443	49738	149.154.167.99	192.168.2.4
Jul 4, 2024 21:28:07.199626923 CEST	49738	443	192.168.2.4	149.154.167.99
Jul 4, 2024 21:28:07.246970892 CEST	49738	443	192.168.2.4	149.154.167.99
Jul 4, 2024 21:28:07.246990919 CEST	443	49738	149.154.167.99	192.168.2.4
Jul 4, 2024 21:28:07.247191906 CEST	443	49738	149.154.167.99	192.168.2.4
Jul 4, 2024 21:28:07.247246027 CEST	49738	443	192.168.2.4	149.154.167.99
Jul 4, 2024 21:28:07.250189066 CEST	49738	443	192.168.2.4	149.154.167.99
Jul 4, 2024 21:28:07.296494961 CEST	443	49738	149.154.167.99	192.168.2.4
Jul 4, 2024 21:28:07.512161016 CEST	443	49738	149.154.167.99	192.168.2.4
Jul 4, 2024 21:28:07.512192011 CEST	443	49738	149.154.167.99	192.168.2.4
Jul 4, 2024 21:28:07.512233019 CEST	443	49738	149.154.167.99	192.168.2.4
Jul 4, 2024 21:28:07.512249947 CEST	443	49738	149.154.167.99	192.168.2.4
Jul 4, 2024 21:28:07.512259960 CEST	49738	443	192.168.2.4	149.154.167.99
Jul 4, 2024 21:28:07.512286901 CEST	49738	443	192.168.2.4	149.154.167.99
Jul 4, 2024 21:28:07.512331009 CEST	49738	443	192.168.2.4	149.154.167.99
Jul 4, 2024 21:28:07.514384031 CEST	49738	443	192.168.2.4	149.154.167.99
Jul 4, 2024 21:28:07.514405966 CEST	443	49738	149.154.167.99	192.168.2.4
Jul 4, 2024 21:28:07.519687891 CEST	49739	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:07.524771929 CEST	5432	49739	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:07.524854898 CEST	49739	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:07.525083065 CEST	49739	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:07.529848099 CEST	5432	49739	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:08.267693996 CEST	5432	49739	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:08.267715931 CEST	5432	49739	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:08.267807961 CEST	49739	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:08.290250063 CEST	49739	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:08.295219898 CEST	5432	49739	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:08.509763956 CEST	5432	49739	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:08.509835958 CEST	49739	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:08.510493040 CEST	49739	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:08.516103983 CEST	5432	49739	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:09.003071070 CEST	5432	49739	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:09.003154993 CEST	49739	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:09.006453037 CEST	49740	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:09.011996031 CEST	5432	49740	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:09.012079000 CEST	49740	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:09.012310028 CEST	49740	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:09.021168947 CEST	5432	49740	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:09.692163944 CEST	5432	49740	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:09.692240000 CEST	49740	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:09.692744017 CEST	49740	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:09.695211887 CEST	49740	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:09.697997093 CEST	5432	49740	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:09.700206041 CEST	5432	49740	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:10.375565052 CEST	5432	49740	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:10.375667095 CEST	49740	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:10.377055883 CEST	49739	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:10.377599955 CEST	49741	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:10.382826090 CEST	5432	49741	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:10.382911921 CEST	49741	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:10.382926941 CEST	5432	49739	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:10.382987022 CEST	49739	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:10.383224010 CEST	49741	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:10.387979031 CEST	5432	49741	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:11.056463003 CEST	5432	49741	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:11.056575060 CEST	49741	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:11.057121038 CEST	49741	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:11.059300900 CEST	49741	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:11.061872959 CEST	5432	49741	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:11.064136982 CEST	5432	49741	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:11.733175993 CEST	5432	49741	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:11.733191967 CEST	5432	49741	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:11.733300924 CEST	49741	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:11.734901905 CEST	49740	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:11.735398054 CEST	49742	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:11.742619991 CEST	5432	49740	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:11.742633104 CEST	5432	49742	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:11.742697954 CEST	49740	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:11.742755890 CEST	49742	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:11.742950916 CEST	49742	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:11.750003099 CEST	5432	49742	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:12.424366951 CEST	5432	49742	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:12.424506903 CEST	49742	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:12.424968958 CEST	49742	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:12.426811934 CEST	49742	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:12.429908037 CEST	5432	49742	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:12.431633949 CEST	5432	49742	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:13.154258966 CEST	5432	49742	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:13.154280901 CEST	5432	49742	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:13.154298067 CEST	5432	49742	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:13.154376030 CEST	5432	49742	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:13.154395103 CEST	5432	49742	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:13.154408932 CEST	5432	49742	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:13.154419899 CEST	5432	49742	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:13.154460907 CEST	49742	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:13.154520988 CEST	49742	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:13.156362057 CEST	49741	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:13.156881094 CEST	49743	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:13.162739038 CEST	5432	49741	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:13.162852049 CEST	49741	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:13.163028002 CEST	5432	49743	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:13.163149118 CEST	49743	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:13.163585901 CEST	49743	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:13.168387890 CEST	5432	49743	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:13.839701891 CEST	5432	49743	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:13.839785099 CEST	49743	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:13.840204000 CEST	49743	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:13.841960907 CEST	49743	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:13.844966888 CEST	5432	49743	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:13.846760035 CEST	5432	49743	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:14.503355980 CEST	5432	49743	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:14.503438950 CEST	49743	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:14.586200953 CEST	49742	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:14.586631060 CEST	49744	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:14.591337919 CEST	5432	49742	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:14.591404915 CEST	49742	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:14.591407061 CEST	5432	49744	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:14.591470957 CEST	49744	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:14.591706991 CEST	49744	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:14.596467018 CEST	5432	49744	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:15.297875881 CEST	5432	49744	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:15.297949076 CEST	49744	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:15.319634914 CEST	49744	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:15.324153900 CEST	49744	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:15.324215889 CEST	49744	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:15.324397087 CEST	5432	49744	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:15.328926086 CEST	5432	49744	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:15.328939915 CEST	5432	49744	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:15.329019070 CEST	5432	49744	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:15.329030037 CEST	5432	49744	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:15.329071999 CEST	5432	49744	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:15.329082012 CEST	5432	49744	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:15.329091072 CEST	5432	49744	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:15.830415010 CEST	49743	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:15.830949068 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:15.835570097 CEST	5432	49743	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:15.835661888 CEST	49743	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:15.835755110 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:15.835819006 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:15.836054087 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:15.840773106 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.081392050 CEST	5432	49744	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.081480026 CEST	49744	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:16.514456987 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.514569998 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:16.514961004 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:16.517230988 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:16.519936085 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.522207022 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.879221916 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.879240036 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.879252911 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.879267931 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.879290104 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:16.879301071 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.879313946 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:16.879313946 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.879329920 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.879342079 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.879343987 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:16.879376888 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:16.879399061 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:16.879473925 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.879486084 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.879498005 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.879523993 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:16.879537106 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:16.884205103 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.884227991 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.884260893 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:16.884277105 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:16.884392023 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.884438992 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:16.967346907 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.967365026 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.967477083 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:16.989425898 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.989439011 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.989449978 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.989512920 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:16.989533901 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:16.993336916 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.993349075 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.993364096 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:16.993412018 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:16.993455887 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.000890970 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.000902891 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.000914097 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.000948906 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.000992060 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.008503914 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.008514881 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.008526087 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.008560896 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.008589029 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.018423080 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.018477917 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.018713951 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.018764973 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.019259930 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.019313097 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.019530058 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.019582033 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.025584936 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.025595903 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.025607109 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.025635958 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.025665998 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.034498930 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.034511089 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.034523010 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.034560919 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.034594059 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.044199944 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.044212103 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.044223070 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.044250965 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.044281960 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.054485083 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.054497957 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.054507971 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.054542065 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.054564953 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.058099031 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.058109999 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.058152914 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.082856894 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.082866907 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.082914114 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.082930088 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.083031893 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.083045959 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.083062887 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.083084106 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.083107948 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.102482080 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.102494955 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.102507114 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.102535963 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.102559090 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.106281042 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.106328011 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.106367111 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.106415987 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.106422901 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.106432915 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.106473923 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.113894939 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.113948107 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.113960028 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.113970995 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.113991022 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.114021063 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.114057064 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.121881008 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.121939898 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.121978998 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.121989965 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.121999979 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.122028112 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.122052908 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.129332066 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.129348993 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.129360914 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.129389048 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.129431009 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.136904001 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.136917114 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.136926889 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.136957884 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.136985064 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.144535065 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.144567013 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.144577980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.144587994 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.144625902 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.152354002 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.152374029 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.152431011 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.152453899 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.152486086 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.152522087 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.152530909 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.152565002 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.159528971 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.159620047 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.159626007 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.159631968 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.159677029 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.159687996 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.159718037 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.159766912 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.166347980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.166359901 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.166372061 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.166425943 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.166460991 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.172601938 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.172662973 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.173443079 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.173500061 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.175698996 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.175709963 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.175720930 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.175764084 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.175807953 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.181549072 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.181570053 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.181581020 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.181622982 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.181646109 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.187079906 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.187133074 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.187139034 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.187144041 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.187192917 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.192631960 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.192643881 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.192653894 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.192691088 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.192706108 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.198206902 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.198219061 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.198227882 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.198275089 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.203870058 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.203910112 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.203919888 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.203974009 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.204022884 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.209466934 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.209487915 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.209497929 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.209538937 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.209572077 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.215189934 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.215214014 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.215224028 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.215373993 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.220819950 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.220869064 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.220879078 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.220880985 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.220928907 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.224800110 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.224812031 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.224822044 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.224860907 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.224874973 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.227813959 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.227833986 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.227873087 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.227886915 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.227965117 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.227974892 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.228019953 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.231595039 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.231606007 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.231621027 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.231662035 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.231678009 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.235090017 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.235104084 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.235116959 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.235260963 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.238867998 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.238881111 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.238889933 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.238928080 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.238956928 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.242029905 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.242048979 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.242058992 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.242089987 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.242105961 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.245573044 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.245584965 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.245594978 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.245628119 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.245641947 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.249172926 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.249190092 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.249201059 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.249228001 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.249249935 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.252453089 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.252464056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.252474070 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.252502918 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.252537012 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.256249905 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.256293058 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.256302118 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.256335974 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.256357908 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.259525061 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.259536028 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.259546041 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.259574890 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.259602070 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.263132095 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.263189077 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.263226032 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.263267040 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.263273001 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.263312101 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.266650915 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.266717911 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.266720057 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.266729116 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.266766071 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.270045042 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.270056963 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.270066023 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.270097971 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.270112991 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.273638964 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.273659945 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.273669958 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.273689985 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.273710012 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.277223110 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.277278900 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.277304888 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.277319908 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.277417898 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.280456066 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.280513048 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.280554056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.280572891 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.280584097 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.280611038 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.280639887 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.284173012 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.284183979 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.284193993 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.284226894 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.284256935 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.287698030 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.287744045 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.287754059 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.287779093 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.287801981 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.291251898 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.291261911 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.291273117 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.291300058 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.291330099 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.294725895 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.294745922 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.294756889 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.294780970 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.294804096 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.298144102 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.298202991 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.298213005 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.298230886 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.298249006 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.298275948 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.298300028 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.301620960 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.301631927 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.301683903 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.301685095 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.301714897 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.301729918 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.301759005 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.305109978 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.305123091 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.305149078 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.305165052 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.305185080 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.305191994 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.305228949 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.308653116 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.308664083 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.308675051 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.308706999 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.308723927 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.312051058 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.312062979 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.312072992 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.312225103 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.315327883 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.315339088 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.315411091 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.315416098 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.315458059 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.315473080 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.315517902 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.318594933 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.318608046 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.318617105 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.318662882 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.318691015 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.322047949 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.322057962 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.322108984 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.322124004 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.322134018 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.322180986 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.325371027 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.325382948 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.325392962 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.325434923 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.325452089 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.328399897 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.328413963 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.328429937 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.328464985 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.328496933 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.331391096 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.331437111 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.331446886 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.331449032 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.331482887 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.334549904 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.334561110 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.334572077 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.334610939 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.334626913 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.334636927 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.334683895 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.337599039 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.337627888 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.337639093 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.337646961 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.337678909 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.340572119 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.340617895 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.340631008 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.340631008 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.340642929 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.340662956 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.340701103 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.343638897 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.343651056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.343660116 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.343698978 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.343713999 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.345839977 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.345851898 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.345861912 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.345896959 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.345913887 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.348089933 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.348133087 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.348155022 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.348186016 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.348216057 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.348226070 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.348267078 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.350338936 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.350348949 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.350398064 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.350428104 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.350436926 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.350480080 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.350521088 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.352746010 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.352756977 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.352766991 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.352811098 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.352838039 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.355243921 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.355253935 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.355298042 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.355313063 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.355365038 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.355376959 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.355417967 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.357021093 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.357031107 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.357040882 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.357073069 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.357119083 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.359527111 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.359538078 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.359548092 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.359591961 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.359606028 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.361301899 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.361355066 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.361363888 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.361371994 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.361397982 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.361406088 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.361418009 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.361450911 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.363287926 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.363328934 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.363338947 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.363369942 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.363380909 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.363390923 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.363429070 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.365370989 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.365381002 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.365432024 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.365463972 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.365473986 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.365524054 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.367388010 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.367400885 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.367414951 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.367446899 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.367479086 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.369285107 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.369297028 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.369308949 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.369335890 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.369358063 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.371272087 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.371282101 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.371326923 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.371360064 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.371370077 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.371398926 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.371431112 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.373533964 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.373545885 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.373557091 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.373594046 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.373620987 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.377579927 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.377628088 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.377655029 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.377675056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.377679110 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.377686024 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.377721071 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.379543066 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.379551888 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.379596949 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.379626036 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.379635096 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.379661083 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.379690886 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.379719973 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.380337954 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.380348921 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.380392075 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.380425930 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.380466938 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.380475998 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.380515099 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.382251978 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.382299900 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.382303953 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.382311106 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.382349014 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.382364988 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.384221077 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.384242058 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.384253025 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.384269953 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.384284019 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.384306908 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.385894060 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.385905027 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.385915995 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.385943890 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.385958910 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.387671947 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.387712955 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.387726068 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.387761116 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.387763023 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.387783051 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.387809992 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.387824059 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.389358997 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.389369965 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.389380932 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.389420986 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.389445066 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.390995979 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.391040087 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.391052008 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.391086102 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.391115904 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.391125917 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.391163111 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.392756939 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.392776012 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.392818928 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.392844915 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.392853975 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.392863989 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.392900944 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.394500971 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.394512892 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.394524097 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.394553900 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.394570112 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.396158934 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.396178007 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.396228075 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.396286964 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.396332026 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.396351099 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.397856951 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.397870064 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.397885084 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.397902966 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.397919893 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.399502039 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.399548054 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.399563074 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.399606943 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.399624109 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.399633884 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.399666071 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.399679899 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.401123047 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.401165009 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.401169062 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.401180029 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.401190996 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.401206017 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.401228905 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.401245117 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.402721882 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.402734041 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.402745008 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.402771950 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.402795076 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.404274940 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.404284000 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.404321909 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.404341936 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.404342890 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.404352903 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.404385090 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.405935049 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.405945063 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.405982018 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.406019926 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.406032085 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.406060934 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.406088114 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.407438040 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.407449007 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.407500029 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.407526016 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.407546997 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.407572031 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.407597065 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.408973932 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.408987999 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.409008026 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.409033060 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.409065008 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.410434961 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.410444975 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.410484076 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.410521984 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.410531998 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.410566092 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.411923885 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.411945105 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.411968946 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.411984921 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.412029028 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.412049055 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.412071943 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.412089109 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.413547993 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.413599014 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.413609982 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.413625002 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.413640022 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.413654089 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.414982080 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.414993048 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.415028095 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.415041924 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.415064096 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.415075064 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.415105104 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.415118933 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.416439056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.416454077 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.416479111 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.416500092 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.416518927 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.416531086 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.416557074 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.416570902 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.418214083 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.418224096 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.418256044 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.418271065 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.418272018 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.418313026 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.418325901 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.418365955 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.421338081 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.421360016 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.421372890 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.421384096 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.421386003 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.421406031 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.421417952 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.421617031 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.421658993 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.421715975 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.421757936 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.427545071 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.427556992 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.427567959 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.427647114 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.427684069 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.427717924 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.427783966 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.427797079 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.427825928 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.427854061 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.427880049 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.427891016 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.427925110 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.427946091 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.433468103 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.433479071 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.433490992 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.433517933 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.433532953 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.433609962 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.433656931 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.433665037 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.433676958 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.433705091 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.433720112 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.440339088 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.440351009 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.440366030 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.440397024 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.440408945 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.440411091 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.440427065 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.440445900 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.440448999 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.440457106 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.440459967 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.440501928 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.440501928 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.445287943 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.445334911 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.445341110 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.445350885 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.445369005 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.445379972 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.445379972 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.445390940 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.445414066 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.445427895 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.445446014 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.445457935 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.445487022 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.445499897 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.451261044 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.451272011 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.451313019 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.451319933 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.451359034 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.451380968 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.451394081 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.451427937 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.451443911 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.451455116 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.451466084 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.451497078 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.451519012 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.457349062 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.457357883 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.457396984 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.457413912 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.457452059 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.457464933 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.457474947 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.457504034 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.457525015 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.457528114 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.457540035 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.457551003 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.457578897 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.457591057 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.463474035 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.463491917 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.463504076 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.463521957 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.463529110 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.463541985 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.463558912 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.463769913 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.463815928 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.463882923 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.463893890 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.463905096 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.463928938 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.463943958 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.470330954 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.470349073 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.470361948 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.470375061 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.470402956 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.470442057 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.470525980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.470573902 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.470575094 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.470587015 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.470596075 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.470618010 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.470639944 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.474047899 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.474091053 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.474097013 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.474102974 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.474138975 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.474154949 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.474157095 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.474172115 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.474203110 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.474231958 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.474380016 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.474419117 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.474432945 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.474469900 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.479294062 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.479334116 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.479345083 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.479346037 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.479358912 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.479382992 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.479394913 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.479554892 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.479604006 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.479624987 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.479635954 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.479645967 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.479671001 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.479688883 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.484457970 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.484477997 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.484535933 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.484535933 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.484566927 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.484577894 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.484589100 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.484616041 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.484633923 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.484636068 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.484647989 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.484658957 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.484692097 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.484720945 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.489583015 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.489594936 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.489607096 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.489654064 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.489655018 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.489665985 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.489666939 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.489710093 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.489905119 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.489917994 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.489953041 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.494288921 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.494301081 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.494313002 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.494324923 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.494436026 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.494457960 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.494488955 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.494489908 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.494502068 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.494513035 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.494534016 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.494550943 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.497359037 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.497370005 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.497421026 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.497453928 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.497464895 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.497474909 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.497503996 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.497509956 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.497515917 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.497528076 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.497529030 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.497560978 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.497589111 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.501914024 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.501924992 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.501976967 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.502008915 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.502021074 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.502032042 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.502064943 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.502064943 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.502079010 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.502085924 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.502090931 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.502125978 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.502140999 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.506587982 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.506601095 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.506612062 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.506623983 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.506644964 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.506673098 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.506717920 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.506752968 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.506762028 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.506776094 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.506788015 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.506794930 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.506819010 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.506839037 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.517524004 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.517537117 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.517549038 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.517580032 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.517615080 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.517677069 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.517688990 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.517699957 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.517728090 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.517743111 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.517824888 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.517837048 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.517848969 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.517860889 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.517873049 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.517916918 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.518675089 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.518687963 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.518698931 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.518712044 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.518738031 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.518763065 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.530445099 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.530456066 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.530546904 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.530567884 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.530580044 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.530590057 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.530622959 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.530633926 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.530644894 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.530643940 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.530710936 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.541263103 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.541276932 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.541287899 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.541312933 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.541323900 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.541336060 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.541347980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.541354895 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.541394949 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.541409016 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.547251940 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.547296047 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.547307014 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.547326088 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.547348022 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.547414064 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.547455072 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.547462940 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.547466993 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.547498941 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.547503948 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.547509909 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.547542095 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.547580004 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.553601980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.553617001 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.553636074 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.553672075 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.553683996 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.553695917 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.553709030 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.553715944 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.553723097 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.553735018 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.554042101 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.554054022 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.554065943 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.554080009 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.554080009 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.554104090 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.554104090 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.554112911 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.554124117 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.554136038 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.554147005 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.554157019 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.554194927 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.560390949 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.560403109 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.560416937 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.560475111 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.560492992 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.560595989 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.560648918 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.560693979 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.560722113 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.560770035 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.564102888 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.564157963 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.564169884 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.564210892 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.564207077 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.564229012 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.564251900 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.564306974 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.564440012 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.564491987 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.564495087 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.564546108 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.571213961 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.571274996 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.571368933 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.571379900 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.571441889 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.571481943 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.571494102 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.571506023 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.571518898 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.571541071 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.571568012 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.573405027 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.573479891 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.579592943 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.579682112 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.579682112 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.579694986 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.579726934 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.579750061 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.579823017 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.579833984 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.579845905 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.579859018 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.579878092 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.579912901 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.580019951 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.580065966 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.580073118 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.580120087 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.580290079 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.580327988 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.580342054 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.580374002 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.580389023 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.580399990 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.580410957 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.580446959 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.580477953 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.584176064 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.584197998 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.584208012 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.584235907 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.584286928 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.584299088 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.584310055 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.584389925 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.584389925 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.584389925 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.584664106 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.584712982 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.584744930 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.584788084 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.587322950 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.587373972 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.587393999 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.587405920 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.587435007 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.587445974 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.587455034 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.587456942 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.587477922 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.587505102 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.587877035 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.587888956 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.587933064 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.592130899 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.592143059 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.592154980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.592165947 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.592178106 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.592184067 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.592189074 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.592201948 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.592212915 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.592231035 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.592257023 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.596642017 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.596653938 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.596663952 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.596676111 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.596721888 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.596723080 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.596734047 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.596745014 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.596756935 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.596779108 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.596791983 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.607415915 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.607511044 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.607527018 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.607537985 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.607548952 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.607561111 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.607579947 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.607597113 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.607609987 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.607621908 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.607671976 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.607671976 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.607671976 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.607671976 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.608161926 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.608419895 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.608465910 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.608524084 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.608571053 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.608586073 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.608596087 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.608623981 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.608633041 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.608634949 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.608653069 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.608675957 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.631246090 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.631259918 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.631272078 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.631278038 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.631361008 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.631470919 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.631481886 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.631493092 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.631587982 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.631597996 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.631609917 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.631619930 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.631628990 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.631628990 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.631655931 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.631839037 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.632428885 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.632477045 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.632492065 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.632524967 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.632534981 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.632565975 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.637322903 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.637334108 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.637370110 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.637382030 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.637379885 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.637388945 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.637412071 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.637434006 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.637576103 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.637624025 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.637670994 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.637727022 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.643490076 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.643546104 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.643548965 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.643584967 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.643901110 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.643913031 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.643924952 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.643942118 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.643975973 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.643996000 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.644001961 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.644007921 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.644017935 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.644042015 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.644062042 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.644572973 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.644583941 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.644593954 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.644633055 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.644634008 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.644645929 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.644659042 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.644665003 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.644702911 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.644726038 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.665246964 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.665290117 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.665302038 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.665344000 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.665400982 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.665412903 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.665424109 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.665436983 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.665513992 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.665513992 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.665513992 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.665513992 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.665719032 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.665730000 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.665740967 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.665770054 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.665785074 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.665957928 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.665968895 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.665981054 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.665992022 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.665998936 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.666035891 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.669471979 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.669482946 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.669493914 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.669526100 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.669548988 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.669665098 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.669713974 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.669745922 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.669756889 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.669787884 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.669795036 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.669799089 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.669830084 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.669858932 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.670238972 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.670258999 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.670269966 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.670289993 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.670310974 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.670325041 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.670341969 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.670352936 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.670366049 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.670371056 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.670399904 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.670425892 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.671164036 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.671200037 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.671211004 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.671214104 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.671241999 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.671261072 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.671278000 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.671288967 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.671298981 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.671309948 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.671334028 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.671364069 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.674161911 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.674215078 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.674221039 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.674232006 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.674269915 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.674329042 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.674346924 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.674359083 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.674372911 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.674398899 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.674407005 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.674411058 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.674446106 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.677510977 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.677534103 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.677544117 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.677620888 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.677633047 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.677643061 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.677649021 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.677659035 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.677671909 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.677687883 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.677721977 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.682126045 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.682146072 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.682157993 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.682169914 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.682183981 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.682189941 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.682195902 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.682219982 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.682256937 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.682259083 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.682301998 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.686367989 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.686378002 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.686415911 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.686434031 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.686467886 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.686470985 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.686481953 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.686501026 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.686515093 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.686530113 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.686563015 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.686676025 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.686741114 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.697658062 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.697700024 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.697710037 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.697740078 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.697751045 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.697762966 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.697793007 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.697901964 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.697912931 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.697923899 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.697952986 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.697952986 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.697973013 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.698014021 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.698029995 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.698041916 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.698054075 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.698060989 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.698065042 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.698095083 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.698122025 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.721587896 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.721600056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.721610069 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.721659899 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.721671104 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.721683025 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.721694946 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.721760035 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.721760035 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.721760035 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.721760035 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.721790075 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.721800089 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.721817017 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.721827984 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.721839905 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.721843004 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.721859932 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.721892118 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.721930027 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.721941948 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.721992970 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.727509975 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.727530956 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.727544069 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.727565050 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.727597952 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.727631092 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.727643013 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.727653027 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.727663994 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.727859020 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.733565092 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.733604908 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.733618975 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.733640909 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.733680010 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.733737946 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.733748913 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.733760118 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.733793020 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.733812094 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.734070063 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.734106064 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.734117985 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.734121084 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.734148026 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.734164953 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.734199047 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.734210014 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.734220982 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.734234095 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.734245062 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.734246016 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.734275103 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.734301090 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.744294882 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.744333982 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.744347095 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.744369984 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.744381905 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.744396925 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.744438887 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.744508028 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.744544983 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.744544983 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.744544983 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.748176098 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.755184889 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.755194902 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.755238056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.755278111 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.755279064 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.755314112 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.755326033 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.755333900 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.755357027 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.755367994 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.755368948 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.755398035 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.755423069 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.759687901 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.759722948 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.759736061 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.759753942 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.759772062 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.759777069 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.759814024 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.759814978 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.759866953 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.759877920 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.759926081 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.759978056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.759989023 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.760006905 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.760025024 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.760030985 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.760044098 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.760051012 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.760056019 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.760082960 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.760096073 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.760374069 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.760386944 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.760397911 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.760430098 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.760437965 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.760449886 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.760449886 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.760462046 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.760473967 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.760504961 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.760519028 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.764630079 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.764652014 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.764707088 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.764800072 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.764846087 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.764887094 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.764903069 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.764914036 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.764929056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.764940977 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.764941931 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.764971972 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.764986992 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.767885923 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.767898083 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.767910004 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.767920017 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.767932892 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.767946005 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.767952919 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.767959118 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.767967939 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.768018007 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.776638985 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.776650906 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.776668072 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.776678085 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.776689053 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.776700020 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.776700974 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.776712894 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.776717901 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.776737928 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.776755095 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.787587881 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.787626982 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.787638903 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.787672997 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.787703991 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.787729979 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.787766933 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.787776947 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.787787914 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.787801027 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.787813902 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.787817955 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.787826061 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.787837029 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.787847996 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.787849903 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.787866116 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.787889004 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.787949085 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.787960052 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.788002014 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.788192034 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.788202047 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.788232088 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.788240910 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.788273096 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.788288116 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.788300037 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.788341999 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.788434029 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.788445950 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.788458109 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.788467884 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.788501024 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.788501024 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.811677933 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.811734915 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.811745882 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.811784029 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.811795950 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.811800003 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.811810970 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.811822891 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.811844110 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.811872959 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.811906099 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.811918020 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.811933994 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.811944008 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.811961889 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.811980963 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.812036037 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.812046051 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.812108994 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.812119961 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.812129974 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.812165976 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.817554951 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.817565918 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.817573071 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.817625046 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.817718983 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.817728996 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.817740917 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.817751884 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.817778111 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.817795992 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.824632883 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.824744940 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.824754953 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.824793100 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.824804068 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.824805975 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.824815989 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.824842930 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.824877024 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.824879885 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.824894905 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.824907064 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.824918032 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.824934959 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.824953079 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.824961901 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.825228930 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.825241089 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.825252056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.825262070 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.825272083 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.825287104 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.825303078 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.834635973 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.834727049 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.834737062 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.834774971 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.834786892 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.834788084 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.834829092 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.834872961 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.834883928 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.834894896 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.834923983 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.834955931 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.845477104 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.845488071 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.845499992 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.845525026 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.845536947 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.845539093 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.845549107 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.845561028 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.845566034 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.845594883 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.845622063 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.849689007 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.849700928 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.849711895 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.849747896 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.849760056 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.849898100 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.849909067 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.849920988 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.849935055 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.849956989 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.849982023 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.850033045 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.850044012 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.850066900 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.850079060 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.850087881 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.850090981 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.850112915 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.850136042 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.850308895 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.850321054 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.850332975 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.850346088 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.850348949 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.850370884 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.850374937 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.850383043 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.850395918 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.850400925 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.850408077 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.850420952 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.850426912 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.850459099 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.854643106 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.854652882 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.854665995 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.854706049 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.854758024 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.854769945 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.854783058 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.854789972 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.854794979 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.854804993 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.854836941 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.854969025 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.855014086 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.857965946 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.857978106 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.857989073 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.857999086 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.858011007 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.858020067 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.858026981 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.858038902 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.858050108 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.858064890 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.858083010 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.866507053 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.866517067 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.866534948 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.866545916 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.866558075 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.866571903 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.866589069 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.866602898 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.866610050 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.866621017 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.866652012 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.866669893 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.866748095 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.866760969 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.866805077 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.877552986 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.877593994 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.877604961 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.877655983 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.877681017 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.877691984 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.877701998 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.877717018 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.877728939 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.877749920 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.877772093 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.877862930 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.877902985 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.877942085 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.877957106 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.877981901 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.877995968 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.877999067 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.878031015 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.878046036 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.878072977 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.878078938 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.878092051 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.878098011 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.878124952 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.878137112 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.878310919 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.878331900 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.878354073 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.878357887 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.878365040 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.878376961 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.878396034 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.878405094 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.878493071 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.878505945 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.878518105 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.878528118 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.878542900 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.880161047 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.902492046 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.902503967 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.902509928 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.902579069 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.902585983 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.902591944 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.902599096 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.902683973 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.902857065 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.902905941 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.902925968 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.902941942 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.902951956 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.902964115 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.902976990 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.902993917 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.903011084 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.903039932 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.903074980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.903115988 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.911298990 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.911349058 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.911362886 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.911412954 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.911427975 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.911439896 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.911439896 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.911475897 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.911484003 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.911488056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.911520958 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.911550045 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.911633968 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.912347078 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.930332899 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.930358887 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.930370092 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.930397034 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.930418968 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.930432081 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.930437088 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.930444956 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.930474997 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.930491924 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.930515051 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.930563927 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.930619001 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.930639982 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.930665970 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.930680037 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.930687904 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.930699110 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.930741072 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.930819035 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.930830002 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.930845976 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.930867910 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.930886030 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.930939913 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.930965900 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.931013107 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.940032005 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.940072060 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.940088987 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.940138102 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.940164089 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.940234900 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.940247059 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.940258980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.940270901 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.940306902 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.940330982 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.943073034 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943084002 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943095922 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943130016 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.943176985 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.943203926 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943214893 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943226099 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943238974 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943247080 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.943279028 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.943315983 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943327904 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943336964 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943362951 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.943384886 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.943388939 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943401098 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943413973 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943439960 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.943466902 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.943468094 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943480015 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943490028 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943501949 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943521976 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.943550110 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.943911076 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943922043 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943934917 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943953991 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943957090 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.943965912 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.943979979 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.944006920 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.944032907 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.944046021 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.944065094 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.944082022 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.944086075 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.944106102 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.944120884 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.944130898 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.944133997 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.944144011 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.944169998 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.944196939 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.948195934 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.948206902 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.948219061 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.948230982 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.948244095 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.948256016 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.948282003 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.948295116 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.948323965 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.948335886 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.948345900 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.948358059 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.948370934 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.948375940 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.948383093 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.948394060 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.948402882 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.948405981 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.948420048 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.948442936 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.948494911 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.948834896 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.956513882 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.956571102 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.956598043 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.956620932 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.956648111 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.956707001 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.956724882 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.956737995 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.956748962 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.956760883 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.956773996 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.956798077 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.967561960 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.967585087 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.967602015 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.967632055 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.967643023 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.967679977 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.967732906 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.967744112 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.967781067 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.967850924 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.967863083 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.967875004 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.967900038 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.967928886 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.967941999 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.967951059 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.967987061 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.967994928 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.968005896 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.968018055 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.968030930 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.968035936 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.968063116 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.968066931 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.968077898 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.968100071 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.968127012 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.968128920 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.968142033 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.968179941 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.968269110 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.968281984 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.968293905 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.968333960 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.968337059 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.968353033 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.968357086 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.968383074 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.968404055 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.992511034 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.992523909 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.992536068 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.992566109 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.992580891 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.992582083 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.992593050 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.992604971 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.992609978 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.992624998 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.992645979 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.992712975 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.992773056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.992784023 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.992796898 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.992808104 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.992827892 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.992851973 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.992852926 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.992872000 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.992886066 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:17.992913008 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:17.992935896 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.020364046 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.020375013 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.020426035 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.020462990 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.020476103 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.020493984 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.020509958 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.020539045 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.020570040 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.020582914 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.020596027 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.020610094 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.020611048 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.020628929 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.020646095 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.020699978 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.020713091 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.020726919 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.020741940 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.020754099 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.020756006 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.020771027 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.020771980 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.020800114 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.020839930 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.020967007 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.020977020 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.020993948 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.021004915 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.021022081 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.021033049 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.021040916 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.021045923 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.021058083 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.021073103 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.021075010 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.021081924 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.021101952 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.021131992 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.021157980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.021195889 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.030213118 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.030224085 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.030236959 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.030272007 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.030287027 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.030297995 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.030309916 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.030322075 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.030327082 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.030355930 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.030379057 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.032949924 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.032972097 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.032984018 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.032996893 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033025980 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.033061028 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033061981 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.033073902 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033087969 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033099890 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033116102 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.033138990 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.033446074 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033457994 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033471107 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033520937 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.033535004 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.033549070 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033565998 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033577919 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033591032 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033605099 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033611059 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.033636093 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.033654928 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.033680916 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033732891 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033750057 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033775091 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.033796072 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.033839941 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033852100 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033863068 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.033891916 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.033915043 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.034240961 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.034281969 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.034291983 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.034333944 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.034368038 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.034379959 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.034390926 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.034404039 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.034420967 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.034431934 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.034461975 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.038065910 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.038078070 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.038089037 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.038130999 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.038141966 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.038152933 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.038162947 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.038166046 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.038181067 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.038192034 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.038194895 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.038222075 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.038237095 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.038259983 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.038270950 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.038281918 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.038294077 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.038302898 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.038311958 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.038322926 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.038322926 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.038352013 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.038371086 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.046612978 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.046623945 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.046644926 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.046655893 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.046669006 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.046679020 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.046684980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.046696901 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.046762943 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.046782970 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.057522058 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.057562113 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.057596922 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.057634115 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.057667017 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.057673931 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.057677984 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.057689905 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.057743073 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.057748079 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.057766914 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.057796001 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.057837963 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.057851076 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.057881117 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.057895899 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.057918072 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.057923079 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.057929039 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.057950974 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.057964087 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.057964087 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.057974100 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.057990074 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.058022976 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.058032990 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.058070898 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.058079004 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.058105946 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.058125019 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.058149099 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.058161020 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.058171034 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.058197021 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.058212996 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.058223963 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.058224916 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.058238029 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.058250904 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.058267117 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.058303118 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.058388948 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.058437109 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.082540989 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.082552910 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.082560062 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.082609892 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.082623005 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.082637072 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.082647085 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.082648993 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.082731962 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.082746029 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.082757950 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.082808018 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.082828999 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.082839966 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.082869053 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.082870960 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.082880974 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.082896948 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.082905054 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.082906961 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.082940102 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.110450029 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.110476017 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.110481977 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.110543966 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.110549927 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.110558033 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.110563993 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.110641956 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.110656023 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.110656023 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.110682964 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.110702991 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.110714912 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.110742092 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.110768080 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.110769987 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.110779047 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.110790968 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.110817909 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.110832930 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.120064974 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.120106936 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.120120049 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.120168924 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.120182037 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.120193958 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.120194912 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.120234966 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.120238066 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.120254040 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.120260000 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.120265961 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.120291948 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.120306015 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.120310068 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.120321035 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.120361090 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.120445013 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.120456934 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.120469093 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.120486975 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.120498896 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.120517015 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.120551109 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.122992039 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.123002052 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.123008013 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.123054028 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.123064041 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.123065948 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.123076916 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.123090029 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.123102903 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.123128891 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.123156071 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.123778105 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.123790026 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.123801947 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.123836994 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.123861074 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.123868942 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.123879910 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.123892069 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.123908043 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.123928070 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.123950005 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.124106884 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.124126911 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.124176025 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.124277115 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.124289036 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.124301910 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.124315977 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.124317884 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.124346972 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.124351025 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.124362946 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.124375105 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.124393940 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.124406099 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.124407053 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.124433041 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.124460936 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.124464989 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.124476910 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.124516964 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.124563932 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.124608040 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.124628067 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.124639034 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.124650002 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.124674082 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.124696970 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.128149033 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.128171921 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.128184080 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.128196955 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.128243923 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.128254890 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.128266096 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.128312111 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.128350019 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.128360033 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.128371954 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.128391981 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.128415108 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.128426075 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.128427982 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.128437996 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.128449917 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.128459930 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.128498077 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.136545897 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.136555910 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.136581898 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.136609077 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.136651039 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.136662960 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.136672974 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.136679888 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.136719942 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.136737108 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.136748075 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.136784077 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.136820078 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.147592068 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.147604942 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.147618055 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.147656918 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.147663116 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.147675037 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.147686005 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.147691965 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.147703886 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.147706985 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.147742987 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.147770882 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.147869110 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.147881031 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.147891998 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.147923946 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.147927999 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.147939920 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.147953033 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.147979021 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.148005009 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.148015976 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.148026943 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.148056984 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.148071051 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.173238993 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173252106 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173264027 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173285961 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173300028 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173310041 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173316956 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.173322916 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173355103 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173367977 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173377991 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173389912 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.173414946 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.173444986 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173485994 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173487902 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.173496962 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173527956 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.173567057 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173585892 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173598051 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173607111 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.173609018 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173635960 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.173661947 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.173751116 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173768044 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173782110 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173793077 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173813105 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.173841000 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.173886061 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173924923 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.173954010 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173964977 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173976898 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.173999071 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.174016953 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.200529099 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.200541019 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.200548887 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.200587988 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.200593948 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.200599909 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.200607061 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.200679064 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.200716972 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.200751066 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.200763941 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.200782061 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.200793028 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.200804949 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.200805902 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.200824976 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.200840950 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.200869083 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.200877905 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.200877905 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.210138083 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.210150003 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.210160971 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.210200071 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.210211992 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.210216045 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.210227966 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.210242033 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.210261106 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.210282087 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.210316896 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.210329056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.210340023 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.210370064 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.210391045 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.210402012 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.210402966 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.210419893 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.210437059 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.210443974 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.210477114 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.210505009 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.212977886 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.213032007 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.213043928 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.213094950 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.213105917 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.213118076 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.213129044 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.213140965 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.213152885 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.213160038 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.213215113 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.213684082 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.213696003 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.213706970 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.213720083 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.213735104 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.213748932 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.213761091 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.213762999 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.213773012 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.213784933 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.213797092 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.213825941 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.213865995 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.213905096 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.214072943 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.214082956 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.214124918 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.214128971 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.214171886 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.214198112 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.214209080 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.214219093 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.214243889 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.214266062 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.214277029 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.214369059 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.214380980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.214426041 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.214431047 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.214442015 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.214453936 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.214483023 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.214483023 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.214503050 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.214528084 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.214576960 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.214620113 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.214672089 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.218035936 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.218056917 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.218106031 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.218156099 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.218168020 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.218179941 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.218199968 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.218210936 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.218210936 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.218221903 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.218230009 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.218256950 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.218281031 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.218377113 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.218388081 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.218398094 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.218425989 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.218429089 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.218441963 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.218451023 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.218481064 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.218513966 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.218525887 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.218535900 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.218564034 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.218580961 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.226604939 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.226617098 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.226670027 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.226675987 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.226680994 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.226691961 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.226705074 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.226733923 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.226767063 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.226768017 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.226778984 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.226809025 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.226830006 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.237493992 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.237544060 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.237555027 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.237570047 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.237581968 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.237593889 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.237637043 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.237658978 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.237694025 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.237708092 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.237759113 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.237771034 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.237813950 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.237817049 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.237828016 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.237870932 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.237914085 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.237925053 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.237936020 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.237957001 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.237977028 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.237977982 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.237987995 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.238013029 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.238034010 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.263362885 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.263422012 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.263428926 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.263473034 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.263484955 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.263497114 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.263509989 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.263529062 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.263569117 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.263691902 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.263714075 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.263725996 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.263753891 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.263773918 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.263797045 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.263808012 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.263847113 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.263919115 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.263936043 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.263967037 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.263979912 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.263992071 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.263992071 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.264004946 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.264015913 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.264036894 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.264066935 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.264071941 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.264134884 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.264146090 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.264162064 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.264190912 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.264206886 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.290432930 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.290483952 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.290496111 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.290508032 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.290564060 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.290615082 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.290772915 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.290785074 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.290796041 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.290806055 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.290831089 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.290859938 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.300427914 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300441980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300451040 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300514936 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300522089 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300527096 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300533056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300612926 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300625086 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300659895 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300669909 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.300673008 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300719023 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.300730944 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300731897 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.300741911 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300751925 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300775051 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.300777912 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300787926 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300791025 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.300801039 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300806046 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.300827026 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.300851107 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.300873995 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300884962 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300894976 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300908089 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.300926924 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.300951004 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.303071976 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.303092957 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.303106070 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.303183079 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.303196907 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.303210974 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.303227901 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.303240061 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.303262949 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.303283930 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.303646088 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.303667068 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.303680897 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.303697109 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.303702116 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.303736925 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.303771973 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.303791046 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.303885937 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.303898096 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.303910017 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.303935051 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.303972960 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.304146051 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.304157972 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.304169893 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.304198027 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.304223061 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.304274082 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.304285049 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.304327965 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.304379940 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.304394007 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.304446936 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.304488897 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.304498911 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.304510117 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.304521084 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.304533005 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.304537058 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.304553032 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.304584026 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.304609060 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.304620981 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.304657936 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.304687023 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.308130980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.308142900 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.308154106 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.308197021 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.308213949 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.308276892 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.308288097 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.308303118 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.308320045 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.308327913 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.308331013 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.308346987 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.308362007 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.308388948 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.308548927 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.308561087 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.308572054 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.308583021 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.308602095 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.308610916 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.308620930 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.308644056 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.316927910 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.316947937 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.316960096 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.316971064 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.316984892 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.316996098 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.317008972 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.317011118 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.317019939 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.317054987 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.317079067 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.333867073 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.333880901 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.333893061 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.333947897 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.333950996 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.333961964 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.333973885 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.333980083 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.333986998 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.334029913 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.334042072 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.334115982 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.334126949 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.334140062 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.334161997 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.334168911 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.334176064 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.334187031 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.334192038 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.334213018 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.334239006 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.358423948 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358468056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358480930 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358573914 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358587980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358599901 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358628988 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.358633995 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358645916 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358655930 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358664036 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358669996 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358675003 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.358702898 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.358715057 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.358751059 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358762980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358772993 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358800888 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.358831882 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.358856916 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358867884 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358880043 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358891010 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358905077 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358912945 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.358964920 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.358969927 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.358983040 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.359023094 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.380907059 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.380934954 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.380947113 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.381001949 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.381014109 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.381017923 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.381026030 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.381038904 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.381083965 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.381105900 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.391110897 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391124010 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391135931 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391155958 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391169071 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391181946 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.391185045 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391199112 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391210079 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391212940 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.391222000 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391235113 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.391241074 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391252995 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391258955 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.391264915 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391277075 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391288996 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391289949 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.391302109 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391304016 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.391314983 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391329050 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391334057 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.391340971 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391354084 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391359091 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.391365051 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391376972 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.391386986 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.391413927 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.391433001 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.393002033 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.393013000 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.393032074 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.393090963 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.393102884 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.393112898 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.393126011 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.393143892 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.393162966 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.393183947 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.393753052 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.393923998 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.393934965 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.393940926 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.393948078 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.393959999 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.393971920 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.393975019 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.393986940 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.394005060 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.394036055 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.394058943 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.394103050 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.394179106 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.394190073 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.394201994 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.394213915 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.394227028 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.394256115 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.394268990 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.394289970 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.394301891 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.394313097 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.394337893 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.394357920 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.394522905 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.394534111 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.394547939 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.394582033 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.394591093 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.394602060 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.394613028 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.394654036 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.394794941 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.394815922 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.394865036 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.398143053 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.398196936 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.398227930 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.398237944 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.398293972 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.398294926 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.398305893 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.398318052 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.398325920 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.398330927 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.398344040 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.398365974 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.398382902 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.398386955 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.398411036 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.398444891 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.398545980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.398556948 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.398569107 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.398606062 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.398622036 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.398623943 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.398633957 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.398647070 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.398677111 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.398701906 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.407464981 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.407529116 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.407531023 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.407541990 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.407596111 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.407599926 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.407610893 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.407623053 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.407624006 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.407635927 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.407651901 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.407681942 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.418984890 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.419028997 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.419042110 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.419056892 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.419109106 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.419138908 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.419148922 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.419159889 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.419173002 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.419194937 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.419209957 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.444016933 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444027901 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444036007 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444041014 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444046021 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444051981 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444058895 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444066048 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444072008 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444140911 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444238901 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.444247961 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444259882 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444268942 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.444271088 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444283009 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444295883 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444334984 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.444370031 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.444417000 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444456100 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.444502115 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444511890 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444523096 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444544077 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.444557905 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.444566011 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444577932 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444588900 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444613934 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.444626093 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.444686890 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444724083 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444736958 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444780111 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.444813967 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444824934 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444835901 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444847107 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.444855928 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.444892883 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.470899105 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.470916033 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.470921993 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.470963955 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.470968962 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.470974922 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.470982075 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.471013069 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.471162081 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.480968952 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481010914 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481019974 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481070042 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.481151104 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481161118 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481168032 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481178999 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481256962 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.481281996 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481293917 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481304884 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481317043 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481348038 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.481374979 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481376886 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.481385946 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481395960 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481408119 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481420994 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.481432915 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.481472969 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.481589079 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481600046 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481611967 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481646061 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.481656075 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481667042 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481673956 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.481678009 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.481702089 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.481729984 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.483062983 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.483074903 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.483086109 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.483120918 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.483133078 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.483144999 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.483149052 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.483156919 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.483169079 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.483186007 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.483217001 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.484181881 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484193087 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484204054 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484239101 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.484246969 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484258890 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484270096 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484277964 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.484314919 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.484344959 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484355927 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484380960 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484391928 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.484395027 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484406948 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484426975 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.484452009 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484457970 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.484463930 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484499931 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.484520912 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.484580040 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484589100 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484631062 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.484797001 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484808922 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484844923 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.484875917 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484886885 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484898090 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484911919 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484922886 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.484935045 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.484946012 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.484968901 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.488374949 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.488426924 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.488430023 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.488439083 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.488487959 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.488498926 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.488508940 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.488522053 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.488534927 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.488538027 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.488568068 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.488595963 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.488607883 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.488620043 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.488631010 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.488645077 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.488656998 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.488657951 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.488688946 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.488703012 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.488713026 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.488764048 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.488938093 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.488987923 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.510364056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.510409117 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.510421038 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.510468006 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.510479927 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.510481119 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.510492086 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.510507107 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.510514021 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.510524988 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.510538101 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.510548115 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.510557890 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.510564089 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.510576010 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.510590076 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.510607004 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.510617971 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.510618925 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.510667086 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.534262896 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534281969 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534295082 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534306049 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534317017 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534327984 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.534337997 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534347057 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.534348965 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534360886 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534368992 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.534373045 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534384966 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534398079 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534398079 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.534410000 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534420013 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.534442902 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.534467936 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.534504890 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534518003 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534533024 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534545898 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534548998 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.534559965 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534570932 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534574032 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.534584999 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534611940 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.534622908 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534626007 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.534632921 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.534672022 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.535078049 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.535089970 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.535126925 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.535128117 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.535137892 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.535151005 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.535170078 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.535188913 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.535346031 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.535356998 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.535401106 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.561168909 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.561181068 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.561192989 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.561238050 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.561269045 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.561423063 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.561484098 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.561496019 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.561506987 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.561619997 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.571355104 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571393967 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571407080 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571468115 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.571537018 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571548939 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571562052 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571574926 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571590900 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.571607113 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.571631908 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571647882 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571660042 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571672916 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571686029 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571688890 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.571696997 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571700096 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.571710110 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571721077 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571731091 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.571759939 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571763039 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.571830988 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571844101 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571856022 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571871996 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.571883917 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.571897030 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571908951 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.571914911 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.571929932 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.571945906 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.573009968 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.573067904 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.573080063 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.573085070 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.573117018 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.573136091 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.573148966 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.573160887 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.573172092 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.573188066 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.573194981 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.573220015 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.573244095 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.574333906 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574346066 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574357033 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574385881 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.574424028 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.574428082 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574440002 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574449062 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574474096 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.574486017 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574512959 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.574532032 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574548006 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.574549913 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574562073 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574573994 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574579000 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.574606895 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.574625015 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574629068 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.574636936 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574647903 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574670076 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.574700117 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.574722052 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574831009 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.574909925 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574919939 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574945927 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.574959040 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.574975967 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574986935 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.574997902 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.575014114 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.575025082 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.575026989 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.575048923 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.575074911 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.578550100 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.578572035 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.578583002 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.578619003 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.578640938 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.578649044 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.578650951 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.578664064 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.578676939 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.578694105 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.578717947 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.578917980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.578931093 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.578942060 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.578979015 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.579003096 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.579180956 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.579200029 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.579214096 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.579224110 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.579225063 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.579238892 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.579276085 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.602490902 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.602535963 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.602547884 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.602562904 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.602579117 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.602617979 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.602641106 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.602658033 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.602674961 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.602686882 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.602699995 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.602722883 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.602730989 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.602742910 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.602745056 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.602756023 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.602770090 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.602799892 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.602987051 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.602998972 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.603035927 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.624758005 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.624768972 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.624779940 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.624818087 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.624830008 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.624830961 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.624842882 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.624850988 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.624870062 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.624892950 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.624902964 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.624906063 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.624916077 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.624934912 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.624959946 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.625268936 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.625288963 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.625303030 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.625336885 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.625382900 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.625422001 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.625433922 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.625449896 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.625462055 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.625468016 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.625498056 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.625511885 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.625521898 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.625533104 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.625545979 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.625555038 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.625556946 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.625575066 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.625601053 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.625602007 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.625613928 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.625643969 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.666101933 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.666117907 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.666136980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.666147947 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.666160107 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.666172028 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.666184902 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.666189909 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.666227102 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.666244030 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.666311979 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.666323900 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.666333914 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.666347980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.666359901 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.666361094 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.666373014 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.666379929 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.666383982 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.666407108 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.666435957 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.671922922 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.671942949 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.671952963 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.672007084 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.672010899 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.672019005 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.672085047 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.672122955 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.672135115 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.672146082 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.672173023 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.672190905 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.672195911 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.672204971 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.672214985 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.672231913 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.672270060 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.672290087 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.672301054 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.672312975 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.672343016 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.672362089 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.672373056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.672384977 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.672421932 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.673312902 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.673367023 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.673389912 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.673403025 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.673438072 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.673445940 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.673459053 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.673490047 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.673541069 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.673543930 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.673554897 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.673568010 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.673578978 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.673598051 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.673623085 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.673640966 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.673652887 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.673665047 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.673677921 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.673693895 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.673721075 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.673742056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.673779964 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.673914909 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.673927069 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.673963070 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.673970938 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.673985004 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.673995972 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674007893 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674021006 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674032927 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.674051046 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.674072981 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.674179077 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674192905 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674202919 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674215078 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674226046 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674230099 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.674238920 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674251080 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674256086 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.674264908 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674273968 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.674299002 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.674465895 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674478054 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674489021 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674500942 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674504995 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.674510956 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674525023 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674535036 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674536943 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.674547911 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674562931 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.674575090 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.674598932 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.674869061 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674880028 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674896955 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674921036 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.674947977 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.674956083 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674968004 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674978971 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.674990892 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.675005913 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.675040960 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.675071001 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.675081968 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.675091982 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.675103903 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.675117970 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.675136089 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.676820040 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.676911116 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.676934958 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.676983118 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.692365885 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.692388058 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.692399979 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.692418098 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.692441940 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.692446947 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.692454100 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.692496061 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.692524910 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.692537069 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.692575932 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.692594051 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.692605972 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.692615986 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.692631006 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.692641973 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.692643881 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.692656040 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.692687035 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.692718983 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.692729950 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.692739964 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.692768097 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.692780018 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.715017080 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715054989 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715066910 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715076923 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715104103 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715115070 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715126038 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715133905 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.715136051 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715203047 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.715297937 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715317011 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715327978 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715358973 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.715369940 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.715439081 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715450048 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715460062 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715471983 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715483904 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715486050 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.715498924 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715521097 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.715536118 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.715694904 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715739012 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.715768099 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715778112 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715790033 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715801954 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715811014 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.715812922 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.715836048 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.715854883 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.756139040 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.756191015 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.756203890 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.756220102 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.756231070 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.756238937 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.756247044 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.756259918 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.756289959 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.756316900 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.756333113 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.756361008 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.756392956 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.756403923 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.756413937 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.756427050 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.756439924 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.756439924 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.756450891 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.756474018 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.756501913 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.762017012 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.762027979 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.762038946 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.762080908 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.762110949 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.762118101 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.762124062 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.762136936 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.762170076 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.762172937 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.762186050 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.762195110 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.762227058 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.762269974 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.762281895 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.762293100 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.762309074 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.762321949 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.762327909 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.762335062 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.762336969 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.762363911 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.762377024 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.762404919 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.763252020 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763278008 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763289928 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763304949 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.763338089 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.763371944 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763382912 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763395071 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763408899 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763421059 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763422966 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.763442039 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.763473988 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.763503075 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763514996 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763525009 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763537884 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763559103 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763564110 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.763571024 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763581991 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763590097 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.763593912 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763613939 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.763636112 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.763637066 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763647079 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763674974 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763679981 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.763688087 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763708115 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.763729095 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.763752937 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763765097 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763778925 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763792992 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763798952 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.763833046 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.763865948 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763876915 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763887882 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763906002 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763911963 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.763920069 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763933897 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.763946056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.763962030 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.763992071 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.764003038 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764014959 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764028072 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764054060 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.764079094 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.764120102 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764131069 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764142990 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764154911 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764168024 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764170885 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.764230967 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.764230967 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.764250994 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764261961 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764273882 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764285088 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764300108 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764307976 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.764332056 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.764345884 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.764419079 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764431000 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764437914 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764451027 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764462948 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764473915 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764484882 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.764503956 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.764525890 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764538050 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764549971 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.764574051 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.764585972 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.782303095 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.782330036 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.782340050 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.782370090 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.782373905 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.782386065 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.782413960 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.782421112 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.782430887 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.782459021 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.782486916 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.782515049 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.782525063 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.782536030 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.782547951 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.782563925 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.782569885 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.782574892 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.782586098 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.782615900 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.782644987 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.782655954 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.782665968 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.782692909 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.782710075 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.805203915 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805218935 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805239916 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805249929 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805263042 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805263996 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.805273056 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805284023 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805308104 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.805346012 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.805363894 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805376053 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805386066 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805397987 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805413008 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.805438042 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.805488110 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805499077 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805510044 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805524111 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805535078 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805535078 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.805545092 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805557966 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.805582047 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.805836916 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805854082 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805866003 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805877924 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805887938 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.805900097 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.805913925 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.805960894 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.845999956 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.846021891 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.846026897 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.846080065 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.846086025 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.846091986 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.846103907 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.846153021 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.846164942 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.846188068 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.846203089 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.846240997 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.846240997 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.846246958 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.846257925 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.846273899 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.846297979 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.846321106 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.846350908 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.846363068 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.846374989 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.846405983 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.846438885 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.852078915 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.852088928 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.852102041 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.852139950 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.852155924 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.852161884 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.852166891 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.852178097 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.852191925 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.852207899 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.852216959 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.852252007 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.852268934 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.853281021 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853322029 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853331089 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.853332996 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853365898 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.853368044 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853379965 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853390932 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853413105 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.853426933 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.853462934 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853481054 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853492022 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853523970 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.853579044 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853590965 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853600979 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853615999 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853627920 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853629112 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.853643894 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.853668928 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.853703022 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853713989 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853724003 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853735924 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853754997 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853760004 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.853784084 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.853797913 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.853849888 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853862047 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853873014 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853884935 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853898048 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853904009 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.853909969 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853924990 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853952885 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.853952885 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.853985071 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.853996992 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854007959 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854018927 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.854042053 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.854057074 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.854141951 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854154110 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854165077 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854176044 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854190111 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854192972 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.854202032 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854221106 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.854226112 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854237080 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.854260921 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854270935 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.854274035 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854305983 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.854336977 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854348898 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854361057 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854373932 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854393005 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.854413986 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.854460001 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854476929 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854487896 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854501009 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854526997 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.854547024 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.854617119 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854628086 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854639053 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854650974 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854665041 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854671001 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.854676962 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854688883 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854690075 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.854716063 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.854722023 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854743958 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.854758978 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.854775906 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854788065 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854796886 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.854824066 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.854851007 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.872395992 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.872407913 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.872419119 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.872457981 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.872513056 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.872526884 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.872539043 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.872550011 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.872560024 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.872572899 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.872586012 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.872601986 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.872610092 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.872617006 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.872622013 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.872632980 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.872647047 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.872658968 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.872667074 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.872670889 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.872706890 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.872709990 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.872709990 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.872922897 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.895087957 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895101070 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895112991 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895153046 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.895170927 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895180941 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.895181894 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895193100 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895205021 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895215988 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895219088 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.895241022 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.895270109 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.895303965 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895313978 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895320892 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895327091 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895344019 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895356894 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895359993 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.895401001 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.895411968 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.895414114 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895425081 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895436049 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895447969 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895461082 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895466089 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.895488977 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895489931 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.895503998 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.895530939 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.895559072 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895571947 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895606041 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895606995 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.895617962 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.895658970 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.936069012 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.936084986 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.936096907 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.936141014 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.936156988 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.936170101 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.936182022 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.936203003 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.936217070 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.936229944 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.936254978 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.936274052 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.936765909 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.936819077 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:18.937000036 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:18.937046051 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:19.008302927 CEST	49744	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:19.008752108 CEST	49746	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:19.013565063 CEST	5432	49746	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:19.013607025 CEST	5432	49744	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:19.013679028 CEST	49746	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:19.013711929 CEST	49744	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:19.013968945 CEST	49746	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:19.018769979 CEST	5432	49746	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:19.698947906 CEST	5432	49746	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:19.699948072 CEST	49746	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:19.700443029 CEST	49746	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:19.702934027 CEST	49746	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:19.702972889 CEST	49746	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:19.705286026 CEST	5432	49746	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:19.707871914 CEST	5432	49746	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:19.707881927 CEST	5432	49746	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:19.707885027 CEST	5432	49746	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:19.707937002 CEST	5432	49746	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:19.707946062 CEST	5432	49746	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:20.109421015 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:20.109870911 CEST	49747	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:20.114501953 CEST	5432	49745	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:20.114559889 CEST	49745	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:20.114830017 CEST	5432	49747	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:20.114897013 CEST	49747	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:20.115115881 CEST	49747	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:20.119868040 CEST	5432	49747	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:20.412801027 CEST	5432	49746	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:20.412873983 CEST	49746	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:20.812599897 CEST	5432	49747	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:20.812680006 CEST	49747	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:20.813143015 CEST	49747	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:20.815349102 CEST	49747	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:20.815418005 CEST	49747	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:20.817869902 CEST	5432	49747	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:20.820101023 CEST	5432	49747	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:20.820164919 CEST	5432	49747	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:20.820230007 CEST	5432	49747	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:21.125204086 CEST	49746	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:21.125686884 CEST	49748	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:21.130250931 CEST	5432	49746	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:21.130341053 CEST	49746	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:21.130426884 CEST	5432	49748	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:21.130489111 CEST	49748	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:21.133579969 CEST	49748	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:21.138345003 CEST	5432	49748	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:21.486618042 CEST	5432	49747	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:21.486707926 CEST	49747	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:21.830789089 CEST	5432	49748	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:21.830881119 CEST	49748	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:21.831291914 CEST	49748	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:21.833137989 CEST	49748	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:21.836214066 CEST	5432	49748	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:21.837966919 CEST	5432	49748	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:22.298295975 CEST	49747	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:22.298702955 CEST	49749	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:22.303491116 CEST	5432	49749	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:22.303541899 CEST	5432	49747	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:22.303592920 CEST	49749	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:22.303621054 CEST	49747	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:22.303864956 CEST	49749	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:22.308608055 CEST	5432	49749	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:22.690037012 CEST	5432	49748	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:22.690095901 CEST	49748	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:23.007153988 CEST	5432	49749	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:23.007260084 CEST	49749	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:23.007674932 CEST	49749	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:23.009536982 CEST	49749	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:23.012458086 CEST	5432	49749	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:23.014425039 CEST	5432	49749	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:23.331823111 CEST	49748	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:23.332250118 CEST	49750	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:23.337102890 CEST	5432	49750	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:23.337193966 CEST	5432	49748	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:23.337284088 CEST	49750	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:23.337285042 CEST	49748	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:23.337512970 CEST	49750	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:23.342258930 CEST	5432	49750	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:23.837491989 CEST	5432	49749	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:23.837608099 CEST	49749	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:24.003333092 CEST	5432	49750	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:24.003426075 CEST	49750	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:24.012388945 CEST	49750	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:24.017126083 CEST	5432	49750	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:24.045916080 CEST	49750	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:24.048017979 CEST	49751	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:24.050884008 CEST	5432	49750	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:24.050947905 CEST	49750	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:24.052843094 CEST	5432	49751	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:24.052907944 CEST	49751	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:24.053111076 CEST	49751	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:24.057878971 CEST	5432	49751	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:24.729526997 CEST	5432	49751	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:24.729697943 CEST	49751	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:24.730099916 CEST	49751	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:24.731769085 CEST	49751	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:24.733782053 CEST	49752	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:24.734853983 CEST	5432	49751	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:24.736776114 CEST	5432	49751	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:24.736831903 CEST	49751	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:24.738594055 CEST	5432	49752	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:24.738656998 CEST	49752	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:24.738854885 CEST	49752	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:24.745345116 CEST	5432	49752	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:25.426542044 CEST	5432	49752	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:25.426624060 CEST	49752	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:25.427016973 CEST	49752	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:25.428720951 CEST	49752	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:25.430728912 CEST	49753	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:25.431768894 CEST	5432	49752	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:25.433799028 CEST	5432	49752	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:25.433851957 CEST	49752	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:25.435576916 CEST	5432	49753	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:25.435646057 CEST	49753	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:25.435858965 CEST	49753	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:25.440597057 CEST	5432	49753	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:26.123868942 CEST	5432	49753	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:26.124030113 CEST	49753	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:26.124517918 CEST	49753	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:26.127013922 CEST	49753	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:26.129214048 CEST	49754	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:26.129448891 CEST	5432	49753	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:26.134047985 CEST	5432	49753	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:26.134113073 CEST	49753	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:26.134886026 CEST	5432	49754	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:26.135081053 CEST	49754	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:26.135399103 CEST	49754	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:26.140984058 CEST	5432	49754	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:26.824384928 CEST	5432	49754	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:26.824461937 CEST	49754	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:26.824875116 CEST	49754	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:26.826348066 CEST	49754	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:26.828526974 CEST	49755	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:26.829870939 CEST	5432	49754	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:26.832561970 CEST	5432	49754	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:26.832623005 CEST	49754	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:26.833410025 CEST	5432	49755	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:26.833483934 CEST	49755	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:26.833703995 CEST	49755	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:26.838505030 CEST	5432	49755	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:27.497577906 CEST	5432	49755	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:27.497641087 CEST	49755	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:27.498100042 CEST	49755	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:27.500032902 CEST	49755	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:28:27.502935886 CEST	5432	49755	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:27.505374908 CEST	5432	49755	5.75.221.27	192.168.2.4
Jul 4, 2024 21:28:27.505424976 CEST	49755	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:29:33.990200043 CEST	5432	49749	5.75.221.27	192.168.2.4
Jul 4, 2024 21:29:33.990215063 CEST	5432	49749	5.75.221.27	192.168.2.4
Jul 4, 2024 21:29:33.990295887 CEST	49749	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:29:33.990355015 CEST	49749	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:29:33.990427017 CEST	5432	49749	5.75.221.27	192.168.2.4
Jul 4, 2024 21:29:33.990468979 CEST	49749	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:29:56.501095057 CEST	49749	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:29:56.501183987 CEST	49749	5432	192.168.2.4	5.75.221.27
Jul 4, 2024 21:29:56.505975962 CEST	5432	49749	5.75.221.27	192.168.2.4
Jul 4, 2024 21:29:56.506123066 CEST	49749	5432	192.168.2.4	5.75.221.27

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 4, 2024 21:25:59.174005032 CEST	52770	53	192.168.2.4	1.1.1.1
Jul 4, 2024 21:25:59.184431076 CEST	53	52770	1.1.1.1	192.168.2.4
Jul 4, 2024 21:28:06.534960032 CEST	51561	53	192.168.2.4	1.1.1.1
Jul 4, 2024 21:28:06.542232037 CEST	53	51561	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 4, 2024 21:25:59.174005032 CEST	192.168.2.4	1.1.1.1	0xff2e	Standard query (0)	aeADchOTjdneRFbvgcniIPnKrpAg.aeADchOTjdneRFbvgcniIPnKrpAg	A (IP address)	IN (0x0001)	false
Jul 4, 2024 21:28:06.534960032 CEST	192.168.2.4	1.1.1.1	0xb0c9	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 4, 2024 21:25:59.184431076 CEST	1.1.1.1	192.168.2.4	0xff2e	Name error (3)	aeADchOTjdneRFbvgcniIPnKrpAg.aeADchOTjdneRFbvgcniIPnKrpAg	none	none	A (IP address)	IN (0x0001)	false
Jul 4, 2024 21:28:06.542232037 CEST	1.1.1.1	192.168.2.4	0xb0c9	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	149.154.167.99	443	6232	C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

Timestamp	Bytes transferred	Direction	Data
2024-07-04 19:28:07 UTC	85	OUT	GET /bu77un HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2024-07-04 19:28:07 UTC	512	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 04 Jul 2024 19:28:07 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12314 Connection: close Set-Cookie: stel_ssid=3c003cfef8404f3f36_16086983689075225420; expires=Fri, 05 Jul 2024 19:28:07 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-07-04 19:28:07 UTC	12314	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 62 75 37 37 75 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @bu77un</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.parent

Target ID:	0
Start time:	15:25:52
Start date:	04/07/2024
Path:	C:\Users\user\Desktop\lem.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lem.exe"
Imagebase:	0x400000
File size:	879'213 bytes
MD5 hash:	7AEC38C6F23F36DBF2698D116EFEBCA5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:25:54
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k copy Son Son.cmd & Son.cmd & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:25:54
Start date:	04/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:25:55
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xeb0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:25:55
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa.exe opssvc.exe"
Imagebase:	0xf0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:25:56
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xeb0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:25:56
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Imagebase:	0xf0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:25:57
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 820565
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:25:57
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "StudiedForeignTitansCircles" Eos
Imagebase:	0xf0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:25:57
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b Bind + Dow 820565\n
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:25:57
Start date:	04/07/2024
Path:	C:\Users\user\AppData\Local\Temp\820565\Refugees.pif
Wow64 process (32bit):	true
Commandline:	820565\Refugees.pif 820565\n
Imagebase:	0x9a0000
File size:	937'776 bytes
MD5 hash:	B06E67F9767E5023892D9698703AD098
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.2931166846.0000000001891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000002.4110915823.0000000001928000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.2930884990.0000000001891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.2930715397.0000000001AE7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.2931122159.0000000001AE7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000002.4110715685.0000000001756000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.2930762938.0000000001929000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000002.4110774990.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000003.2931048751.00000000046D8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000002.4110845794.0000000001898000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000002.4111534243.0000000004715000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000A.00000002.4111534243.00000000046D1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	15:25:57
Start date:	04/07/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 5
Imagebase:	0x450000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.6%
Total number of Nodes:	1523
Total number of Limit Nodes:	37

Executed Functions

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
OleUninitialize.OLE32(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

NCRC, xrefs: 0040397C
Error launching installer, xrefs: 00403A7D
~nsu.tmp, xrefs: 00403AF7
_?=, xrefs: 00403A64
1C, xrefs: 00403B56
SeShutdownPrivilege, xrefs: 00403C16
/D=, xrefs: 004039A6
NSIS Error, xrefs: 004038E2
\Temp, xrefs: 00403A1B

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
detailprint: %s, xrefs: 00401679
Call: %d, xrefs: 0040165A
BringToFront, xrefs: 004016BD
Rename on reboot: %s, xrefs: 00401943
Sleep(%d), xrefs: 0040169D
Aborting: "%s", xrefs: 0040161D
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
Rename: %s, xrefs: 004018F8
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
Rename failed: %s, xrefs: 0040194B
CreateDirectory: "%s" (%d), xrefs: 004017BF
CreateDirectory: "%s" created, xrefs: 00401849
Jump: %d, xrefs: 00401602
SetFileAttributes failed., xrefs: 004017A1
SetFileAttributes: "%s":%08X, xrefs: 0040177B

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: 2a82ad59b9370b3cc3d5141fac41001cfacad1d5dd7d37275e8bf63d0114621f
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: 2a82ad59b9370b3cc3d5141fac41001cfacad1d5dd7d37275e8bf63d0114621f
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNEL32(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

RichEdit20A, xrefs: 00405BB6, 00405BBB
@%F, xrefs: 004059F6
.exe, xrefs: 00405A3D
B%F, xrefs: 00405A1F
RichEd20, xrefs: 00405B9D
.DEFAULT\Control Panel\International, xrefs: 00405999
RichEdit, xrefs: 00405BC4
_Nb, xrefs: 00405AD1
Control Panel\Desktop\ResourceLocale, xrefs: 00405972
@rD, xrefs: 00405965
RichEd32, xrefs: 00405BA8

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,open,open,00000000,00000000,open,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error, user retry, xrefs: 00401B40
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
open, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error, user abort, xrefs: 00401B53
File: error creating "%s", xrefs: 00401AF0
File: error, user cancel, xrefs: 00401B93
File: wrote %d to "%s", xrefs: 00401BD0

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$open
API String ID: 4286501637-2478300759
Opcode ID: 2ab80255bde4e5d1782dd9130ab292fdec73e4a72f9567b243a786bab725b233
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: 2ab80255bde4e5d1782dd9130ab292fdec73e4a72f9567b243a786bab725b233
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

Null, xrefs: 0040367E
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
Error launching installer, xrefs: 004035D7
soft, xrefs: 00403675
Inst, xrefs: 0040366C

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

X1C, xrefs: 0040343C
P1B, xrefs: 004033A9
... %d%%, xrefs: 0040349E
X1C, xrefs: 004033ED

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$X1C$X1C
API String ID: 651206458-1535804072
Opcode ID: 71a0af70068d15f1e2712f5ef5f0e4f02d53f291cdcd50b6d0822de58acd1dbf
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 71a0af70068d15f1e2712f5ef5f0e4f02d53f291cdcd50b6d0822de58acd1dbf
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNELBASE(00789A90), ref: 00402387

Strings

Exch: stack < %d elements, xrefs: 00401ED8
Pop: stack empty, xrefs: 00401F2C
open, xrefs: 00401EFB, 00401F00, 00401F1A

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$Pop: stack empty$open
API String ID: 1459762280-1711415406
Opcode ID: 4c8c09c83ece9067cd01ebc7f99896dd0048823aea7dafec600988da42eaf391
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 4c8c09c83ece9067cd01ebc7f99896dd0048823aea7dafec600988da42eaf391
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNELBASE(00789A90), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 8c326ffdf613bec965b24eefbd291de90d56381beca0eea403caad45aa1d2aeb
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 8c326ffdf613bec965b24eefbd291de90d56381beca0eea403caad45aa1d2aeb
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: a43f8298630559bd8253c369c7e0cb3863940d209ccab43e1d506770e08af364
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: a43f8298630559bd8253c369c7e0cb3863940d209ccab43e1d506770e08af364
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: a6f9f0949098482436c6c9f8cce42b162511fb53d9db31c2e6f8192b5b466978
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: a6f9f0949098482436c6c9f8cce42b162511fb53d9db31c2e6f8192b5b466978
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Non-executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNEL32(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNEL32(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

New install of "%s" to "%s", xrefs: 00405182
@rD, xrefs: 004053D7
{, xrefs: 00405352

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: a32262366b6956f6ce6576a17cc772d230ae976b6d31d5dbcf7d3a173ee933fc
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: a32262366b6956f6ce6576a17cc772d230ae976b6d31d5dbcf7d3a173ee933fc
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

N, xrefs: 00404C06
@, xrefs: 00404B90
, xrefs: 00404F39
M, xrefs: 00404B43

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

@%F, xrefs: 00404674
82D, xrefs: 004046DB
@rD, xrefs: 00404610
A, xrefs: 00404636

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

GetTTFNameString, xrefs: 00406F07
name, xrefs: 00406FBF
%s: failed opening file "%s", xrefs: 00406F0C

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*), ref: 00406D09
lstrcatW.KERNEL32(?,00408838), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
Delete: DeleteFile("%s"), xrefs: 00406DBC
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
\*.*, xrefs: 00406D03
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
Delete: DeleteFile failed("%s"), xrefs: 00406DFD

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 929039bad7d15a30b60f6521e1025dcf5eb1071aca27ca1d219e219807f84f48
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 929039bad7d15a30b60f6521e1025dcf5eb1071aca27ca1d219e219807f84f48
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926
@%F, xrefs: 00406A53
@%F, xrefs: 0040682C
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: b5b7ab79f27b5d75a187df3fe9f711fb4388b9579a399927462dc59dec62d440
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: b5b7ab79f27b5d75a187df3fe9f711fb4388b9579a399927462dc59dec62d440
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

GetModuleBaseNameW, xrefs: 00406494
Module32FirstW, xrefs: 004065D3
Process32FirstW, xrefs: 004065BD
EnumProcessModules, xrefs: 0040648A
Module32NextW, xrefs: 004065DE
PSAPI.DLL, xrefs: 00406464
CreateToolhelp32Snapshot, xrefs: 004065B5
Kernel32.DLL, xrefs: 0040659B
EnumProcesses, xrefs: 00406482
Unknown, xrefs: 004064FC
Process32NextW, xrefs: 004065C8

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
SetClassLongW.USER32(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
EnableWindow.USER32(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: @rD
API String ID: 184305955-3814967855
Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

N, xrefs: 0040426C
@%F, xrefs: 004042A7
open, xrefs: 004042DF

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

%s=%s, xrefs: 00406B43
NUL, xrefs: 00406A9E
[Rename], xrefs: 00406BC8, 00406BD7
F, xrefs: 00406AE8

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: d79db666ee92a39b53e47641609ed565b43369f8775619f718224e07aa5483b4
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: d79db666ee92a39b53e47641609ed565b43369f8775619f718224e07aa5483b4
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: c666975226392a23a96cc8c7abb3eb5c8f7508c76e04a15e1ccd320165ca38cb
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: c666975226392a23a96cc8c7abb3eb5c8f7508c76e04a15e1ccd320165ca38cb
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: %s not found in %s, xrefs: 0040249A

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-945480824
Opcode ID: aebbfb54fe117075fb91935afd2b3d42be9cb3525beaf419298f1839c78bdf39
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: aebbfb54fe117075fb91935afd2b3d42be9cb3525beaf419298f1839c78bdf39
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: success ("%s"), xrefs: 00402263
Exec: command="%s", xrefs: 00402241

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 04fd410bbb31de0d7d21d8cf733f8caec58fdd5b228a354368cf1c704b35d166
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 04fd410bbb31de0d7d21d8cf733f8caec58fdd5b228a354368cf1c704b35d166
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(0000E000,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

%u.%u%s%s, xrefs: 00404444
@rD, xrefs: 00404402

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 3f37f65ad39e50193b5eb5465f4a6a1b76990ca473236759665c0c01a91169be
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 3f37f65ad39e50193b5eb5465f4a6a1b76990ca473236759665c0c01a91169be
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 48bae300e43d63654b7fe916574e47b7d5bb67918eda10473d167f607cc9ee43
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 48bae300e43d63654b7fe916574e47b7d5bb67918eda10473d167f607cc9ee43
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

@rD, xrefs: 00404934
, xrefs: 004048DA

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: f84dc7438b734d649018535b99f5ff883fadf72990f7ea17a428efaae3f8c2d6
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: f84dc7438b734d649018535b99f5ff883fadf72990f7ea17a428efaae3f8c2d6
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

..., xrefs: 00406293
%02x%c, xrefs: 00406270

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

<RM>, xrefs: 00402713
open, xrefs: 00402770
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$WriteINIStr: wrote [%s] %s=%s in %s$open
API String ID: 247603264-1827671502
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Skipping section: "%s", xrefs: 004050B5
Section: "%s", xrefs: 00405079

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 2f246f05ebd7dc674da9b5ff0baef701d10e4a3e2a51ec62881f8ce9e704e4b5
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 2f246f05ebd7dc674da9b5ff0baef701d10e4a3e2a51ec62881f8ce9e704e4b5
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 00000000.00000002.1666185902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1666171984.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666199767.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666212750.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1666277985.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_lem.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Analysis Process: Refugees.pifPID: 6232, Parent PID: 2004COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	103

Executed Functions

Function 009B5240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009B526C
IsDebuggerPresent.KERNEL32 ref: 009B527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 009B52E6

Part of subcall function 009B1821: _memmove.LIBCMT ref: 009B185B

Part of subcall function 009ABBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009ABC07

SetCurrentDirectoryW.KERNEL32(?), ref: 009B5366
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 009F0AAE
SetCurrentDirectoryW.KERNEL32(?), ref: 009F0AE6
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00A55230), ref: 009F0B69
ShellExecuteW.SHELL32(00000000), ref: 009F0B70

Part of subcall function 009B514C: GetSysColorBrush.USER32(0000000F), ref: 009B5156
Part of subcall function 009B514C: LoadCursorW.USER32(00000000,00007F00), ref: 009B5165
Part of subcall function 009B514C: LoadIconW.USER32(00000063), ref: 009B517C
Part of subcall function 009B514C: LoadIconW.USER32(000000A4), ref: 009B518E
Part of subcall function 009B514C: LoadIconW.USER32(000000A2), ref: 009B51A0
Part of subcall function 009B514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 009B51C6
Part of subcall function 009B514C: RegisterClassExW.USER32(?), ref: 009B521C

Part of subcall function 009B50DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009B5109
Part of subcall function 009B50DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 009B512A
Part of subcall function 009B50DB: ShowWindow.USER32(00000000), ref: 009B513E
Part of subcall function 009B50DB: ShowWindow.USER32(00000000), ref: 009B5147

Part of subcall function 009B59D3: _memset.LIBCMT ref: 009B59F9
Part of subcall function 009B59D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 009B5A9E

Strings

It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 009F0AA8
AutoIt, xrefs: 009F0AA3
runas, xrefs: 009F0B64

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: 46b80344fbbeff13400de8fc982c4e2fbfd44778a908dd7f5221afbdd67e7999
Instruction ID: 0fa244647cf734d568bfff39e701040a81f4f64034e750004105529042bd926a
Opcode Fuzzy Hash: 46b80344fbbeff13400de8fc982c4e2fbfd44778a908dd7f5221afbdd67e7999
Instruction Fuzzy Hash: F7510271D04248FACF01EBF0ED66FFEBB7CAB89760F144069F551622A2DAB45506CB20

Function 009B5D13 Relevance: 10.7, APIs: 7, Instructions: 223COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 009B5D40

Part of subcall function 009B1821: _memmove.LIBCMT ref: 009B185B

GetCurrentProcess.KERNEL32(?,00A30A18,00000000,00000000,?), ref: 009B5E07
IsWow64Process.KERNEL32(00000000), ref: 009B5E0E
GetNativeSystemInfo.KERNEL32(00000000), ref: 009B5E54
FreeLibrary.KERNEL32(00000000), ref: 009B5E5F
GetSystemInfo.KERNEL32(00000000), ref: 009B5E90
GetSystemInfo.KERNEL32(00000000), ref: 009B5E9C

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: e4a6b125e5f69f9ddcfceea2a6ea3615e372dc95a33958e90872660641cb02ff
Instruction ID: 03743cd34dde6b2ed10501284270a67fdd5e8b931bcad329662bc13b20d8c842
Opcode Fuzzy Hash: e4a6b125e5f69f9ddcfceea2a6ea3615e372dc95a33958e90872660641cb02ff
Instruction Fuzzy Hash: D291E531549BC4DEC732CB6495616EAFFE96F29310B880E5ED0C793A01D234F548C799

Function 00A03E72 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009C01AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009B2A58,?,00008000), ref: 009C01CF

Part of subcall function 00A04E59: GetFileAttributesW.KERNEL32(?,00A03A6B), ref: 00A04E5A

FindFirstFileW.KERNEL32(?,?), ref: 00A03EE9
DeleteFileW.KERNEL32(?,?,?,?), ref: 00A03F39
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A03F4A
FindClose.KERNEL32(00000000), ref: 00A03F61
FindClose.KERNEL32(00000000), ref: 00A03F6A

Strings

\*.*, xrefs: 00A03EBB

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 4fa5c0631f30ab4bba95d808ac8a85916e83efa416cfaa0f9d535c5d64fa8caa
Instruction ID: d7abc2aaecc997855b97723f3f8fa0c1372e35e59defb118b800c995fac75922
Opcode Fuzzy Hash: 4fa5c0631f30ab4bba95d808ac8a85916e83efa416cfaa0f9d535c5d64fa8caa
Instruction Fuzzy Hash: 763162724083499BC705EB64D9A5AEFB7ECBED5310F444A1DF4E5821D1EB20DA09C763

Function 00A03FB5 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A03FDA
Process32FirstW.KERNEL32(00000000,?), ref: 00A03FE8
Process32NextW.KERNEL32(00000000,?), ref: 00A04008
FindCloseChangeNotification.KERNEL32(00000000), ref: 00A040B2

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: f87108ace6d6e93f9fc0153e82403369a3c93c24ce35c88b20729714864aba29
Instruction ID: ef087b4375ccf0f7fc8e3ad3217c70928d92e12c53863b0f6fd154f491c5e5f2
Opcode Fuzzy Hash: f87108ace6d6e93f9fc0153e82403369a3c93c24ce35c88b20729714864aba29
Instruction Fuzzy Hash: F93191711083059BD300EF60D895BAFBBE8BFD9350F400A2DF681921E1EB719949CB92

Function 009AB020 Relevance: 5.6, APIs: 3, Instructions: 1146COMMON

Download Yara Rule

APIs

Part of subcall function 009B3740: CharUpperBuffW.USER32(?,00A661DC,00000000,?,00000000,00A661DC,?,009A53A5,?,?,?,?), ref: 009B375D

_memmove.LIBCMT ref: 009AB68A

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: BuffCharUpper_memmove
String ID:
API String ID: 2819905725-0
Opcode ID: d1c12d295bc0484438c581cb0dc42925814188d519c70b54dbfc8b9735d3bd6f
Instruction ID: 7269896ac044bc11e0c1a8f2c9a1d262b59e1d0328a1f096851ab34417c91dc1
Opcode Fuzzy Hash: d1c12d295bc0484438c581cb0dc42925814188d519c70b54dbfc8b9735d3bd6f
Instruction Fuzzy Hash: 4AA27A70608341DFD721CF25C484B2AB7E5BF8A304F14896DE89A8B362D775ED85CB92

Function 00A047B7 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,009EFC06), ref: 00A047C7
FindFirstFileW.KERNEL32(?,?), ref: 00A047D8
FindClose.KERNEL32(00000000), ref: 00A047E8

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 09cef5a895a1401d7fdb0e47d076c21f0a1ee842a3dfde3ca1967d40ec431085
Instruction ID: 0ea9553ab9f968d2201aff693bd9c4f2a4ed52721c7bfda7a82bab0a2801b786
Opcode Fuzzy Hash: 09cef5a895a1401d7fdb0e47d076c21f0a1ee842a3dfde3ca1967d40ec431085
Instruction Fuzzy Hash: 7AE0DF71810615AB8210A7B8FC4D8EA775CAE0A339F100B56FA31C21E0EBB09D518696

Function 009A94E0 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9fb61ce3bb6ce963ec3045e5b5d0d7ba1421cdaed1bb0bb4047b02b884b2173
Instruction ID: 25594d40ede1861c0a859d216a6997d8a5ffdc1dd7fd530dd9cee5d81b946f8c
Opcode Fuzzy Hash: c9fb61ce3bb6ce963ec3045e5b5d0d7ba1421cdaed1bb0bb4047b02b884b2173
Instruction Fuzzy Hash: EA229C70D0421ADFDB24DF58C490BAAB7B4FF8A300F248569E8569B351E778AD81CBD1

Function 009ABC70 Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 009ABF57

Part of subcall function 009A52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009A52E6

Sleep.KERNEL32(0000000A,?,?), ref: 009E35E5

Strings

@TRAY_ID, xrefs: 009E3EFD
CALL, xrefs: 009AC277
@COM_EVENTOBJ, xrefs: 009E3C5E
@GUI_WINHANDLE, xrefs: 009E36F1
@GUI_CTRLID, xrefs: 009E369C
@GUI_CTRLHANDLE, xrefs: 009E3746

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
API String ID: 1792118007-922114024
Opcode ID: af7cb477ccce5da1ef61476fa6dad400e2eb0dbfa2d7a16ca9fec32ecd403bb8
Instruction ID: 613a9995d7bd61345ef5161c0087e37ea8ec7641be3b22cd55f457c1f60a4044
Opcode Fuzzy Hash: af7cb477ccce5da1ef61476fa6dad400e2eb0dbfa2d7a16ca9fec32ecd403bb8
Instruction Fuzzy Hash: 4EC2D270608381DFC725DF25C854BAAB7E4BF85304F14891DF58A8B2A2DB75ED45CB82

Function 009A33E5 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 009A3444
RegisterClassExW.USER32(00000030), ref: 009A346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009A347F
InitCommonControlsEx.COMCTL32(?), ref: 009A349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009A34AC
LoadIconW.USER32(000000A9), ref: 009A34C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009A34D1

Strings

0, xrefs: 009A3426
AutoIt v3 GUI, xrefs: 009A3460
+, xrefs: 009A342D
TaskbarCreated, xrefs: 009A3474

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 2c424002377acd245cb9891cd72f7cc326e042bff87d40b74d51be808c02f3bb
Instruction ID: b4d85d7b9ada50a6a087dc52a6fd7da1362147942e48a471e7cb321b05718521
Opcode Fuzzy Hash: 2c424002377acd245cb9891cd72f7cc326e042bff87d40b74d51be808c02f3bb
Instruction Fuzzy Hash: BF31E0B1841309AFDB50CFE4EC99BC9BBF4FB09320F10451AF590A62A0D3B55582CF91

Function 009A3411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 009A3444
RegisterClassExW.USER32(00000030), ref: 009A346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009A347F
InitCommonControlsEx.COMCTL32(?), ref: 009A349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009A34AC
LoadIconW.USER32(000000A9), ref: 009A34C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009A34D1

Strings

0, xrefs: 009A3426
AutoIt v3 GUI, xrefs: 009A3460
+, xrefs: 009A342D
TaskbarCreated, xrefs: 009A3474

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 4933a08b140b226d2006544562f1b42c34de1435f67240ff11bcc696047d6d42
Instruction ID: 306ad389ecf67a398ef6fd8f2534920c9055fce3574a3679fc9d89c5c5513bb4
Opcode Fuzzy Hash: 4933a08b140b226d2006544562f1b42c34de1435f67240ff11bcc696047d6d42
Instruction Fuzzy Hash: DF21AEB1D00218AFEB40DFE4EC99B9DBBF8FB08710F00411AFA20A62A0D7B155468F95

Function 009B2FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009BFFFA: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,009B3094), ref: 009C0018

Part of subcall function 009C07EC: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,009B309F), ref: 009C080E

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 009B30E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009F013A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009F017B
RegCloseKey.ADVAPI32(?), ref: 009F01B9
_wcscat.LIBCMT ref: 009F0212

Strings

\, xrefs: 009F0235
Software\AutoIt v3\AutoIt, xrefs: 009B30D8
Include, xrefs: 009F0131, 009F0172
\Include\, xrefs: 009B309F

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: e15090698eb22b655869d86abf79415ad76852a393329c4e169bc4572c28729a
Instruction ID: 22d0caed1726fd114c56bfd4278643558ece69b475ce11cea7c09d1e5e106b20
Opcode Fuzzy Hash: e15090698eb22b655869d86abf79415ad76852a393329c4e169bc4572c28729a
Instruction Fuzzy Hash: 847188714183019EC314EFA5EDA1AEFBBF8BB94754F80092EF445831A1EB709945CB52

Function 009B514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 009B5156
LoadCursorW.USER32(00000000,00007F00), ref: 009B5165
LoadIconW.USER32(00000063), ref: 009B517C
LoadIconW.USER32(000000A4), ref: 009B518E
LoadIconW.USER32(000000A2), ref: 009B51A0
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 009B51C6
RegisterClassExW.USER32(?), ref: 009B521C

Part of subcall function 009A3411: GetSysColorBrush.USER32(0000000F), ref: 009A3444
Part of subcall function 009A3411: RegisterClassExW.USER32(00000030), ref: 009A346E
Part of subcall function 009A3411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009A347F
Part of subcall function 009A3411: InitCommonControlsEx.COMCTL32(?), ref: 009A349C
Part of subcall function 009A3411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009A34AC
Part of subcall function 009A3411: LoadIconW.USER32(000000A9), ref: 009A34C2
Part of subcall function 009A3411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009A34D1

Strings

0, xrefs: 009B51FA
AutoIt v3, xrefs: 009B520B
#, xrefs: 009B5201

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ad73c309e85ccf480d0b3be8ac97f1a2182b723de371519b9c6d919b7d053d4e
Instruction ID: 457d485d3cece399f7714d7e828e4878325290f89e178959f8804ad8f5a24f00
Opcode Fuzzy Hash: ad73c309e85ccf480d0b3be8ac97f1a2182b723de371519b9c6d919b7d053d4e
Instruction Fuzzy Hash: EE21F2B1E00308AFEB51DFF4ED69BDD7BB4EB08710F00412AF604A62A0D7B659569F94

Function 00A15BE2 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00A15C43
inet_addr.WSOCK32(?,?,?), ref: 00A15C88
gethostbyname.WS2_32(?), ref: 00A15C94
IcmpCreateFile.IPHLPAPI ref: 00A15CA2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A15D12
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A15D28
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00A15D9D
WSACleanup.WSOCK32 ref: 00A15DA3

Strings

Ping, xrefs: 00A15CC6

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f8d6eb66ac118b1df22e185d8845bf00b096260b131f9ca9e8edc10600183db3
Instruction ID: 7f75fafc87f8d6f16bb76f584e3ae3ac029dc10d73066cdd6cfba2a7c8c58760
Opcode Fuzzy Hash: f8d6eb66ac118b1df22e185d8845bf00b096260b131f9ca9e8edc10600183db3
Instruction Fuzzy Hash: AD515D31A04701DFD720EF64DD49BAA77E4AF88710F044969F595DB2A1DB70EC81DB81

Function 009B4D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 009B4E22
KillTimer.USER32(?,00000001), ref: 009B4E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 009B4E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009B4E7A
CreatePopupMenu.USER32 ref: 009B4E8E
PostQuitMessage.USER32(00000000), ref: 009B4EAF

Strings

TaskbarCreated, xrefs: 009B4E75

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: d61428becfb2da48dea2e1ec93f46d2cf7f9236f9531879959d9b34d3abf16db
Instruction ID: bbe27d42a247ce62ca62092c17f9027428a493d2ff1b457558a3f2705dcb668e
Opcode Fuzzy Hash: d61428becfb2da48dea2e1ec93f46d2cf7f9236f9531879959d9b34d3abf16db
Instruction Fuzzy Hash: D4412971200209ABDF159FB89E19BFE76ADFB84320F040629F501961A3DBB4EC51A7A1

Function 009B56F8 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009F0BDB

Part of subcall function 009B1821: _memmove.LIBCMT ref: 009B185B

_memset.LIBCMT ref: 009B5787
_wcscpy.LIBCMT ref: 009B57DB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009B57EB
__swprintf.LIBCMT ref: 009F0C51

Strings

AutoIt - , xrefs: 009B5760
Line %d: , xrefs: 009F0C4B

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
String ID: Line %d: $AutoIt -
API String ID: 230667853-4094128768
Opcode ID: e127f125b0e25b566f5b39e5ae3c9d6efafe74689279ca3de8e37f1809d024be
Instruction ID: f44132548eccaabd7072fc566ae23d984f3c90bc8587da5dd8edbc27bd1cd72c
Opcode Fuzzy Hash: e127f125b0e25b566f5b39e5ae3c9d6efafe74689279ca3de8e37f1809d024be
Instruction Fuzzy Hash: 6641E671508304AAC721EB60DDA5FEF77ECAF84364F404A1EF185920A1EF74A649C793

Function 009B50DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009B5109
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 009B512A
ShowWindow.USER32(00000000), ref: 009B513E
ShowWindow.USER32(00000000), ref: 009B5147

Strings

edit, xrefs: 009B5124
AutoIt v3, xrefs: 009B5101, 009B5106, 009B5107

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 895717a7c3121b22b2644f3b870c27d091a7cf33ccaff59d746631fa6eb801d8
Instruction ID: 19a3fbaf56f18a47c4a9939ea02c514d45d9fa7985c7b3dbfe689d99a6955e6f
Opcode Fuzzy Hash: 895717a7c3121b22b2644f3b870c27d091a7cf33ccaff59d746631fa6eb801d8
Instruction Fuzzy Hash: 55F0DA71A412947EEB3197B76C69EA72E7DE7C6F50F01012AF900A21B0C6E51852DAB0

Function 00A09983 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 009B4A8C: _fseek.LIBCMT ref: 009B4AA4

Part of subcall function 00A09B5E: _wcscmp.LIBCMT ref: 00A09C4E
Part of subcall function 00A09B5E: _wcscmp.LIBCMT ref: 00A09C61

_free.LIBCMT ref: 00A09ACC
_free.LIBCMT ref: 00A09AD3
_free.LIBCMT ref: 00A09B3E

Part of subcall function 009C2EB5: RtlFreeHeap.NTDLL(00000000,00000000,?,009C9B84,00000000,009C8C8D,009C58F3), ref: 009C2EC9
Part of subcall function 009C2EB5: GetLastError.KERNEL32(00000000,?,009C9B84,00000000,009C8C8D,009C58F3), ref: 009C2EDB

_free.LIBCMT ref: 00A09B46

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00A099FC

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: 0206f8e14eee7e9fec5650a75c8573ab4a516d71c653194f509274aac2453a41
Instruction ID: b908c73178bc2d7d76585d19f1a90133ae5eed94dd6b378968521afce7804fa8
Opcode Fuzzy Hash: 0206f8e14eee7e9fec5650a75c8573ab4a516d71c653194f509274aac2453a41
Instruction Fuzzy Hash: 63512CB1D04218ABDF249F64DC41B9EBBB9FF88310F00049EF649A3281DB715A84CF59

Function 009C556D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 009C55CB
_memcpy_s.LIBCMT ref: 009C563D
__read_nolock.LIBCMT ref: 009C569B
__filbuf.LIBCMT ref: 009C56BE
_memset.LIBCMT ref: 009C5702

Part of subcall function 009C8C88: __getptd_noexit.LIBCMT ref: 009C8C88

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 40f0e3e4b42387ca7955911bcc2e8ce9a5f81517652e94e2cf39f134d86c1722
Instruction ID: a14536ad10e1b02af87b7ff4dc8d17cf936a5da6182f53bfdcc377b1c05d7b14
Opcode Fuzzy Hash: 40f0e3e4b42387ca7955911bcc2e8ce9a5f81517652e94e2cf39f134d86c1722
Instruction Fuzzy Hash: 9851B070E00B05DBDF249F698980F6E77AAEF40320F66872DF825962D1D774AD918B42

Function 009A52B0 Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009A52E6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009A534A
TranslateMessage.USER32(?), ref: 009A5356
DispatchMessageW.USER32(?), ref: 009A5360

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: c6d57897fed4e90b00dd4b9916d25fd702571e73661c7e0c3a53ddbe5e04af2c
Instruction ID: 80d14c63290b190a7e832ad38aa11563325cba7a2e5a9b1d9a21b36854311de3
Opcode Fuzzy Hash: c6d57897fed4e90b00dd4b9916d25fd702571e73661c7e0c3a53ddbe5e04af2c
Instruction Fuzzy Hash: 6F31F470A40B06DBEF30CBB49C44FAA37BCAB52344F16445AE421871D1DBF4A88AD7A1

Function 009A1284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,009A1275,SwapMouseButtons,00000004,?), ref: 009A12A8
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,009A1275,SwapMouseButtons,00000004,?), ref: 009A12C9
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,009A1275,SwapMouseButtons,00000004,?), ref: 009A12EB

Strings

Control Panel\Mouse, xrefs: 009A12A6

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8e1a514205718d3dc79450498bd76a31e027279cb6ec64ecebd7d96ed95f082e
Instruction ID: 8b0164f4f131390482a6f30f2a44786ec692db526bce87fd5dd43ecd8782b1e4
Opcode Fuzzy Hash: 8e1a514205718d3dc79450498bd76a31e027279cb6ec64ecebd7d96ed95f082e
Instruction Fuzzy Hash: 63115775610208BFDB20CFA4DC84EAEBBBCEF06740F008569F805D7220E6319E409BA4

Function 009B5B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009B5B58

Part of subcall function 009B56F8: _memset.LIBCMT ref: 009B5787
Part of subcall function 009B56F8: _wcscpy.LIBCMT ref: 009B57DB
Part of subcall function 009B56F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009B57EB

KillTimer.USER32(?,00000001,?,?), ref: 009B5BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 009B5BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009F0CFC

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: f2a67b00743152000564847ac3766841a9b46455583c0d2c0fd522b9f7a7f119
Instruction ID: c5e79e018bcc3b36a6299c74c1d3fb7a66823d17d45f794d24c47d1d10641951
Opcode Fuzzy Hash: f2a67b00743152000564847ac3766841a9b46455583c0d2c0fd522b9f7a7f119
Instruction Fuzzy Hash: 4421D770904B98AFE772CB24CC95FFABBECAB41318F04048DE7DA56182C7742985CB51

Function 009B278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 009B49C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,009B27AF,?,00000001), ref: 009B49F4

_free.LIBCMT ref: 009EFA84
_free.LIBCMT ref: 009EFACB

Part of subcall function 009B29BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 009B2ADF

Strings

Bad directive syntax error, xrefs: 009EFAB3

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: 1c1ef8c21e00359f9986b0a26d4e0911071051bea4c4d37d742f94d61e6b20e0
Instruction ID: 61a33d43b4f7d842f0bfcbbee41c69f10806ef7a1e1c109ea6d2cde9748530e6
Opcode Fuzzy Hash: 1c1ef8c21e00359f9986b0a26d4e0911071051bea4c4d37d742f94d61e6b20e0
Instruction Fuzzy Hash: 53917071D10259AFCF15DFA5C9A1AEEB7B4FF44310F10442AF816AB292EB30AE05CB50

Function 00A09B5E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 009B4AB2: __fread_nolock.LIBCMT ref: 009B4AD0

_wcscmp.LIBCMT ref: 00A09C4E
_wcscmp.LIBCMT ref: 00A09C61

Strings

FILE, xrefs: 00A09B9A

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 8bdbd933aeb0a639a0d4c48a8329d9af551a6ce291376a968243317129b6ca92
Instruction ID: 3a94d8bd52a1d703e8961ab743be454dc270e0942456e82dbd2db91da84372e7
Opcode Fuzzy Hash: 8bdbd933aeb0a639a0d4c48a8329d9af551a6ce291376a968243317129b6ca92
Instruction Fuzzy Hash: 5E41F931A40219BADF219BA1DC45FDFBBFDEF85710F00446AF900A72C2D671AA458765

Function 009B31BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009F02AB
GetOpenFileNameW.COMDLG32(?), ref: 009F02F5

Part of subcall function 009C01AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009B2A58,?,00008000), ref: 009C01CF

Part of subcall function 009C08F0: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 009C090F

Strings

X, xrefs: 009F02C3

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: d075841b170c9e6fb32bb9786e74093b8e8ad068a54e7c430cdeee735c5ee3ed
Instruction ID: 5ca9f68d6caa19f6e2b614950ac1c3b859f640de8a159e2b4c057843390ca1ec
Opcode Fuzzy Hash: d075841b170c9e6fb32bb9786e74093b8e8ad068a54e7c430cdeee735c5ee3ed
Instruction Fuzzy Hash: 0A218171A14258ABDB41DFD4C845BEE7BFCAF89311F00405AE804AB241DBB45A8DCFA1

Function 00A1CF8E Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886d46a841e60a507f43438d5fa049fb4dcb3366f46c9016f4587b439db5f860
Instruction ID: 73edd0e08fa6225d38fe54e33428c29d934500491c691586cd8a04cf697faaf4
Opcode Fuzzy Hash: 886d46a841e60a507f43438d5fa049fb4dcb3366f46c9016f4587b439db5f860
Instruction Fuzzy Hash: 3AF116716083019FC714DF28C584AAABBE5FFC9314F14892EF8A99B251D771E985CF82

Function 009B1680 Relevance: 4.7, APIs: 3, Instructions: 187COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009B16DB
_memmove.LIBCMT ref: 009B174C
_memmove.LIBCMT ref: 009B17B9

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 0db628e547a2f07469130f4829ca102e704f2c66409be33de61bd49119878591
Instruction ID: f9bbacc8ac1b32e0686af26f63482f558ae11ac2ba3dfc528ac9f7687a0f0676
Opcode Fuzzy Hash: 0db628e547a2f07469130f4829ca102e704f2c66409be33de61bd49119878591
Instruction Fuzzy Hash: 1C61D271A00209EBDF04CF25D991BAA7BB4FF84320F958569EC19CF294EB35D960CB51

Function 009AAAAA Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 009C06E6: MapVirtualKeyW.USER32(0000005B,00000000), ref: 009C0717
Part of subcall function 009C06E6: MapVirtualKeyW.USER32(00000010,00000000), ref: 009C071F
Part of subcall function 009C06E6: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009C072A
Part of subcall function 009C06E6: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009C0735
Part of subcall function 009C06E6: MapVirtualKeyW.USER32(00000011,00000000), ref: 009C073D
Part of subcall function 009C06E6: MapVirtualKeyW.USER32(00000012,00000000), ref: 009C0745

Part of subcall function 009BFE77: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,009AAC6B), ref: 009BFED2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 009AAD08
OleInitialize.OLE32(00000000), ref: 009AAD85
CloseHandle.KERNEL32(00000000), ref: 009E2E86

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 579c492bde17bad67a7c6fb541b725761778ef8759210e05f63bf0253e5aef49
Instruction ID: fcd473a9692a8624fec94a8386c37b6b0642c787c4677a40e126315ba72809cb
Opcode Fuzzy Hash: 579c492bde17bad67a7c6fb541b725761778ef8759210e05f63bf0253e5aef49
Instruction Fuzzy Hash: EC819BB09012409FC784DFB9EA596557BF5FB98718B10822EE029CB3B2EFB15406CF95

Function 009B59D3 Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009B59F9
Shell_NotifyIconW.SHELL32(00000000,?), ref: 009B5A9E
Shell_NotifyIconW.SHELL32(00000001,?), ref: 009B5ABB

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: b61fc58d2efbd8c52fe51fba2522a0f9517cbe6c2d65805533befcc7dc71c095
Instruction ID: 463a3f50823a5f0a1dc5222439c8f19aebc842d310092c216e5690f935e1ab06
Opcode Fuzzy Hash: b61fc58d2efbd8c52fe51fba2522a0f9517cbe6c2d65805533befcc7dc71c095
Instruction Fuzzy Hash: 1E31C1B09047019FC720EF74D9947D7BBF8FB48314F000A2EE6DA92240E7B1A948CB52

Function 009C586C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 009C5883

Part of subcall function 009CA2CB: __NMSG_WRITE.LIBCMT ref: 009CA2F2
Part of subcall function 009CA2CB: __NMSG_WRITE.LIBCMT ref: 009CA2FC

__NMSG_WRITE.LIBCMT ref: 009C588A

Part of subcall function 009CA328: GetModuleFileNameW.KERNEL32(00000000,00A643BA,00000104,00000004,00000001,009C0F33), ref: 009CA3BA
Part of subcall function 009CA328: ___crtMessageBoxW.LIBCMT ref: 009CA468

Part of subcall function 009C3201: ___crtCorExitProcess.LIBCMT ref: 009C3207
Part of subcall function 009C3201: ExitProcess.KERNEL32 ref: 009C3210

Part of subcall function 009C8C88: __getptd_noexit.LIBCMT ref: 009C8C88

RtlAllocateHeap.NTDLL(01490000,00000000,00000001,?,00000004,?,?,009C0F33,?), ref: 009C58AF

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: e71f163af7e42d2e5c20403d64cb203e34cbea6bf61d649f31a245e81844fd82
Instruction ID: e6593a3bdb515872e532caa8a0e3d967d0e09bcb5f892c243cb5844423cc1228
Opcode Fuzzy Hash: e71f163af7e42d2e5c20403d64cb203e34cbea6bf61d649f31a245e81844fd82
Instruction Fuzzy Hash: 4901F535E80B12ABE6107774DC52F2E279CDFC2B60F62413DF411AA191DEB4AD8247A3

Function 00A09135 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A09143

Part of subcall function 009C2EB5: RtlFreeHeap.NTDLL(00000000,00000000,?,009C9B84,00000000,009C8C8D,009C58F3), ref: 009C2EC9
Part of subcall function 009C2EB5: GetLastError.KERNEL32(00000000,?,009C9B84,00000000,009C8C8D,009C58F3), ref: 009C2EDB

_free.LIBCMT ref: 00A09154
_free.LIBCMT ref: 00A09166

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 144f5af94d943480d36d389951f06cd61afa83af8249d10b620ede2dc82f263b
Instruction ID: e81d7cf5be102e8d5a09b55f8a32ae4abc9835a56d3202b46c63865820f3f158
Opcode Fuzzy Hash: 144f5af94d943480d36d389951f06cd61afa83af8249d10b620ede2dc82f263b
Instruction Fuzzy Hash: 30E017B1F0160282DA64A778B948F9323EC5F88761B14091EBA4AE72C3CE34E841C168

Function 009A5E83 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

CALL, xrefs: 009DE164

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: bf09068762fc7bd81fe3a8dddf55b320893fde6de8830a58f37721d6b4e1f2bc
Instruction ID: 340859e8d274763fd1f9ae296a8fb526941a2bc8a3f9f4011e341d4c672812de
Opcode Fuzzy Hash: bf09068762fc7bd81fe3a8dddf55b320893fde6de8830a58f37721d6b4e1f2bc
Instruction Fuzzy Hash: 22322770608301DFC724DF14C594B6ABBE5BF86304F19896DF89A9B362D735E885CB82

Function 009B48B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009B48FA

Strings

EA06, xrefs: 009F0821

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: e76e4f1308fa8fa1dbf97058ca215be9fd51228e1584579ccbb8e79b0f3fe749
Instruction ID: 374b4a90eb79df0cf55594c23ecb3415d44b09368e62990748f4e1c64b299fcc
Opcode Fuzzy Hash: e76e4f1308fa8fa1dbf97058ca215be9fd51228e1584579ccbb8e79b0f3fe749
Instruction Fuzzy Hash: 8B41DD31A0415C6BDF219B648E517FF7FA98BC1730F5804A5E982EB287C1349D80E7A2

Function 0CB904D0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

failed to allocate %u bytes of memory, xrefs: 0CB904E7

Memory Dump Source

Source File: 0000000A.00000002.4115165866.000000000CB68000.00000020.00001000.00020000.00000000.sdmp, Offset: 0CB60000, based on PE: true

Associated: 0000000A.00000002.4115151609.000000000CB60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CCC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CD6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115371137.000000000CDA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_cb60000_Refugees.jbxd

Similarity

API ID:
String ID: failed to allocate %u bytes of memory
API String ID: 0-1168259600
Opcode ID: e23b28aafbcfae4eb987cbb417eda097e5dc939306feb403f0869940a78ba6c5
Instruction ID: 14925f13fc42a227b4c6df0eeff28fd50a3c979f331dc1faf453608ad87c8338
Opcode Fuzzy Hash: e23b28aafbcfae4eb987cbb417eda097e5dc939306feb403f0869940a78ba6c5
Instruction Fuzzy Hash: F7D02222ECC22133CA213180FC01ACF3D409B505A1F0101B4FD4C1A330E1698C5893C3

Function 00A1DF01 Relevance: 3.2, APIs: 2, Instructions: 227COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 00A1DFD4

Part of subcall function 009A4D37: __itow.LIBCMT ref: 009A4D62
Part of subcall function 009A4D37: __swprintf.LIBCMT ref: 009A4DAC

_wcscpy.LIBCMT ref: 00A1E063

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: 53f9126c592cd808a1e64faf0546f42b090af6e6783289c325cfb4b9777c4906
Instruction ID: 8ae24c3c78c021e0c0fc2f6355a15ca1ecbfc1bfb8df13aa5363b0d5bb305bd5
Opcode Fuzzy Hash: 53f9126c592cd808a1e64faf0546f42b090af6e6783289c325cfb4b9777c4906
Instruction Fuzzy Hash: 24912835A00514EFCB18DF28C591AA9B7F5EF9A310B55855AEC0A8F3A2DB30ED41CF81

Function 00A06685 Relevance: 3.2, APIs: 2, Instructions: 216COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A06759
_memmove.LIBCMT ref: 00A06777

Part of subcall function 00A068E0: _memmove.LIBCMT ref: 00A0696E

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 7f034399ab0d1848d73dddd4d523cdfdefcfd3c223b9f20a2fa260dd8b6723ad
Instruction ID: 817822da990e13f050d1ca5bd8f3f1a95f0b6a91de6d5f67adbbefca03cff3a2
Opcode Fuzzy Hash: 7f034399ab0d1848d73dddd4d523cdfdefcfd3c223b9f20a2fa260dd8b6723ad
Instruction Fuzzy Hash: 1C71D07160021C9FDB249F14E855BAA77B6EF85328F28C90DECD55B2C2CB31AD64CB91

Function 00A05FA2 Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00A05FBB

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 4ed1741a8e3cbea5c3c7d93b0f11801f0456b131ea3e4b07c6345bee8056757d
Instruction ID: 9e85eec2183f9d6621782671bc03cd273152441bd0719edeb81ba00f3dac041d
Opcode Fuzzy Hash: 4ed1741a8e3cbea5c3c7d93b0f11801f0456b131ea3e4b07c6345bee8056757d
Instruction Fuzzy Hash: 1A41927294020DEFDB21DF64D8919AEB7B8EF44324F20852EE516D7290EB71DE54CB60

Function 009C0D68 Relevance: 3.1, APIs: 2, Instructions: 94libraryCOMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32 ref: 009C0E05
LoadLibraryExW.KERNELBASE ref: 009C0E17

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ChangeCloseFindLibraryLoadNotification
String ID:
API String ID: 1525634188-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: b4340c33a315ef048ddc3f0efc0b2f23ff2e0acd5fa6c9a75dd6d6b54e9e105d
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1D31B974A00205DBC718DF98C480A69F7AAFF89310F648A99E40ACB656D735EDD1CBD1

Function 009B5F8B Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 009B5FEF

Part of subcall function 009C34CE: __lock.LIBCMT ref: 009C34D4
Part of subcall function 009C34CE: DecodePointer.KERNEL32(00000001,?,009B6004,009F8675), ref: 009C34E0
Part of subcall function 009C34CE: EncodePointer.KERNEL32(?,?,009B6004,009F8675), ref: 009C34EB

Part of subcall function 009B5F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 009B5F18
Part of subcall function 009B5F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 009B5F2D

Part of subcall function 009B5240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009B526C
Part of subcall function 009B5240: IsDebuggerPresent.KERNEL32 ref: 009B527E
Part of subcall function 009B5240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 009B52E6
Part of subcall function 009B5240: SetCurrentDirectoryW.KERNEL32(?), ref: 009B5366

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 009B602F

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 421cb0dd38936f72962de5e0c9b3565b11d29d94a0f9a520e380b0163b1d37bd
Instruction ID: 2bfb46a66721bc76206b7f98416d520ca04909e52999471b5cdb300823cb15ad
Opcode Fuzzy Hash: 421cb0dd38936f72962de5e0c9b3565b11d29d94a0f9a520e380b0163b1d37bd
Instruction Fuzzy Hash: 94116DB19083019BC301EFB9ED49A9ABFF8EBC4714F00851EF054872A1DBB0A9458B92

Function 009C0F16 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009C586C: __FF_MSGBANNER.LIBCMT ref: 009C5883
Part of subcall function 009C586C: __NMSG_WRITE.LIBCMT ref: 009C588A
Part of subcall function 009C586C: RtlAllocateHeap.NTDLL(01490000,00000000,00000001,?,00000004,?,?,009C0F33,?), ref: 009C58AF

std::exception::exception.LIBCMT ref: 009C0F4C
__CxxThrowException@8.LIBCMT ref: 009C0F61

Part of subcall function 009C86FB: RaiseException.KERNEL32(?,?,?,00A5AE78,?,?,?,?,?,009C0F66,?,00A5AE78,?,00000001), ref: 009C8750

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 694fa7dfe2a29d7a7d0b28c1e2c7c0e472c07b555863026c6004ec89476dbad3
Instruction ID: 1d0d28d0c69a8364fa116dad571c5e38678ace47f0bf22328df384ea8d6c4e29
Opcode Fuzzy Hash: 694fa7dfe2a29d7a7d0b28c1e2c7c0e472c07b555863026c6004ec89476dbad3
Instruction Fuzzy Hash: EEF08131D0821DA6CF20AA69E912FEE7BACAF81350F50496DFC1492181DFB19B8086D6

Function 009C574D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 009C577C
__lock_file.LIBCMT ref: 009C579D

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: e801bd7e13a14e5c13e0391a53585939998df44094cf880fe2de8a7716580697
Instruction ID: c66ab80e8ca53f49545c906fe577877715d96db70eac57028a8a0a67e68ea7ef
Opcode Fuzzy Hash: e801bd7e13a14e5c13e0391a53585939998df44094cf880fe2de8a7716580697
Instruction Fuzzy Hash: 54018471C00609EBCF11AF658C01F9F7B65BFC0320F15421DF8285A191DB719AA2DBA3

Function 009C54F6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009C8C88: __getptd_noexit.LIBCMT ref: 009C8C88

__lock_file.LIBCMT ref: 009C553B

Part of subcall function 009C6D6E: __lock.LIBCMT ref: 009C6D91

__fclose_nolock.LIBCMT ref: 009C5546

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 687d4e91e30e1f2c8615b8a0b0564a667f46b6ed5982d98929e2f48ede4cc850
Instruction ID: f626f2b093b9ee79af6157bf3e42d2eac56840c924817c3e5ff1b35ce5fc3f63
Opcode Fuzzy Hash: 687d4e91e30e1f2c8615b8a0b0564a667f46b6ed5982d98929e2f48ede4cc850
Instruction Fuzzy Hash: ECF09071D01B459BD710AB658C02F6E67A1AF80331F16860DB465AB1C2CF7C9E829B53

Function 009C5DB0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 009C5DE4
__ftell_nolock.LIBCMT ref: 009C5DEF

Part of subcall function 009C8C88: __getptd_noexit.LIBCMT ref: 009C8C88

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: 0a8e68d9a89e0a3f2c07e7f1e4ac42215cdc7a99ffa28cbf4faee227edae8ebc
Instruction ID: f10a519c7da9a87db4ce94309697ca6a1c130fe70afec3448015033976483df4
Opcode Fuzzy Hash: 0a8e68d9a89e0a3f2c07e7f1e4ac42215cdc7a99ffa28cbf4faee227edae8ebc
Instruction Fuzzy Hash: 69F0A731D51605AAD710BB754C02FAF66906F80331F12460DB011EB1C2CF789F429A97

Function 009B5AC3 Relevance: 3.0, APIs: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009B5AEF
Shell_NotifyIconW.SHELL32(00000002,?), ref: 009B5B1F

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: f044807be5f22fb684d43d550135c612c3c77b6a29e94704b7f8bcb5f1de576d
Instruction ID: f3b1aef22675319c30124b4f972107cf085106152f07842c58e66a402f71df2b
Opcode Fuzzy Hash: f044807be5f22fb684d43d550135c612c3c77b6a29e94704b7f8bcb5f1de576d
Instruction Fuzzy Hash: C1F0A770D043189FD792CBA4DC45BD57BBC970030CF0401EDEA4896296DBB50B89CF51

Function 00A1C11D Relevance: 1.8, APIs: 1, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: LoadString$__swprintf
String ID:
API String ID: 207118244-0
Opcode ID: 083dd26a4bc6b616cd656644c88826f5e55ffd865e818e39a3ee5bc9108b7f11
Instruction ID: d0beaaa1ecf4d9dfd7589851842640168dbdb4ebfc21781c85ca0443b1e0ba49
Opcode Fuzzy Hash: 083dd26a4bc6b616cd656644c88826f5e55ffd865e818e39a3ee5bc9108b7f11
Instruction Fuzzy Hash: 89B15035A40109EFCB14EF94D851EFEBBB5FF88720F14811AF915AB291DB70A991CB90

Function 009AA820 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3478e6c1d061cc8b8497cfaff76916654cd9ac0ec172c6a779e5271467c0732e
Instruction ID: 6ca9319060d5a8d7e4f8271b5a5641eecfec4f679c62fa09ba10d967b13dd1cd
Opcode Fuzzy Hash: 3478e6c1d061cc8b8497cfaff76916654cd9ac0ec172c6a779e5271467c0732e
Instruction Fuzzy Hash: CD61BD70600206DFDB10DF54C881B7BB7E9EF8A310F25856DE91A9B291D779ED80CB92

Function 009B343F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009B351A

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 2c0cf660d0e4f10e96f5a51a60e5a6f37166e2a5cc8993c5eec2e05e3ccb1bf4
Instruction ID: aeec86fc789a94e225e5ca49a400a32c76ec3e2b7a94e603b09a822517d98011
Opcode Fuzzy Hash: 2c0cf660d0e4f10e96f5a51a60e5a6f37166e2a5cc8993c5eec2e05e3ccb1bf4
Instruction Fuzzy Hash: E131C175604602DFC724DF19D590AA1F7A5FF48320B14C66DE98A8B7A1DB70ED81CB80

Function 009DE20F Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 009DE21A

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 0975fd96024410b71fda56555f0812a0aef98c9dcd49691ff250746f7b4f317b
Instruction ID: b5b90e5f261bebdeea5bbd1bb29beb36ca3f3866c37698d48f4a2f3305d9d1b8
Opcode Fuzzy Hash: 0975fd96024410b71fda56555f0812a0aef98c9dcd49691ff250746f7b4f317b
Instruction Fuzzy Hash: 84411974508341CFDB24DF14C494B5ABBE5BF85318F0989ACE8998B362C335EC85CB92

Function 009B49C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B4B29: FreeLibrary.KERNEL32(00000000,?), ref: 009B4B63

Part of subcall function 009C53AB: __wfsopen.LIBCMT ref: 009C53B6

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,009B27AF,?,00000001), ref: 009B49F4

Part of subcall function 009B4ADE: FreeLibrary.KERNEL32(00000000), ref: 009B4B18

Part of subcall function 009B48B0: _memmove.LIBCMT ref: 009B48FA

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 53f694dc21cc87abff3afdbfcceae3f71a4cb97d3f412ddc942b88f9c445d947
Instruction ID: 542c3a2996c9e282f810c96ad868bd853727299fe0eb1176a818cb98acd5aa0a
Opcode Fuzzy Hash: 53f694dc21cc87abff3afdbfcceae3f71a4cb97d3f412ddc942b88f9c445d947
Instruction Fuzzy Hash: 4F11EB31650209BBCF10FBB0CE12FEE77A99F80721F10442DF541A6183DE759A01B754

Function 009B1BCC Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009B1BFE

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 318c5f7c7d7cd3286f291ec0607ef5a37b780457557490e7402b534527efcf7f
Instruction ID: a2a467b8f79a1c400a3c5dc438dd020199c93f6a2628887f9b74c95f3ea4d810
Opcode Fuzzy Hash: 318c5f7c7d7cd3286f291ec0607ef5a37b780457557490e7402b534527efcf7f
Instruction Fuzzy Hash: ED115E76604601DFC724CF28D591A56FBF9FF89320B60C82EE48ACB261E732E841CB50

Function 009DE2F2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 009DE2FE

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: c1f09545940886f5b00b4372653728cdb50c19a55b3e7f57d5fde205d3aea5ec
Instruction ID: 65f1beed6448d3e23461ed559f10d1e4b3f99e6acc50d6f543b9b208f2be7db3
Opcode Fuzzy Hash: c1f09545940886f5b00b4372653728cdb50c19a55b3e7f57d5fde205d3aea5ec
Instruction Fuzzy Hash: F6212470908301DFCB24DF54C454B5ABBE4BF85304F09896CF88A8B322C331E849CB92

Function 009FFCDB Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009FFD16

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 35c911cd2398f4784c93c0efd88a5e5c70ab84a347dfa3976c7b08d64d2b32f3
Instruction ID: 2a62d82f4875691064eb32f5ebfd38772e1b748c919a0b6f689152bd7a9dc390
Opcode Fuzzy Hash: 35c911cd2398f4784c93c0efd88a5e5c70ab84a347dfa3976c7b08d64d2b32f3
Instruction Fuzzy Hash: B901A972200215ABDB24DF2DD891E7BB7ADEFC5364714443EF90ACB245E631E901C791

Function 00A1473F Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00A1477C

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: d90c3f403130748f5ca0e7693051da55bd48fdaada3813ee7f2b17990579c0c8
Instruction ID: daeb907e56c616cdbc7555682e114be78889c9b8b123d51a8e4fcce9938651cf
Opcode Fuzzy Hash: d90c3f403130748f5ca0e7693051da55bd48fdaada3813ee7f2b17990579c0c8
Instruction Fuzzy Hash: 5AF03131A08209AF9B14EBA5D846DDF77B8EF89320F104159F4049B261DF71B981CBA1

Function 00A07AEC Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 009C0F16: std::exception::exception.LIBCMT ref: 009C0F4C
Part of subcall function 009C0F16: __CxxThrowException@8.LIBCMT ref: 009C0F61

_memset.LIBCMT ref: 00A07B21

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Exception@8Throw_memsetstd::exception::exception
String ID:
API String ID: 525207782-0
Opcode ID: c34491c4572dc16e51a14d0fcf010cac5864f028c0566f866116d8912fde49fb
Instruction ID: a47127c3e784e4eb6a27a655423cf7b82ea5e128f856ef64b246e3fc9ed376a4
Opcode Fuzzy Hash: c34491c4572dc16e51a14d0fcf010cac5864f028c0566f866116d8912fde49fb
Instruction Fuzzy Hash: 9A01F674604204DFD325EF5CD441F05BBE5AF9A310F24849EF5888B3A2DB72E8418B91

Function 009DDB8A Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 009C0F16: std::exception::exception.LIBCMT ref: 009C0F4C
Part of subcall function 009C0F16: __CxxThrowException@8.LIBCMT ref: 009C0F61

_memmove.LIBCMT ref: 009DDBBB

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Exception@8Throw_memmovestd::exception::exception
String ID:
API String ID: 1602317333-0
Opcode ID: 9c4b4b06b97a342b372b4b1ca5fb652688e856bb2ce843847531830677b80c8a
Instruction ID: 1d5c2caf5454bddd20858a07e09cbf77a1766e48d2012e85a1269a636280ac7f
Opcode Fuzzy Hash: 9c4b4b06b97a342b372b4b1ca5fb652688e856bb2ce843847531830677b80c8a
Instruction Fuzzy Hash: E5F01D74A00101DFE720DF68C981F15BBE5BF9A304F24849DE1898B3A2E777E851CB92

Function 009B4A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 009B4AA4

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: 0a4098fbca966de150df0e901f011b960a22b5df12848eeca8f12985b6aae40b
Instruction ID: a216e48f060cad9e5ef7e4d5cc22c6b6b697f2c542e2cf04c1f94adec8b61beb
Opcode Fuzzy Hash: 0a4098fbca966de150df0e901f011b960a22b5df12848eeca8f12985b6aae40b
Instruction Fuzzy Hash: 3EF085B6800208BFCF108F84DC00DEBBB7DEB85320F00449CF9045A221D232EA21DBA1

Function 009B4A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,009B27AF,?,00000001), ref: 009B4A63

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 635b4cd2b098df5a86f7b88c81ca9d315ca0673eb185eb4b206b60999335e1ea
Instruction ID: 630b53d6408d947b293a1a9fbf3feef439dd023b723e76f41f89fd6b85758df7
Opcode Fuzzy Hash: 635b4cd2b098df5a86f7b88c81ca9d315ca0673eb185eb4b206b60999335e1ea
Instruction Fuzzy Hash: D1F01571145701CFCB349F64E99089ABBF4AF143263208A2EE5D683622C731A884EB84

Function 009E09A9 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 009E09B4

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 2c6d407b7c549746fef602036f7b6541f097f3278758d97ff222f181aafe3074
Instruction ID: 3c9bb7d96014b43ca4c457f5b7f355f43495985b0e5fee29df3beb9e08c7e634
Opcode Fuzzy Hash: 2c6d407b7c549746fef602036f7b6541f097f3278758d97ff222f181aafe3074
Instruction Fuzzy Hash: 4CE02B71B081894EEB318FA59809B66FBD8BBC1314F20885ED495C1142D3F55CD497E1

Function 009B4AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 009B4AD0

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: c46de0973e4316ba83ebc5d8e55475f12f35eb36bfefe38a98de0559b640b685
Instruction ID: 1aa68b71d09e4dbbbcb2bba738c30fc828110b3f25fbb678626ffb842f072f0e
Opcode Fuzzy Hash: c46de0973e4316ba83ebc5d8e55475f12f35eb36bfefe38a98de0559b640b685
Instruction Fuzzy Hash: 85F0F87240020DFFDF05CF94C941EAABB79FB58314F208589F9148A212D336EA61AB91

Function 009C08F0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 009C090F

Part of subcall function 009B1821: _memmove.LIBCMT ref: 009B185B

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: ab5ff62bde36c2e05588053a76952e0eab376146025ac3b2e94df0353709cdb7
Instruction ID: ee627df68dadae4c1b4eb8496f4cf3868740a38224d935f5bddcd7a6bd222074
Opcode Fuzzy Hash: ab5ff62bde36c2e05588053a76952e0eab376146025ac3b2e94df0353709cdb7
Instruction Fuzzy Hash: A5E08632A001285BC721D6D89C15FEA77DDEBC86A0F0441B6FC09D7304D9605C8186D1

Function 00A04E59 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00A03A6B), ref: 00A04E5A

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 3174850f9e7a2b0d23d044704362c152408493f0b71f2215dae7369865ff4c17
Instruction ID: 8d62e640674b9ad8865cb19a042d3bce8cf2791064222e2c187571be00cc58fc
Opcode Fuzzy Hash: 3174850f9e7a2b0d23d044704362c152408493f0b71f2215dae7369865ff4c17
Instruction Fuzzy Hash: 12B092B400060446ED680BB8A9185D933007A867E9FE81B80E9B4858E282398C5BA610

Function 009C53AB Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 009C53B6

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 242f8bb68ef4b422f287519355797511f987dcedb80a0f0cc1906faa23c2aeee
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 5BB0927684024CB7CE012A82EC02F493B199B806A8F408020FB0C18162A6B7B6A0968A

Function 00A0C0DD Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00A03E72: FindFirstFileW.KERNEL32(?,?), ref: 00A03EE9
Part of subcall function 00A03E72: DeleteFileW.KERNEL32(?,?,?,?), ref: 00A03F39
Part of subcall function 00A03E72: FindNextFileW.KERNEL32(00000000,00000010), ref: 00A03F4A
Part of subcall function 00A03E72: FindClose.KERNEL32(00000000), ref: 00A03F61

GetLastError.KERNEL32 ref: 00A0C0FF

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 2ab1f3187a4fb07be4100f6909241667ff745cf760b624e55c6ca01b8a0243f4
Instruction ID: 2817c9672b59aa8136591838194a4f7b656f3a1e92fd04f08857fd6e92a15514
Opcode Fuzzy Hash: 2ab1f3187a4fb07be4100f6909241667ff745cf760b624e55c6ca01b8a0243f4
Instruction Fuzzy Hash: E9F082362001048FCB10EF59E850F69B7E4AFC4320F048459F9468B392CB74BC41CB90

Non-executed Functions

Function 00A2CEDF Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 009A29E2: GetWindowLongW.USER32(?,000000EB), ref: 009A29F3

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A2CF5A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A2CFB8
GetWindowLongW.USER32(?,000000F0), ref: 00A2CFF9
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A2D023
SendMessageW.USER32 ref: 00A2D04C
_wcsncpy.LIBCMT ref: 00A2D0B8
GetKeyState.USER32(00000011), ref: 00A2D0D9
GetKeyState.USER32(00000009), ref: 00A2D0E6
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A2D0FC
GetKeyState.USER32(00000010), ref: 00A2D106
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A2D12F
SendMessageW.USER32 ref: 00A2D156
SendMessageW.USER32(?,00001030,?,00A2B735), ref: 00A2D25A
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A2D270
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A2D283
SetCapture.USER32(?), ref: 00A2D28C
ClientToScreen.USER32(?,?), ref: 00A2D2F1
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A2D2FE
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A2D318
ReleaseCapture.USER32 ref: 00A2D323
GetCursorPos.USER32(?), ref: 00A2D35D
ScreenToClient.USER32(?,?), ref: 00A2D36A
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A2D3C6
SendMessageW.USER32 ref: 00A2D3F4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A2D431
SendMessageW.USER32 ref: 00A2D460
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A2D481
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A2D490
GetCursorPos.USER32(?), ref: 00A2D4B0
ScreenToClient.USER32(?,?), ref: 00A2D4BD
GetParent.USER32(?), ref: 00A2D4DD
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A2D546
SendMessageW.USER32 ref: 00A2D577
ClientToScreen.USER32(?,?), ref: 00A2D5D5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A2D605
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A2D62F
SendMessageW.USER32 ref: 00A2D652
ClientToScreen.USER32(?,?), ref: 00A2D6A4
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A2D6D8

Part of subcall function 009A29AB: GetWindowLongW.USER32(?,000000EB), ref: 009A29BC

GetWindowLongW.USER32(?,000000F0), ref: 00A2D774

Strings

@GUI_DRAGID, xrefs: 00A2D2BF
F, xrefs: 00A2D658

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 3186607436ff4a8e28d4cd01353567d9489101beff7c8dc9bd1ec3f5e3673629
Instruction ID: 66878ab9268e323aea1b2a02114ec1a14fe71b669f3bf21a3ee48ef4aed98aef
Opcode Fuzzy Hash: 3186607436ff4a8e28d4cd01353567d9489101beff7c8dc9bd1ec3f5e3673629
Instruction Fuzzy Hash: 3E42AE30204311AFDB20CF68DD48EAABBF5FF89760F144929F699872A1C771E855CB91

Function 009F8D11 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 009F917C: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009F91C6
Part of subcall function 009F917C: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009F91F3
Part of subcall function 009F917C: GetLastError.KERNEL32 ref: 009F9200

_memset.LIBCMT ref: 009F8D54
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009F8DA6
CloseHandle.KERNEL32(?), ref: 009F8DB7
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009F8DCE
GetProcessWindowStation.USER32 ref: 009F8DE7
SetProcessWindowStation.USER32(00000000), ref: 009F8DF1
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 009F8E0B

Part of subcall function 009F8BCC: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009F8D0A), ref: 009F8BE1
Part of subcall function 009F8BCC: CloseHandle.KERNEL32(?,?,009F8D0A), ref: 009F8BF3

Strings

, xrefs: 009F8D63
winsta0, xrefs: 009F8DC9
default, xrefs: 009F8E06

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: e643b7c40c7fccd000c55911502634ac8f053208ae465f646d1a8cb6f996dc9c
Instruction ID: c712f0dff0efb96af071d3d8ec12a0919ecdfe88d92005e0aa220b0c41cef284
Opcode Fuzzy Hash: e643b7c40c7fccd000c55911502634ac8f053208ae465f646d1a8cb6f996dc9c
Instruction Fuzzy Hash: C68146B190020DAFDF51DFA4CC49EFFBBBAEF44304F14415AFA11A62A1DB318A559B60

Function 00A14416 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00A30980), ref: 00A14440
IsClipboardFormatAvailable.USER32(0000000D), ref: 00A1444E
GetClipboardData.USER32(0000000D), ref: 00A14456
CloseClipboard.USER32 ref: 00A14462
GlobalLock.KERNEL32(00000000), ref: 00A1447E
CloseClipboard.USER32 ref: 00A14488
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00A1449D
IsClipboardFormatAvailable.USER32(00000001), ref: 00A144AA
GetClipboardData.USER32(00000001), ref: 00A144B2
GlobalLock.KERNEL32(00000000), ref: 00A144BF
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00A144F3
CloseClipboard.USER32 ref: 00A14603

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 1c5365214362535af5c31d1ff618b302525c3494e5947a227179068724b672bd
Instruction ID: cfb3672e4e6fa08c4aaea980a14aba8111b99c9a8b5c33b197bc156533f16d12
Opcode Fuzzy Hash: 1c5365214362535af5c31d1ff618b302525c3494e5947a227179068724b672bd
Instruction Fuzzy Hash: F351AF31204301AFD300EFA4EC6AFAF77A8AFC8B11F004529F656D21A1DB70D945CB62

Function 00A0CC0C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A0CC3D
FindClose.KERNEL32(00000000), ref: 00A0CC91
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A0CCB6
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A0CCCD
FileTimeToSystemTime.KERNEL32(?,?), ref: 00A0CCF4
__swprintf.LIBCMT ref: 00A0CD40
__swprintf.LIBCMT ref: 00A0CD83

Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77

__swprintf.LIBCMT ref: 00A0CDD7

Part of subcall function 009C37FA: __woutput_l.LIBCMT ref: 009C3853

__swprintf.LIBCMT ref: 00A0CE25

Part of subcall function 009C37FA: __flsbuf.LIBCMT ref: 009C3875
Part of subcall function 009C37FA: __flsbuf.LIBCMT ref: 009C388D

__swprintf.LIBCMT ref: 00A0CE74
__swprintf.LIBCMT ref: 00A0CEC3
__swprintf.LIBCMT ref: 00A0CF12

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00A0CD3A
%4d, xrefs: 00A0CD7D
%02d, xrefs: 00A0CDCB, 00A0CDD5, 00A0CE23, 00A0CE72, 00A0CEC1, 00A0CF10

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: c91fa37716a77fdfc00c2377b9154bf3698a874f5700206d48f002832ef9aa8e
Instruction ID: f41cbc0b5c85c98ce8e56c6640a928d60d50e590e8677fa4ba1fac0c543f77c6
Opcode Fuzzy Hash: c91fa37716a77fdfc00c2377b9154bf3698a874f5700206d48f002832ef9aa8e
Instruction Fuzzy Hash: B7A139B1404304ABD710EFA4D996EAFB7ECBFD5704F404919B58586191EB70EA08CBA2

Function 00A0F445 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00A0F466
_wcscmp.LIBCMT ref: 00A0F47B
_wcscmp.LIBCMT ref: 00A0F492
GetFileAttributesW.KERNEL32(?), ref: 00A0F4A4
SetFileAttributesW.KERNEL32(?,?), ref: 00A0F4BE
FindNextFileW.KERNEL32(00000000,?), ref: 00A0F4D6
FindClose.KERNEL32(00000000), ref: 00A0F4E1
FindFirstFileW.KERNEL32(*.*,?), ref: 00A0F4FD
_wcscmp.LIBCMT ref: 00A0F524
_wcscmp.LIBCMT ref: 00A0F53B
SetCurrentDirectoryW.KERNEL32(?), ref: 00A0F54D
SetCurrentDirectoryW.KERNEL32(00A598F8), ref: 00A0F56B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A0F575
FindClose.KERNEL32(00000000), ref: 00A0F582
FindClose.KERNEL32(00000000), ref: 00A0F594

Strings

*.*, xrefs: 00A0F4F8

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 39573c85619a723a92d9443321cbe30dbb69ae6ba046f10dad7653a40f3feea2
Instruction ID: 9df55dc708b4caf15c9a9d601e25ee08c3c50c6ba943827b0af25c13833ccd26
Opcode Fuzzy Hash: 39573c85619a723a92d9443321cbe30dbb69ae6ba046f10dad7653a40f3feea2
Instruction Fuzzy Hash: 86318C3160021DAFDB20DFA4AC59EDF77ACAF49321F104566F914E21D0EB34EA858B60

Function 00A20C7F Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A20D7B
RegCreateKeyExW.ADVAPI32(?,?,00000000,00A30980,00000000,?,00000000,?,?), ref: 00A20DE9
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00A20E31
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00A20EBA
RegCloseKey.ADVAPI32(?), ref: 00A211DA
RegCloseKey.ADVAPI32(00000000), ref: 00A211E7

Strings

REG_DWORD, xrefs: 00A210AB
REG_SZ, xrefs: 00A20EF8
REG_MULTI_SZ, xrefs: 00A20FA2
REG_BINARY, xrefs: 00A21175
REG_EXPAND_SZ, xrefs: 00A20E57
REG_QWORD, xrefs: 00A21128

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: cfdea00601804be53ffbc30bbb3a59e89cefa0c7c962e39e9a1c028cda637c8b
Instruction ID: e7bf448057230167256f35d112f7b241691d8ea97eb0bc1ae2c8772f76bd2e3c
Opcode Fuzzy Hash: cfdea00601804be53ffbc30bbb3a59e89cefa0c7c962e39e9a1c028cda637c8b
Instruction Fuzzy Hash: 760248752006119FC714EF28D851E2AB7E5FF89720F05896DF98A9B2A2CB70FD41CB81

Function 00A0F5A2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00A0F5C3
_wcscmp.LIBCMT ref: 00A0F5D8
_wcscmp.LIBCMT ref: 00A0F5EF

Part of subcall function 00A046E2: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A046FD

FindNextFileW.KERNEL32(00000000,?), ref: 00A0F61E
FindClose.KERNEL32(00000000), ref: 00A0F629
FindFirstFileW.KERNEL32(*.*,?), ref: 00A0F645
_wcscmp.LIBCMT ref: 00A0F66C
_wcscmp.LIBCMT ref: 00A0F683
SetCurrentDirectoryW.KERNEL32(?), ref: 00A0F695
SetCurrentDirectoryW.KERNEL32(00A598F8), ref: 00A0F6B3
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A0F6BD
FindClose.KERNEL32(00000000), ref: 00A0F6CA
FindClose.KERNEL32(00000000), ref: 00A0F6DC

Strings

*.*, xrefs: 00A0F640

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 8d4f8accf4a5cf1008444f366a5ba75b3bba6da9a38373d1a6eb6502c671e65e
Instruction ID: a352351d63a7c5d82fd36743de1e9b29922ed1777d8c8e983ace3cf91c8e85c5
Opcode Fuzzy Hash: 8d4f8accf4a5cf1008444f366a5ba75b3bba6da9a38373d1a6eb6502c671e65e
Instruction Fuzzy Hash: 9D31F23290024E7FDB20DFA0EC59EDA77ACAF45320F1041A5F904B31E0EB328E85CA60

Function 00A0E0CA Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A0E18C
SystemTimeToFileTime.KERNEL32(?,?), ref: 00A0E19C
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A0E1A8
__wsplitpath.LIBCMT ref: 00A0E206
_wcscat.LIBCMT ref: 00A0E21E
_wcscat.LIBCMT ref: 00A0E230
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A0E245
SetCurrentDirectoryW.KERNEL32(?), ref: 00A0E259
SetCurrentDirectoryW.KERNEL32(?), ref: 00A0E28B
SetCurrentDirectoryW.KERNEL32(?), ref: 00A0E2AC
_wcscpy.LIBCMT ref: 00A0E2B8
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A0E2F7

Strings

*.*, xrefs: 00A0E2B2

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: f3868a723de0b71239f9a30b90857399805db439d9eacb0e4ea26e0a90fd8a43
Instruction ID: 48f0e9e01736289bdf5548f880d9434ebb088c32bd70663af68edffe342a880c
Opcode Fuzzy Hash: f3868a723de0b71239f9a30b90857399805db439d9eacb0e4ea26e0a90fd8a43
Instruction Fuzzy Hash: AF613A726042099FCB10EF64D895A9FB3E9FF89310F04891EF98997291DB31E945CB92

Function 009F86B0 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009F8C03: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009F8C1F
Part of subcall function 009F8C03: GetLastError.KERNEL32(?,009F86E3,?,?,?), ref: 009F8C29
Part of subcall function 009F8C03: GetProcessHeap.KERNEL32(00000008,?,?,009F86E3,?,?,?), ref: 009F8C38
Part of subcall function 009F8C03: HeapAlloc.KERNEL32(00000000,?,009F86E3,?,?,?), ref: 009F8C3F
Part of subcall function 009F8C03: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009F8C56

Part of subcall function 009F8CA0: GetProcessHeap.KERNEL32(00000008,009F86F9,00000000,00000000,?,009F86F9,?), ref: 009F8CAC
Part of subcall function 009F8CA0: HeapAlloc.KERNEL32(00000000,?,009F86F9,?), ref: 009F8CB3
Part of subcall function 009F8CA0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,009F86F9,?), ref: 009F8CC4

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009F8714
_memset.LIBCMT ref: 009F8729
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009F8748
GetLengthSid.ADVAPI32(?), ref: 009F8759
GetAce.ADVAPI32(?,00000000,?), ref: 009F8796
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009F87B2
GetLengthSid.ADVAPI32(?), ref: 009F87CF
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 009F87DE
HeapAlloc.KERNEL32(00000000), ref: 009F87E5
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009F8806
CopySid.ADVAPI32(00000000), ref: 009F880D
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009F883E
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009F8864
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009F8878

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 96642d1c0ec7c843db8aa3dbfc96ded1e4175df3923ed3653a7c45aa76f90649
Instruction ID: d0a6d7bc80495e2e832fe96e170e439bee14cfe7172c8ed5bf7ab67002db6381
Opcode Fuzzy Hash: 96642d1c0ec7c843db8aa3dbfc96ded1e4175df3923ed3653a7c45aa76f90649
Instruction Fuzzy Hash: 9861477190020AAFDF44DFA4DC55EBEBB79FF44704F048269FA25A7290DB319A16CB60

Function 00A20802 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A21242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A201D5,?,?), ref: 00A21259

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A208D4

Part of subcall function 009A4D37: __itow.LIBCMT ref: 009A4D62
Part of subcall function 009A4D37: __swprintf.LIBCMT ref: 009A4DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A20973
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A20A0B
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00A20C4A
RegCloseKey.ADVAPI32(00000000), ref: 00A20C57

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: a1dbf5438e65cfcd424e287db78e8727de341fc30e42463640e94e5b0f5c5c45
Instruction ID: 08d7196c21506409e5113f9ac332306bb9082c2ea76defe66e1e2cd1bfc9be99
Opcode Fuzzy Hash: a1dbf5438e65cfcd424e287db78e8727de341fc30e42463640e94e5b0f5c5c45
Instruction Fuzzy Hash: 95E15D71204214AFC714DF29D995E6BBBE9EF89314F04856DF84AD72A2DB30E901CB91

Function 00A042AA Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00A042BE
__swprintf.LIBCMT ref: 00A042CB

Part of subcall function 009C37FA: __woutput_l.LIBCMT ref: 009C3853

FindResourceW.KERNEL32(?,?,0000000E), ref: 00A042F5
LoadResource.KERNEL32(?,00000000), ref: 00A04301
LockResource.KERNEL32(00000000), ref: 00A0430E
FindResourceW.KERNEL32(?,?,00000003), ref: 00A0432E
LoadResource.KERNEL32(?,00000000), ref: 00A04340
SizeofResource.KERNEL32(?,00000000), ref: 00A0434F
LockResource.KERNEL32(?), ref: 00A0435B
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00A043BC

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 32ae00c31925ba236240b3bc5a2bcafa98d65a67f933a56272d999900b87ba24
Instruction ID: d371b77ef99b00bccc84e7fbc97096fdab118836371489b77a7f799027292844
Opcode Fuzzy Hash: 32ae00c31925ba236240b3bc5a2bcafa98d65a67f933a56272d999900b87ba24
Instruction Fuzzy Hash: 1B318CB160420AABCB11DFA1AD98EBF7BBCFF08301F004459FA16D6190D770D922CBA1

Function 00A14614 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00A1463B
EmptyClipboard.USER32 ref: 00A14641
GlobalAlloc.KERNEL32(00000002,?), ref: 00A14656
CloseClipboard.USER32 ref: 00A146F5

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 75334e4792a209278804f761fcd9ef368e3f6fefb904a67045ea6065054335b0
Instruction ID: 3254c752cfdcecb728e568234ec5d38d90b0c820fa993be1402fdac4b21381c4
Opcode Fuzzy Hash: 75334e4792a209278804f761fcd9ef368e3f6fefb904a67045ea6065054335b0
Instruction Fuzzy Hash: DC21D8313012109FDB11EFA4EC29F6E77A8EF85715F018019F9169B2A1CBB0AC42CB95

Function 00A03B4F Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009C01AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009B2A58,?,00008000), ref: 009C01CF

Part of subcall function 00A04E59: GetFileAttributesW.KERNEL32(?,00A03A6B), ref: 00A04E5A

FindFirstFileW.KERNEL32(?,?), ref: 00A03C03
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00A03CAB
MoveFileW.KERNEL32(?,?), ref: 00A03CBE
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00A03CDB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A03CFD
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00A03D19

Strings

\*.*, xrefs: 00A03BAE, 00A03BB7, 00A03BCC

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 08a6926e9930cc2c9072a8719333d9d44c510e3607b5ecf1e3610c55da2c7761
Instruction ID: 648254e45c9fd6186fb8d6f6c00436b587557a4a148d8303354c7293b598b47e
Opcode Fuzzy Hash: 08a6926e9930cc2c9072a8719333d9d44c510e3607b5ecf1e3610c55da2c7761
Instruction Fuzzy Hash: 6E51837280110DAADF15EBE0DE66EEDB779AF51310F604159E442B7192EF316F09CB60

Function 00A0F8A3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00A0F8F0
FindClose.KERNEL32(00000000), ref: 00A0FA03

Part of subcall function 009A52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009A52E6

Sleep.KERNEL32(0000000A), ref: 00A0F920
_wcscmp.LIBCMT ref: 00A0F934
_wcscmp.LIBCMT ref: 00A0F94F
FindNextFileW.KERNEL32(?,?), ref: 00A0F9ED

Strings

*.*, xrefs: 00A0F8D5

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
String ID: *.*
API String ID: 2185952417-438819550
Opcode ID: c466c0bd2da0d12fb88fd5700ac48fa7fd000c7f16a9e101b3d983752b0076ee
Instruction ID: 6369a36f50090a9b52d07e71211ff17ac33ab160edf19b71c60853a1863f1d03
Opcode Fuzzy Hash: c466c0bd2da0d12fb88fd5700ac48fa7fd000c7f16a9e101b3d983752b0076ee
Instruction Fuzzy Hash: FC417A7190021EAFDF24DFA4DD59BEEBBB4FF45350F144566E814A3291EB309A84CB90

Function 00A055E5 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009F917C: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009F91C6
Part of subcall function 009F917C: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009F91F3
Part of subcall function 009F917C: GetLastError.KERNEL32 ref: 009F9200

ExitWindowsEx.USER32(?,00000000), ref: 00A05621

Strings

, xrefs: 00A0560F
SeShutdownPrivilege, xrefs: 00A055F1
@, xrefs: 00A05614

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 810f8598ceab5c33cda8eef3ec937bd2cf5dd439bfe2d5826c66f6f54bc1ef71
Instruction ID: dd1821148ecd7111067c2a8e61a0b889ce2963de82f00f1644b06aef2cb3dd52
Opcode Fuzzy Hash: 810f8598ceab5c33cda8eef3ec937bd2cf5dd439bfe2d5826c66f6f54bc1ef71
Instruction Fuzzy Hash: 2501F231E9461D6BEB28A7F8BC5AFBB726CEB05741F580520F917D20D2DAA25C008E95

Function 00A16733 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A1678C
WSAGetLastError.WSOCK32(00000000), ref: 00A1679B
bind.WSOCK32(00000000,?,00000010), ref: 00A167B7
listen.WSOCK32(00000000,00000005), ref: 00A167C6
WSAGetLastError.WSOCK32(00000000), ref: 00A167E0
closesocket.WSOCK32(00000000,00000000), ref: 00A167F4

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: fd5ef06bbdc1e54dfeb7a6496beb59cb92c9436a0603fede9b5b669eb9fac810
Instruction ID: 6be1eebb224579244316cebe52c674c82a6ebe1d28bb6e51587724eb3bc13236
Opcode Fuzzy Hash: fd5ef06bbdc1e54dfeb7a6496beb59cb92c9436a0603fede9b5b669eb9fac810
Instruction Fuzzy Hash: A621CE30200604AFCB10EF64CD95FAEB3A9EF89324F108559F966E72D1CB70AC41CB90

Function 009A1663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 009A29E2: GetWindowLongW.USER32(?,000000EB), ref: 009A29F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 009A1DD6
GetSysColor.USER32(0000000F), ref: 009A1E2A
SetBkColor.GDI32(?,00000000), ref: 009A1E3D

Part of subcall function 009A166C: DefDlgProcW.USER32(?,00000020,?), ref: 009A16B4

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: b7b7667c0285b8358f6fff757cad49d32967ac790057f3fc4ee751d2c0ad0462
Instruction ID: d517b1f07e020b30886bc430aba7f7a1fde242815026d73eace51ed990205248
Opcode Fuzzy Hash: b7b7667c0285b8358f6fff757cad49d32967ac790057f3fc4ee751d2c0ad0462
Instruction Fuzzy Hash: 72A15874105414FEE62CAB7D9C45E7F356EEF83315F26891BF442D62D2CA289D0182F2

Function 00A0C16C Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A0C196
_wcscmp.LIBCMT ref: 00A0C1C6
_wcscmp.LIBCMT ref: 00A0C1DB
FindNextFileW.KERNEL32(00000000,?), ref: 00A0C1EC
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00A0C21C

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 93fa0c3bab22adc1545b7ed758c78c550982d27f496740e4c467e404fa82fe58
Instruction ID: cfd91a56a825a81c93ba012bb6bcb9ba93e76d5a3831ed2d1987966ccb71e8fa
Opcode Fuzzy Hash: 93fa0c3bab22adc1545b7ed758c78c550982d27f496740e4c467e404fa82fe58
Instruction Fuzzy Hash: 3A518E75A046069FD714EFA8E890E9AB3E4FF89320F10465DF95A877A1DB30ED04CB91

Function 00A16BF7 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1823D: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A18268

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A16C4E
WSAGetLastError.WSOCK32(00000000), ref: 00A16C77
bind.WSOCK32(00000000,?,00000010), ref: 00A16CB0
WSAGetLastError.WSOCK32(00000000), ref: 00A16CBD
closesocket.WSOCK32(00000000,00000000), ref: 00A16CD1

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: c82db2be6dd3139a4f42841da032927441b9ed2314d05b162826a74ba04c7866
Instruction ID: 44e9b982cd8b24a0cfaadaab3d09e2839746b3978ea555b5bf0ee685d463e75a
Opcode Fuzzy Hash: c82db2be6dd3139a4f42841da032927441b9ed2314d05b162826a74ba04c7866
Instruction Fuzzy Hash: 9941E575740610AFDB10AF649C86FBE73A8DF85710F058458F956AB3D2CBB0AD018BE1

Function 00A2577B Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00A257CA
IsWindowEnabled.USER32 ref: 00A257D8
GetForegroundWindow.USER32(?,?,00000001), ref: 00A257E5
IsIconic.USER32 ref: 00A257F3
IsZoomed.USER32 ref: 00A25801

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 8567d815b1c00a005bc75642ec7c2752984da28bdc4438cf1b2594fb7a3edb3b
Instruction ID: 8fb74537189f349bfbf894da8082d2dd7d0518656d23a9c17c7547c46423f45e
Opcode Fuzzy Hash: 8567d815b1c00a005bc75642ec7c2752984da28bdc4438cf1b2594fb7a3edb3b
Instruction Fuzzy Hash: B9118231B40A219FE7215F7AAC45B2EBB99FF85761F458439F845D7241CB70E9028AE0

Function 0CB6298C Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 384COMMON

Download Yara Rule

APIs

GetACP.KERNEL32 ref: 0CD52A1F
IsValidCodePage.KERNEL32(00000000), ref: 0CD52A56
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 0CD52C3A

Strings

utf8, xrefs: 0CD52B28

Memory Dump Source

Source File: 0000000A.00000002.4115165866.000000000CB61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0CB60000, based on PE: true

Associated: 0000000A.00000002.4115151609.000000000CB60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CCC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CD6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115371137.000000000CDA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_cb60000_Refugees.jbxd

Similarity

API ID: CodeInfoLocalePageValid
String ID: utf8
API String ID: 790303815-905460609
Opcode ID: 7fff901c6450279e5400e861a9c556798ce5b640293d6083edba00046fa7b436
Instruction ID: eca71ebd68aaaef83e7c5704dc0c3f872a514474cb85762670d9a9cb7ac964aa
Opcode Fuzzy Hash: 7fff901c6450279e5400e861a9c556798ce5b640293d6083edba00046fa7b436
Instruction Fuzzy Hash: D571E671B01206AAEF25AF75CC85BFA73A8FF04700F150169ED05DB1A0FB74E94D86A1

Function 0CB62C8E Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0CD048A7
IsDebuggerPresent.KERNEL32 ref: 0CD04973
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0CD04993
UnhandledExceptionFilter.KERNEL32(?), ref: 0CD0499D

Memory Dump Source

Source File: 0000000A.00000002.4115165866.000000000CB61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0CB60000, based on PE: true

Associated: 0000000A.00000002.4115151609.000000000CB60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CCC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CD6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115371137.000000000CDA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_cb60000_Refugees.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: dbee49125a61cdeca8777bb6000f3ec959dce7f0981639ee8638d2ddd607f81b
Instruction ID: d0a7818ab192ffc308b467c4096772f785c105176d402d4c4dc7a31897f598ea
Opcode Fuzzy Hash: dbee49125a61cdeca8777bb6000f3ec959dce7f0981639ee8638d2ddd607f81b
Instruction Fuzzy Hash: E7310875E012189BDB50DF64D949BCCBBB8BF08300F1041EAE50DA7290EB749A89DF45

Function 00A1279E Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00A12891
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00A128C8

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: f7baa433445248a6ae0ce68617e7406768e47bfe63011d1ba8ae70d4f7e33ef2
Instruction ID: 56f5c4144d524588719204bd754f056d026abb7ca768ff05dd5fc8cc32bb193e
Opcode Fuzzy Hash: f7baa433445248a6ae0ce68617e7406768e47bfe63011d1ba8ae70d4f7e33ef2
Instruction Fuzzy Hash: 19418471904209BFEB20DB95DD85FFB77BCEB40724F10406EF601A6241DA71EE919B64

Function 009F917C Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 009C0F16: std::exception::exception.LIBCMT ref: 009C0F4C
Part of subcall function 009C0F16: __CxxThrowException@8.LIBCMT ref: 009C0F61

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009F91C6
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009F91F3
GetLastError.KERNEL32 ref: 009F9200

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 3e8c9e91976585e0f37969859f436f4e787ea60e4051dfecfbfb565f5542feca
Instruction ID: 58353e4a569754ad91e2340d94e7efcedb2c8d720973f26b6af351ab5122e45a
Opcode Fuzzy Hash: 3e8c9e91976585e0f37969859f436f4e787ea60e4051dfecfbfb565f5542feca
Instruction Fuzzy Hash: E81191B1918209AFD728EF54DC89E7BB7BCEB84711B20856EF45697240EB70BC41CB60

Function 00A040C1 Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A040DE
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00A0411F
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A0412A

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 48aa9a0b1f6b86739a093a221328c092aaab0c9c1346e758a2b3ad304f874de4
Instruction ID: 880324a6b6632acd501b62c7b3b3df1957f740661a37610f330677ade5ac129f
Opcode Fuzzy Hash: 48aa9a0b1f6b86739a093a221328c092aaab0c9c1346e758a2b3ad304f874de4
Instruction Fuzzy Hash: 421130B5E01228BBDB10CF95AC44FAFBBBCEB49B60F104155FA04E7290D6715A018BA1

Function 00A04D89 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00A04DB2
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A04DC9
FreeSid.ADVAPI32(?), ref: 00A04DD9

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: e703c0dd9cf16827f0d5357ec730e69c3c2f3cdf55f4de99ba17813ff54fb921
Instruction ID: 9728168fe4de7bf7c354624de54b48e03f482fecfea29ad0ac94ab7475ad820a
Opcode Fuzzy Hash: e703c0dd9cf16827f0d5357ec730e69c3c2f3cdf55f4de99ba17813ff54fb921
Instruction Fuzzy Hash: 2DF04975A1130CBFDF04DFE0DC99EAEBBBCEF08301F1044A9AA02E2180E6306A048B50

Function 0CB62112 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

GetEnabledXStateFeatures, xrefs: 0CD40C61

Memory Dump Source

Source File: 0000000A.00000002.4115165866.000000000CB61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0CB60000, based on PE: true

Associated: 0000000A.00000002.4115151609.000000000CB60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CCC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CD6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115371137.000000000CDA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_cb60000_Refugees.jbxd

Similarity

API ID:
String ID: GetEnabledXStateFeatures
API String ID: 0-1068256093
Opcode ID: 36061dc183ae5c17dd45b35db157ec4e7d21e34265b30325cec859fd18ff0712
Instruction ID: e848ab9392094326c543a8921cc44bba17c8a932c8bb3c589ba7c1cd0ee7b970
Opcode Fuzzy Hash: 36061dc183ae5c17dd45b35db157ec4e7d21e34265b30325cec859fd18ff0712
Instruction Fuzzy Hash: 64F06831641238B7DB113F61ED04AAE7E65EF80A60F050011FF4A66234DA75992597D5

Function 00A050A7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00A050DB

Strings

DOWN, xrefs: 00A050C0

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 01a57fc85fa587d6af1ae3259d39359f036da936773a2f3bbc8d36e24c1823fa
Instruction ID: 19e9b42d261f01a2fd76f3d6425723adae2a2e8d7b455de4db4921ba9a6e0398
Opcode Fuzzy Hash: 01a57fc85fa587d6af1ae3259d39359f036da936773a2f3bbc8d36e24c1823fa
Instruction Fuzzy Hash: 6DE0867295CB217DF9641A347C26FFF034C9B12335B208146F804954C2E9D42D8659AD

Function 00A01932 Relevance: 3.0, APIs: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00A0196D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00A01980

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: edaebaa51295bb35ea85db1b2f72622e8e69ee345f63b842f27b2e208cc7a1a4
Instruction ID: ee4bcbb9829e7bb3dd7e6882fe62ba96f0788c885c4affe0dbe152fcf7c0c89a
Opcode Fuzzy Hash: edaebaa51295bb35ea85db1b2f72622e8e69ee345f63b842f27b2e208cc7a1a4
Instruction Fuzzy Hash: 77F0447190020DABEB00CF94C806BFEBBB4EF08315F00804AF955AA2A2C3798616DF94

Function 00A0A51A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00A1991A,?,00A3098C,?), ref: 00A0A547
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00A1991A,?,00A3098C,?), ref: 00A0A559

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 603791c91f4dce83cf35c097def4a567da136db56015ebf3dcf7458dd62a4dfc
Instruction ID: a8f690ce8c35a07b830e7fc70e21f54bf7503ca859f9687387492ee8512a99c6
Opcode Fuzzy Hash: 603791c91f4dce83cf35c097def4a567da136db56015ebf3dcf7458dd62a4dfc
Instruction Fuzzy Hash: 3DF0823551522DBBDB20AFE4DC58FEA776CBF08761F008155B909D6181D630AA40CBA1

Function 009F8BCC Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009F8D0A), ref: 009F8BE1
CloseHandle.KERNEL32(?,?,009F8D0A), ref: 009F8BF3

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 9fb6828c74d44efe12cbe54be3418c80e0360f29a027062b77d6066b386ba973
Instruction ID: 30c23d5c246091c02eeb69b886ebb4252b1eb9dcb1d71837357d0abe2f579a37
Opcode Fuzzy Hash: 9fb6828c74d44efe12cbe54be3418c80e0360f29a027062b77d6066b386ba973
Instruction Fuzzy Hash: 1FE04672014600EFEB262BA0ED1AEB37BA9EB40311B108A2DB49680430CB32AC91DB50

Function 009CA2B5 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,009C8EB7,?,?,?,00000001), ref: 009CA2BA
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 009CA2C3

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 23b47764a0d97291222940ced2b0bcdbaab114f92030a554867644b4bd43b137
Instruction ID: 469ca79d6c81d4c479e702d8a15acb12ca8d9352bcbec7b41f070fcc3d570cb2
Opcode Fuzzy Hash: 23b47764a0d97291222940ced2b0bcdbaab114f92030a554867644b4bd43b137
Instruction Fuzzy Hash: 34B09231064208ABCA406BD1EC19F883F68EB45A62F004010F60D49060CB6254528A91

Function 0CD3FF17 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(0CD3FF01,00000001,0CD9D298,0000000C,0CD40A92,?), ref: 0CD3FF4F

Memory Dump Source

Source File: 0000000A.00000002.4115165866.000000000CCC6000.00000020.00001000.00020000.00000000.sdmp, Offset: 0CB60000, based on PE: true

Associated: 0000000A.00000002.4115151609.000000000CB60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CD6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115371137.000000000CDA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_cb60000_Refugees.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 8590e2a800ddf238e5085f4da66602bdd4755c8e84577f3d264886eeaf3819f3
Instruction ID: 7fcd274054b8809302264ae3e2c6c309eefbe5bdfbf1605f201e4f92f7727fe5
Opcode Fuzzy Hash: 8590e2a800ddf238e5085f4da66602bdd4755c8e84577f3d264886eeaf3819f3
Instruction Fuzzy Hash: 8AF01476A00204DFEB40EF98E941B9D77F0FB09725F0041AAE9149B3A0C7B98908CB80

Function 00A143B9 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00A143D4

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 2cd275d87c5457acb0018d93da7bfa150a2374487b6e8aac32b48d1f3d98399b
Instruction ID: 2dd046a562f29c7cf7b4f058db3705abbc7fe97744c5f4bd05857773d0f677e9
Opcode Fuzzy Hash: 2cd275d87c5457acb0018d93da7bfa150a2374487b6e8aac32b48d1f3d98399b
Instruction Fuzzy Hash: 1DE04F312006159FD710EFA9E805E9AF7E8AF99760F018426FD49DB351DBB0EC518BD0

Function 009F914C Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,009F8D8A), ref: 009F916C

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 49eeec9952b668368aa0e7c483926f17ed3819b269b2177a71732097abdd6914
Instruction ID: 7676717b80449a8639cbe6141b6e9e8f4386bf38444b40d82e7021f851ae10a6
Opcode Fuzzy Hash: 49eeec9952b668368aa0e7c483926f17ed3819b269b2177a71732097abdd6914
Instruction Fuzzy Hash: 99D05E3226450EABEF018EA4DC01EAE3B69EB04B01F408111FE15C50A0C775D835AB60

Function 009E0652 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 009E0664

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 9ec835621e3340bf207a166d271d6d8f46fa5f17a6130730f44c2b712c0c2e0a
Instruction ID: b8bb9305f030bdd3508540e9d4792304d412a5542dd206b38eb04a508e0963f1
Opcode Fuzzy Hash: 9ec835621e3340bf207a166d271d6d8f46fa5f17a6130730f44c2b712c0c2e0a
Instruction Fuzzy Hash: 53C04CF1800119DBCB05DB90D998DEE77BCAB05305F104456A142F2100D7789B448A71

Function 009CA284 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 009CA28A

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0bba8a31d99e910b1321431dbe32e8edd2f9406eebf2d8ee34f535a591b155d9
Instruction ID: 4b68138bc9364071f530a3d72023ad24a49ccbfb5e10bd45bf722d2c45e9c599
Opcode Fuzzy Hash: 0bba8a31d99e910b1321431dbe32e8edd2f9406eebf2d8ee34f535a591b155d9
Instruction Fuzzy Hash: F6A0223002020CFBCF002FC2FC08C88BFACEB022A0B008020F80C0A032CB33A8228AC0

Function 00A17CB8 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A17D0D
DeleteObject.GDI32(00000000), ref: 00A17D1F
DestroyWindow.USER32 ref: 00A17D2D
GetDesktopWindow.USER32 ref: 00A17D47
GetWindowRect.USER32(00000000), ref: 00A17D4E
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00A17E8F
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00A17E9F
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A17EE7
GetClientRect.USER32(00000000,?), ref: 00A17EF3
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A17F2D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A17F4F
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A17F62
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A17F6D
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A17F76
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A17F85
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A17F8E
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A17F95
GlobalFree.KERNEL32(00000000), ref: 00A17FA0
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A17FB2
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00A33C7C,00000000), ref: 00A17FC8
GlobalFree.KERNEL32(00000000), ref: 00A17FD8
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00A17FFE
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00A1801D
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A1803F
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A1822C

Strings

, xrefs: 00A181B2
DISPLAY, xrefs: 00A1808F
static, xrefs: 00A17F27, 00A1807E
AutoIt v3, xrefs: 00A17EDF

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 71bb8c3b00d0d3432d2be0fc2a24c9a0db735c25de5e089a8a1df3c9014176ac
Instruction ID: 4664b29759cb78656b9fc8f877ae452a1d4710890bd978818f30a2e66c77c9c2
Opcode Fuzzy Hash: 71bb8c3b00d0d3432d2be0fc2a24c9a0db735c25de5e089a8a1df3c9014176ac
Instruction Fuzzy Hash: E6026F71900119AFDB14DFA4DC99EAE7BB9FF49310F048158F915AB2A1CB74AD42CFA0

Function 00A23971 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00A30980), ref: 00A23A2D
IsWindowVisible.USER32(?), ref: 00A23A51

Strings

SETCURRENTSELECTION, xrefs: 00A23BBC
ISCHECKED, xrefs: 00A23C3F
GETLINECOUNT, xrefs: 00A23CCC
EDITPASTE, xrefs: 00A23D65
CHECK, xrefs: 00A23C73
GETSELECTED, xrefs: 00A23CA9
ADDSTRING, xrefs: 00A23B1C
ISENABLED, xrefs: 00A23A71
ISVISIBLE, xrefs: 00A23A3D
TABLEFT, xrefs: 00A23A8D
GETCURRENTCOL, xrefs: 00A23D2E
FINDSTRING, xrefs: 00A23B7C
SENDCOMMANDID, xrefs: 00A23DE0
GETLINE, xrefs: 00A23DA1
DELSTRING, xrefs: 00A23B4F
TABRIGHT, xrefs: 00A23AA3
HIDEDROPDOWN, xrefs: 00A23B06
SHOWDROPDOWN, xrefs: 00A23AE6
CURRENTTAB, xrefs: 00A23AC3
UNCHECK, xrefs: 00A23C89
SELECTSTRING, xrefs: 00A23C0C
GETCURRENTLINE, xrefs: 00A23CF3
GETCURRENTSELECTION, xrefs: 00A23BE9

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 92a3cd90968a71cefe278f1e44ff9f16c6f673f9ff80b8f31ff91afcd1c8d930
Instruction ID: f84810350e12743971150d422c25cb26eaa8a1e9a6e1b0765a7fabae4b9fa623
Opcode Fuzzy Hash: 92a3cd90968a71cefe278f1e44ff9f16c6f673f9ff80b8f31ff91afcd1c8d930
Instruction Fuzzy Hash: B1D1AE312042109BCB04EF14D852F7E7BA5BFD6340F444968B9965B2E2CB75EE0ACB92

Function 00A2A9C7 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00A2AA1D
GetSysColorBrush.USER32(0000000F), ref: 00A2AA4E
GetSysColor.USER32(0000000F), ref: 00A2AA5A
SetBkColor.GDI32(?,000000FF), ref: 00A2AA74
SelectObject.GDI32(?,00000000), ref: 00A2AA83
InflateRect.USER32(?,000000FF,000000FF), ref: 00A2AAAE
GetSysColor.USER32(00000010), ref: 00A2AAB6
CreateSolidBrush.GDI32(00000000), ref: 00A2AABD
FrameRect.USER32(?,?,00000000), ref: 00A2AACC
DeleteObject.GDI32(00000000), ref: 00A2AAD3
InflateRect.USER32(?,000000FE,000000FE), ref: 00A2AB1E
FillRect.USER32(?,?,00000000), ref: 00A2AB50
GetWindowLongW.USER32(?,000000F0), ref: 00A2AB7B

Part of subcall function 00A2ACB7: GetSysColor.USER32(00000012), ref: 00A2ACF0
Part of subcall function 00A2ACB7: SetTextColor.GDI32(?,?), ref: 00A2ACF4
Part of subcall function 00A2ACB7: GetSysColorBrush.USER32(0000000F), ref: 00A2AD0A
Part of subcall function 00A2ACB7: GetSysColor.USER32(0000000F), ref: 00A2AD15
Part of subcall function 00A2ACB7: GetSysColor.USER32(00000011), ref: 00A2AD32
Part of subcall function 00A2ACB7: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A2AD40
Part of subcall function 00A2ACB7: SelectObject.GDI32(?,00000000), ref: 00A2AD51
Part of subcall function 00A2ACB7: SetBkColor.GDI32(?,00000000), ref: 00A2AD5A
Part of subcall function 00A2ACB7: SelectObject.GDI32(?,?), ref: 00A2AD67
Part of subcall function 00A2ACB7: InflateRect.USER32(?,000000FF,000000FF), ref: 00A2AD86
Part of subcall function 00A2ACB7: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A2AD9D
Part of subcall function 00A2ACB7: GetWindowLongW.USER32(00000000,000000F0), ref: 00A2ADB2
Part of subcall function 00A2ACB7: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A2ADDA

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 58f549b4c503f9143e8df2c92ac9796a0d7ef7dffa6f7eed202d2653376365fe
Instruction ID: 506f26b5390ef65991252f981fd80be8374fa6c328d87e7f503ae04c654a81ae
Opcode Fuzzy Hash: 58f549b4c503f9143e8df2c92ac9796a0d7ef7dffa6f7eed202d2653376365fe
Instruction Fuzzy Hash: 2D918C72408311AFC711DFA4EC18E6BBBA9FF88321F104B29F9A2961A0D771D945CF52

Function 009A2FE8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 009A3072
DeleteObject.GDI32(00000000), ref: 009A30B8
DeleteObject.GDI32(00000000), ref: 009A30C3
DestroyIcon.USER32(00000000,?,?,?), ref: 009A30CE
DestroyWindow.USER32(00000000,?,?,?), ref: 009A30D9
SendMessageW.USER32(?,00001308,?,00000000), ref: 009DC6AC
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 009DC6E5
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 009DCB0E

Part of subcall function 009A1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,009A2412,?,00000000,?,?,?,?,009A1AA7,00000000,?), ref: 009A1F76

SendMessageW.USER32(?,00001053), ref: 009DCB4B
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 009DCB62
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 009DCB78
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 009DCB83

Strings

0, xrefs: 009DC9A2

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 03d4ddd6db4ca8c2139c62a38e8cf31b32cc11ce124f3abfa71b82a69cff6a96
Instruction ID: a0d5c353951deefd66acda2e058a44087dab464f0e62b88d0bb424f6154f5be4
Opcode Fuzzy Hash: 03d4ddd6db4ca8c2139c62a38e8cf31b32cc11ce124f3abfa71b82a69cff6a96
Instruction Fuzzy Hash: D112AE70640612EFCB25CF24C894BA9BBE9BF49300F14856AF995DB262C731ED42DF91

Function 009B27FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 009C0F16: std::exception::exception.LIBCMT ref: 009C0F4C
Part of subcall function 009C0F16: __CxxThrowException@8.LIBCMT ref: 009C0F61

__wcsnicmp.LIBCMT ref: 009B286A
__wcsnicmp.LIBCMT ref: 009B287E
__wcsnicmp.LIBCMT ref: 009B2896
__wcsnicmp.LIBCMT ref: 009B28AE
__wcsnicmp.LIBCMT ref: 009B28C6
__wcsnicmp.LIBCMT ref: 009B28DE
__wcsnicmp.LIBCMT ref: 009B28F6
__wcsnicmp.LIBCMT ref: 009B290A
__wcsnicmp.LIBCMT ref: 009B2948
__wcsnicmp.LIBCMT ref: 009B295C
__wcsnicmp.LIBCMT ref: 009B2970
__wcsnicmp.LIBCMT ref: 009B2984

Strings

#cs, xrefs: 009B2904, 009B2956
", xrefs: 009EFB09
#include-once, xrefs: 009B28C0
', xrefs: 009EFB1F
#include, xrefs: 009B28D8
Bad directive syntax error, xrefs: 009EFB53, 009EFB70
Unterminated group of comments, xrefs: 009EFC7A
#requireadmin, xrefs: 009B2890
#comments-end, xrefs: 009B296A
#ce, xrefs: 009B297E
#pragma compile, xrefs: 009B2864
#OnAutoItStartRegister, xrefs: 009B28A8
#comments-start, xrefs: 009B28F0, 009B2942
Cannot parse #include, xrefs: 009EFC65
#notrayicon, xrefs: 009B2878

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: 02b1f289943126e4656cb911a2029bf65d6af4b4255cf59f9d76e34abf9853a5
Instruction ID: d031f785e2ca62a1c1526489d88ca997b28f0809bfe869be280d7e3a65c3fc12
Opcode Fuzzy Hash: 02b1f289943126e4656cb911a2029bf65d6af4b4255cf59f9d76e34abf9853a5
Instruction Fuzzy Hash: E3A1AD31A0020ABBCB15AF21DE52FEE77B8FF85710F144429F809AB292EB719E51D751

Function 00A1795A Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00A1798D
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A17A4C
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00A17A8A
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00A17A9C
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00A17AE2
GetClientRect.USER32(00000000,?), ref: 00A17AEE
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00A17B32
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A17B41
GetStockObject.GDI32(00000011), ref: 00A17B51
SelectObject.GDI32(00000000,00000000), ref: 00A17B55
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00A17B65
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A17B6E
DeleteDC.GDI32(00000000), ref: 00A17B77
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A17BA3
SendMessageW.USER32(00000030,00000000,00000001), ref: 00A17BBA
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00A17BF5
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A17C09
SendMessageW.USER32(00000404,00000001,00000000), ref: 00A17C1A
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00A17C4A
GetStockObject.GDI32(00000011), ref: 00A17C55
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A17C60
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00A17C6A

Strings

DISPLAY, xrefs: 00A17B37
static, xrefs: 00A17B2C, 00A17C44
AutoIt v3, xrefs: 00A17ADA
msctls_progress32, xrefs: 00A17BEB

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: fa28941a44a2284a6776b330f9682f1c2066a67728d10cda627b4cbac0c76594
Instruction ID: 5661e15b2382906c788ded2e0541732e2c1faf39d461535a0eaa77b8f6c3a1de
Opcode Fuzzy Hash: fa28941a44a2284a6776b330f9682f1c2066a67728d10cda627b4cbac0c76594
Instruction Fuzzy Hash: A9A16071A40619BFEB14DBA5DC5AFEE7BB9EB44710F004214FA15A72E0D7B0AD41CBA0

Function 00A0B1C0 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A0B1CE
GetDriveTypeW.KERNEL32(?,00A32C4C,?,\\.\,00A30980), ref: 00A0B2AB
SetErrorMode.KERNEL32(00000000,00A32C4C,?,\\.\,00A30980), ref: 00A0B409

Strings

1394, xrefs: 00A0B38B
SATA, xrefs: 00A0B3BC
SSD, xrefs: 00A0B336
Fibre, xrefs: 00A0B399
SSA, xrefs: 00A0B392
Virtual, xrefs: 00A0B3D1
FileBackedVirtual, xrefs: 00A0B3D8
RAID, xrefs: 00A0B3A7
Removable, xrefs: 00A0B2FD
CDROM, xrefs: 00A0B2DF
iSCSI, xrefs: 00A0B3AE
ATA, xrefs: 00A0B384
SAS, xrefs: 00A0B3B5
PhysicalDrive, xrefs: 00A0B257
\\.\, xrefs: 00A0B220
ATAPI, xrefs: 00A0B37D
SCSI, xrefs: 00A0B376
RAMDisk, xrefs: 00A0B2D5
Fixed, xrefs: 00A0B2F3
Unknown, xrefs: 00A0B2CB, 00A0B36F
Network, xrefs: 00A0B2E9
MMC, xrefs: 00A0B3CA
USB, xrefs: 00A0B3A0

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a03e96e1e9871ebc0bc8703bc333e22ebfab8019d7fc7a5699c450efc07b412a
Instruction ID: ba404831754e5465290429e8fbb71f75836568cfd448430496d6795623cd8a86
Opcode Fuzzy Hash: a03e96e1e9871ebc0bc8703bc333e22ebfab8019d7fc7a5699c450efc07b412a
Instruction Fuzzy Hash: BA518D3066020DEBCB00DB50FBA2DBE73B1BB44341B704865E906AFAD1D7B09D56DB62

Function 00A2ACB7 Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00A2ACF0
SetTextColor.GDI32(?,?), ref: 00A2ACF4
GetSysColorBrush.USER32(0000000F), ref: 00A2AD0A
GetSysColor.USER32(0000000F), ref: 00A2AD15
CreateSolidBrush.GDI32(?), ref: 00A2AD1A
GetSysColor.USER32(00000011), ref: 00A2AD32
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A2AD40
SelectObject.GDI32(?,00000000), ref: 00A2AD51
SetBkColor.GDI32(?,00000000), ref: 00A2AD5A
SelectObject.GDI32(?,?), ref: 00A2AD67
InflateRect.USER32(?,000000FF,000000FF), ref: 00A2AD86
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A2AD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 00A2ADB2
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A2ADDA
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A2AE01
InflateRect.USER32(?,000000FD,000000FD), ref: 00A2AE1F
DrawFocusRect.USER32(?,?), ref: 00A2AE2A
GetSysColor.USER32(00000011), ref: 00A2AE38
SetTextColor.GDI32(?,00000000), ref: 00A2AE40
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00A2AE54
SelectObject.GDI32(?,00A2A9E7), ref: 00A2AE6B
DeleteObject.GDI32(?), ref: 00A2AE76
SelectObject.GDI32(?,?), ref: 00A2AE7C
DeleteObject.GDI32(?), ref: 00A2AE81
SetTextColor.GDI32(?,?), ref: 00A2AE87
SetBkColor.GDI32(?,?), ref: 00A2AE91

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 55d04cd057b4c20796965629f668c0bac77bc377e68d1315eb02808964a80d06
Instruction ID: 4697d1229b02cfbf516b85bbcc0b05a6816d6f0a7e9cbb30d54c814be5b8e9c1
Opcode Fuzzy Hash: 55d04cd057b4c20796965629f668c0bac77bc377e68d1315eb02808964a80d06
Instruction Fuzzy Hash: 06514B71900218BFDB11DFA8EC49EAEBB79FF48320F218215F915AB2A1D7719941DF90

Function 00A28DC2 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A28EAE
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A28EBF
CharNextW.USER32(0000014E), ref: 00A28EEE
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A28F2F
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A28F45
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A28F56
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00A28F73
SetWindowTextW.USER32(?,0000014E), ref: 00A28FC5
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00A28FDB
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A2900C
_memset.LIBCMT ref: 00A29031
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00A2907A
_memset.LIBCMT ref: 00A290D9
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A29103
SendMessageW.USER32(?,00001074,?,00000001), ref: 00A2915B
SendMessageW.USER32(?,0000133D,?,?), ref: 00A29208
InvalidateRect.USER32(?,00000000,00000001), ref: 00A2922A
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A29274
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A292A1
DrawMenuBar.USER32(?), ref: 00A292B0
SetWindowTextW.USER32(?,0000014E), ref: 00A292D8

Strings

0, xrefs: 00A29242

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: c55c98f5c91742f65a529f8318c1e5c8eda58b92d7c8de32c945a2a0b236cee9
Instruction ID: e91556f771abe9b05282acf0213eba580e0c32d52dca7ad61390670918685a84
Opcode Fuzzy Hash: c55c98f5c91742f65a529f8318c1e5c8eda58b92d7c8de32c945a2a0b236cee9
Instruction Fuzzy Hash: 4CE19070901228EFDB20DF98DC85EEF7BB8EF45710F10816AF915AA290DB748985DF60

Function 00A24C94 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A24DCF
GetDesktopWindow.USER32 ref: 00A24DE4
GetWindowRect.USER32(00000000), ref: 00A24DEB
GetWindowLongW.USER32(?,000000F0), ref: 00A24E4D
DestroyWindow.USER32(?), ref: 00A24E79
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A24EA2
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A24EC0
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00A24EE6
SendMessageW.USER32(?,00000421,?,?), ref: 00A24EFB
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00A24F0E
IsWindowVisible.USER32(?), ref: 00A24F2E
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00A24F49
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00A24F5D
GetWindowRect.USER32(?,?), ref: 00A24F75
MonitorFromPoint.USER32(?,?,00000002), ref: 00A24F9B
GetMonitorInfoW.USER32(00000000,?), ref: 00A24FB5
CopyRect.USER32(?,?), ref: 00A24FCC
SendMessageW.USER32(?,00000412,00000000), ref: 00A25037

Strings

0, xrefs: 00A24D7A
(, xrefs: 00A24FA8
tooltips_class32, xrefs: 00A24E9B

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 7f5db6dd1b542c794f17fd1a4e039fa501918e70cb2ea3f59c2320251e2c0f1f
Instruction ID: 45c2316533b270e2bcd840374cb1ab53d76a8288177933fcf499402b2c9ac1e5
Opcode Fuzzy Hash: 7f5db6dd1b542c794f17fd1a4e039fa501918e70cb2ea3f59c2320251e2c0f1f
Instruction Fuzzy Hash: 0EB19A70608750AFDB04DF68D945F6ABBE4BF89710F008A2CF5999B2A1D771EC05CB92

Function 00A047F7 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00A04809
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00A0482F
_wcscpy.LIBCMT ref: 00A0485D
_wcscmp.LIBCMT ref: 00A04868
_wcscat.LIBCMT ref: 00A0487E
_wcsstr.LIBCMT ref: 00A04889
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00A048A5
_wcscat.LIBCMT ref: 00A048EE
_wcscat.LIBCMT ref: 00A048F5
_wcsncpy.LIBCMT ref: 00A04920

Strings

%u.%u.%u.%u, xrefs: 00A04983
\VarFileInfo\Translation, xrefs: 00A0489D
StringFileInfo\, xrefs: 00A04878
04090000, xrefs: 00A048DB
DefaultLangCodepage, xrefs: 00A04908

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 4c1f496294c514b2a5b694004038e0c6f1f953ff1958075cd2047722801d6e41
Instruction ID: 09937aecdfe11c40319a88640536872c402b60d6858bbdc8b599b8009569ef3b
Opcode Fuzzy Hash: 4c1f496294c514b2a5b694004038e0c6f1f953ff1958075cd2047722801d6e41
Instruction Fuzzy Hash: 5341E671A00208BBDB15B7649D43FBF7BACFF85750F00456DF904A71D2EB749A0186A6

Function 009A2BA9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009A2C8C
GetSystemMetrics.USER32(00000007), ref: 009A2C94
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009A2CBF
GetSystemMetrics.USER32(00000008), ref: 009A2CC7
GetSystemMetrics.USER32(00000004), ref: 009A2CEC
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 009A2D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009A2D19
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 009A2D4C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 009A2D60
GetClientRect.USER32(00000000,000000FF), ref: 009A2D7E
GetStockObject.GDI32(00000011), ref: 009A2D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 009A2DA5

Part of subcall function 009A2714: GetCursorPos.USER32(?), ref: 009A2727
Part of subcall function 009A2714: ScreenToClient.USER32(00A667B0,?), ref: 009A2744
Part of subcall function 009A2714: GetAsyncKeyState.USER32(00000001), ref: 009A2769
Part of subcall function 009A2714: GetAsyncKeyState.USER32(00000002), ref: 009A2777

SetTimer.USER32(00000000,00000000,00000028,009A1473), ref: 009A2DCC

Strings

AutoIt v3 GUI, xrefs: 009A2D44

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 7efd9d4e36466cc471c70e4c6294e2ee20839f5745f899591d4b887434788305
Instruction ID: bece82c2c3bed0c60a2ceb4886521c9a293c2117944d7a884d079b6b7d42262f
Opcode Fuzzy Hash: 7efd9d4e36466cc471c70e4c6294e2ee20839f5745f899591d4b887434788305
Instruction Fuzzy Hash: 9FB16C71A4020AAFDB14DFA8CC55BAE7BB5FB48314F108229FA15A7290DB74E851CF90

Function 009C0354 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 348COMMON

Download Yara Rule

APIs

Part of subcall function 009B1821: _memmove.LIBCMT ref: 009B185B

GetForegroundWindow.USER32(00A30980,?,?,?,?,?), ref: 009C040E
IsWindow.USER32(?), ref: 009F64A0

Strings

REGEXPCLASS, xrefs: 009F62EB
REGEXPTITLE, xrefs: 009F6299
HANDLE, xrefs: 009F6283
ALL, xrefs: 009F6407
INSTANCE, xrefs: 009F63DF
TITLE, xrefs: 009F6435
LAST, xrefs: 009F6257
ACTIVE, xrefs: 009F626D
CLASS, xrefs: 009F62CA

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: ae1221f7d76a682cd9614d59c370fd2aef2fa65702c54fcfdd0957792da430c1
Instruction ID: 9e2554f98d1e350b41087a8808c22505f419702f6f6a477adb6d9c3843827b44
Opcode Fuzzy Hash: ae1221f7d76a682cd9614d59c370fd2aef2fa65702c54fcfdd0957792da430c1
Instruction Fuzzy Hash: B7D10730504306EBCB08EF60C551FBABBA9BFD4354F404A1DF6A6531A2DB70E959CB92

Function 00A241E7 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A24274
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00A24334

Strings

SELECT, xrefs: 00A243CE
GETSELECTEDCOUNT, xrefs: 00A24317
GETSELECTED, xrefs: 00A24462
SELECTALL, xrefs: 00A2439B
SELECTCLEAR, xrefs: 00A243B3
VIEWCHANGE, xrefs: 00A244F3
FINDITEM, xrefs: 00A244A7
ISSELECTED, xrefs: 00A2433F
GETTEXT, xrefs: 00A242DD
SELECTINVERT, xrefs: 00A24404
DESELECT, xrefs: 00A24422
GETSUBITEMCOUNT, xrefs: 00A242BF
GETITEMCOUNT, xrefs: 00A242A6

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: c2cfb5716ea2a9e29b04e2333f7fbeeba5b207add7724120230bdeb20e8ba60a
Instruction ID: 3db2f1c2a7017394b892d042985034a70d01c4b4a49fd5e118a53ddd0ebac0af
Opcode Fuzzy Hash: c2cfb5716ea2a9e29b04e2333f7fbeeba5b207add7724120230bdeb20e8ba60a
Instruction Fuzzy Hash: 56A14F302546119FCB14EF24D952F7AB3A5BFC9314F10496CB9AA5B2D2DB70EC05CB92

Function 009FAF1D Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 009FAF5E
__swprintf.LIBCMT ref: 009FAFFF
_wcscmp.LIBCMT ref: 009FB012
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 009FB067
_wcscmp.LIBCMT ref: 009FB0A3
GetClassNameW.USER32(?,?,00000400), ref: 009FB0DA
GetDlgCtrlID.USER32(?), ref: 009FB12C
GetWindowRect.USER32(?,?), ref: 009FB162
GetParent.USER32(?), ref: 009FB180
ScreenToClient.USER32(00000000), ref: 009FB187
GetClassNameW.USER32(?,?,00000100), ref: 009FB201
_wcscmp.LIBCMT ref: 009FB215
GetWindowTextW.USER32(?,?,00000400), ref: 009FB23B
_wcscmp.LIBCMT ref: 009FB24F

Part of subcall function 009C378E: _iswctype.LIBCMT ref: 009C3796

Strings

%s%u, xrefs: 009FAFF9

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 5a9e1c03333078755d2fd7fc15d6cc1cd70806bdcd6967afa9953769862d9e30
Instruction ID: 150610abdf5e7382bba76ea037aa4bccbeb3eca9ed19c1b21a5d29d2e7909635
Opcode Fuzzy Hash: 5a9e1c03333078755d2fd7fc15d6cc1cd70806bdcd6967afa9953769862d9e30
Instruction Fuzzy Hash: 92A1BA7120420AAFD714DF64C894FFAB7ACFF54354F108629FAA992190DB30EA55CB91

Function 009FB850 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 009FB894
_wcscmp.LIBCMT ref: 009FB8A5
GetWindowTextW.USER32(00000001,?,00000400), ref: 009FB8CD
CharUpperBuffW.USER32(?,00000000), ref: 009FB8EA
_wcscmp.LIBCMT ref: 009FB908
_wcsstr.LIBCMT ref: 009FB919
GetClassNameW.USER32(00000018,?,00000400), ref: 009FB951
_wcscmp.LIBCMT ref: 009FB961
GetWindowTextW.USER32(00000002,?,00000400), ref: 009FB988
GetClassNameW.USER32(00000018,?,00000400), ref: 009FB9D1
_wcscmp.LIBCMT ref: 009FB9E1
GetClassNameW.USER32(00000010,?,00000400), ref: 009FBA09
GetWindowRect.USER32(00000004,?), ref: 009FBA72

Strings

@, xrefs: 009FB875
ThumbnailClass, xrefs: 009FB95C, 009FB9DC

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: b35cb6acb1ac5fec86e755a447d39197b8ad9c0614f50ebdbd7030f473819cd9
Instruction ID: d4f63385b9c5ab51e7423574875b0cae3007039e6f94b3926b0c59c3d03cdcc2
Opcode Fuzzy Hash: b35cb6acb1ac5fec86e755a447d39197b8ad9c0614f50ebdbd7030f473819cd9
Instruction Fuzzy Hash: 9981AF71004209ABDB04DF14C991FBA7BECFF84318F148469FE858A096DB70DD86CBA1

Function 009FB699 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 009FB6F8

Strings

[ACTIVE, xrefs: 009FB6E5
[ALL, xrefs: 009FB79E
[REGEXPTITLE:, xrefs: 009FB720
REGEXP=, xrefs: 009FB70D
HANDLE=, xrefs: 009FB6F1
CLASSNAME=, xrefs: 009FB735
ALL, xrefs: 009FB78C
[HANDLE:, xrefs: 009FB704
[CLASS:, xrefs: 009FB748
LAST, xrefs: 009FB6BD
[LAST, xrefs: 009FB7A5
ACTIVE, xrefs: 009FB6D3

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 2f1d002753497c1cc10a84cf6c2367492d0b30231b0916a3509da8ddbfd00643
Instruction ID: 8a966c0cb8be6e30a99980dc741af9793a97c8be9c5e6a3cfc55985a70c8fe1c
Opcode Fuzzy Hash: 2f1d002753497c1cc10a84cf6c2367492d0b30231b0916a3509da8ddbfd00643
Instruction Fuzzy Hash: 4D31D031940209B6DB14FA60CD63FFD73A8BF907A1F60092AFA02714E2EF655E08C751

Function 009FC97A Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 009FC98D
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 009FC99F
SetWindowTextW.USER32(?,?), ref: 009FC9B6
GetDlgItem.USER32(?,000003EA), ref: 009FC9CB
SetWindowTextW.USER32(00000000,?), ref: 009FC9D1
GetDlgItem.USER32(?,000003E9), ref: 009FC9E1
SetWindowTextW.USER32(00000000,?), ref: 009FC9E7
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 009FCA08
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 009FCA22
GetWindowRect.USER32(?,?), ref: 009FCA2B
SetWindowTextW.USER32(?,?), ref: 009FCA96
GetDesktopWindow.USER32 ref: 009FCA9C
GetWindowRect.USER32(00000000), ref: 009FCAA3
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 009FCAEF
GetClientRect.USER32(?,?), ref: 009FCAFC
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 009FCB21
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 009FCB4C

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 7f8047055e02dca7e4cb09724d90441c5401aaefb6a1acea13c3e69da4b0ea85
Instruction ID: 56d79a9779bed10b2f0cabe0e41f5ea1f70f31479af4ac219cf8c831adf451c0
Opcode Fuzzy Hash: 7f8047055e02dca7e4cb09724d90441c5401aaefb6a1acea13c3e69da4b0ea85
Instruction Fuzzy Hash: C3515A7190070DAFDB20DFA8CE86F6EBBB9FF44705F004919F686A25A0C7B4A955CB50

Function 00A154AD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00A154C3
LoadCursorW.USER32(00000000,00007F00), ref: 00A154CE
LoadCursorW.USER32(00000000,00007F03), ref: 00A154D9
LoadCursorW.USER32(00000000,00007F8B), ref: 00A154E4
LoadCursorW.USER32(00000000,00007F01), ref: 00A154EF
LoadCursorW.USER32(00000000,00007F81), ref: 00A154FA
LoadCursorW.USER32(00000000,00007F88), ref: 00A15505
LoadCursorW.USER32(00000000,00007F80), ref: 00A15510
LoadCursorW.USER32(00000000,00007F86), ref: 00A1551B
LoadCursorW.USER32(00000000,00007F83), ref: 00A15526
LoadCursorW.USER32(00000000,00007F85), ref: 00A15531
LoadCursorW.USER32(00000000,00007F82), ref: 00A1553C
LoadCursorW.USER32(00000000,00007F84), ref: 00A15547
LoadCursorW.USER32(00000000,00007F04), ref: 00A15552
LoadCursorW.USER32(00000000,00007F02), ref: 00A1555D
LoadCursorW.USER32(00000000,00007F89), ref: 00A15568
GetCursorInfo.USER32(?), ref: 00A15578

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 6c5bad0d7f1f0aa46476066c0bfdb29ed3a33c379fa87388080f399747469846
Instruction ID: e79a2b2f8bab57a6fde1aeb649ec88deb73bd6c2ef789778a28df751a3561a6f
Opcode Fuzzy Hash: 6c5bad0d7f1f0aa46476066c0bfdb29ed3a33c379fa87388080f399747469846
Instruction Fuzzy Hash: 283115B0D48319AADF109FB68C8999EBFE9FF44760F50452AA50CE7280DB78A5408F91

Function 00A2A5A6 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A2A646
DestroyWindow.USER32(?,?), ref: 00A2A6C0

Part of subcall function 009B1821: _memmove.LIBCMT ref: 009B185B

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A2A73A
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A2A75C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A2A76F
DestroyWindow.USER32(00000000), ref: 00A2A791
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,009A0000,00000000), ref: 00A2A7C8
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A2A7E1
GetDesktopWindow.USER32 ref: 00A2A7FA
GetWindowRect.USER32(00000000), ref: 00A2A801
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A2A819
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A2A831

Part of subcall function 009A29AB: GetWindowLongW.USER32(?,000000EB), ref: 009A29BC

Strings

tooltips_class32, xrefs: 00A2A733, 00A2A7C1
0, xrefs: 00A2A65C

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: dbdcfff06f8e0cf0a369b7ca8b72ca6213a9d2c25f0bc6e20d33620ec1b55f62
Instruction ID: a8d62e09628597ff54760b192206daebd8c5f6450d00ba3da511f19ed76de48a
Opcode Fuzzy Hash: dbdcfff06f8e0cf0a369b7ca8b72ca6213a9d2c25f0bc6e20d33620ec1b55f62
Instruction Fuzzy Hash: CE716770140305AFE721CF68DC59F6A7BF9FB98704F044A2DF985872A1D7B0A916CB92

Function 00A2CA21 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 009A29E2: GetWindowLongW.USER32(?,000000EB), ref: 009A29F3

DragQueryPoint.SHELL32(?,?), ref: 00A2CA4A

Part of subcall function 00A2AF24: ClientToScreen.USER32(?,?), ref: 00A2AF4D
Part of subcall function 00A2AF24: GetWindowRect.USER32(?,?), ref: 00A2AFC3
Part of subcall function 00A2AF24: PtInRect.USER32(?,?,00A2C437), ref: 00A2AFD3

SendMessageW.USER32(?,000000B0,?,?), ref: 00A2CAB3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A2CABE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A2CAE1
_wcscat.LIBCMT ref: 00A2CB11
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A2CB28
SendMessageW.USER32(?,000000B0,?,?), ref: 00A2CB41
SendMessageW.USER32(?,000000B1,?,?), ref: 00A2CB58
SendMessageW.USER32(?,000000B1,?,?), ref: 00A2CB7A
DragFinish.SHELL32(?), ref: 00A2CB81
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A2CC74

Strings

@GUI_DRAGFILE, xrefs: 00A2CC23
@GUI_DROPID, xrefs: 00A2CBA1
@GUI_DRAGID, xrefs: 00A2CBEC

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 251756efb51c672256f0e9576d37c9db7e35514fd544781395bff3f882de8505
Instruction ID: 047ac8709a54690dd96a3ca6214ded1fc656e7dd1755e4d0357e891ff32b55e6
Opcode Fuzzy Hash: 251756efb51c672256f0e9576d37c9db7e35514fd544781395bff3f882de8505
Instruction Fuzzy Hash: 88615871508300AFC701DFA4DD95E9FBBE8EFC9750F000A2DF596921A1DB709A49CB92

Function 00A08142 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00A08187
VariantCopy.OLEAUT32(00000000,?), ref: 00A08190
VariantClear.OLEAUT32(00000000), ref: 00A0819C
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00A0828A
__swprintf.LIBCMT ref: 00A082BA
VarR8FromDec.OLEAUT32(?,?), ref: 00A082E6
VariantInit.OLEAUT32(?), ref: 00A08397
SysFreeString.OLEAUT32(?), ref: 00A0842B
VariantClear.OLEAUT32(?), ref: 00A08485
VariantClear.OLEAUT32(?), ref: 00A08494
VariantInit.OLEAUT32(00000000), ref: 00A084D2

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00A082B4
Default, xrefs: 00A08347

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: cd159d84d7bc0a120e92dc662d1c2e859d0e0c3e736cca99a4e410ee552adc06
Instruction ID: 75d178b816b9a8d771925f78171f8079244580d6d8148318dae70d79e3b3d2eb
Opcode Fuzzy Hash: cd159d84d7bc0a120e92dc662d1c2e859d0e0c3e736cca99a4e410ee552adc06
Instruction Fuzzy Hash: 8DD10330A0051EDBDB20DFA5E844BADB7B4BF45700F148659E495AB2C1DF38EC41DBA5

Function 00A24797 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A24829
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A24874

Strings

ISCHECKED, xrefs: 00A249F7
SELECT, xrefs: 00A24A25
CHECK, xrefs: 00A24894
GETTOTALCOUNT, xrefs: 00A2485B
GETSELECTED, xrefs: 00A24984
EXISTS, xrefs: 00A248DD
UNCHECK, xrefs: 00A24A50
COLLAPSE, xrefs: 00A248BA
EXPAND, xrefs: 00A24926
GETTEXT, xrefs: 00A249C7
GETITEMCOUNT, xrefs: 00A24956

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 291239509a18f00d9dfeaf26e5d80d69d483dca8454fd0ec79d433b05721b864
Instruction ID: e3a7e57e297123177460b787088c5db9bb53149db2f7284f77bec28baeb38237
Opcode Fuzzy Hash: 291239509a18f00d9dfeaf26e5d80d69d483dca8454fd0ec79d433b05721b864
Instruction Fuzzy Hash: 06917C706047119FCB04EF24C451B6AB7A1BFD9354F40896CF8A65B3A2CB71ED4ACB92

Function 00A2BBEB Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A2BCA1
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00A295AF), ref: 00A2BCFD
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A2BD36
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A2BD79
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A2BDB0
FreeLibrary.KERNEL32(?), ref: 00A2BDBC
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A2BDCC
DestroyIcon.USER32(?,?,?,?,?,00A295AF), ref: 00A2BDDB
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A2BDF8
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A2BE04

Part of subcall function 009C305F: __wcsicmp_l.LIBCMT ref: 009C30E8

Strings

.icl, xrefs: 00A2BC17
.exe, xrefs: 00A2BC37
.dll, xrefs: 00A2BC5A

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 0d0f083ecdea6a55013ff2fc729d52ec052fc85ca4121d99a09246e93d99c1ad
Instruction ID: a8a3e3ef84c301c953ec37fc38670579313529c47f9bc3a5d0e17d42ffc89a6b
Opcode Fuzzy Hash: 0d0f083ecdea6a55013ff2fc729d52ec052fc85ca4121d99a09246e93d99c1ad
Instruction Fuzzy Hash: 7A61E271A10625BBEB14DF68DC41FFE77A8FB08710F10822AF915D60D1DBB4A991CBA0

Function 00A0A0E8 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00A0A12F

Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00A0A150
__swprintf.LIBCMT ref: 00A0A1A9
__swprintf.LIBCMT ref: 00A0A1C2
_wprintf.LIBCMT ref: 00A0A269
_wprintf.LIBCMT ref: 00A0A287

Strings

"%s" (%d) : ==> %s:, xrefs: 00A0A282
^ ERROR , xrefs: 00A0A1FE
Line %d (File "%s"):, xrefs: 00A0A1A3, 00A0A1BC
Incorrect parameters to object property !, xrefs: 00A0A20B
"%s" (%d) : ==> %s:%s%s, xrefs: 00A0A264
Error: , xrefs: 00A0A231

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 315dad413ea0500925c0f1119ff9073711b9656e3a3621f0fcded73c5af036bd
Instruction ID: dbec92a03c4438587d7195dd0eb50e23e047b5549123ac9d183fdfec61d61bd3
Opcode Fuzzy Hash: 315dad413ea0500925c0f1119ff9073711b9656e3a3621f0fcded73c5af036bd
Instruction Fuzzy Hash: 91518972900209AACF15EBE0DE66FEEB778BF58351F504165F405A20A2EB712F58CB61

Function 00A0A802 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 009A4D37: __itow.LIBCMT ref: 009A4D62
Part of subcall function 009A4D37: __swprintf.LIBCMT ref: 009A4DAC

CharLowerBuffW.USER32(?,?), ref: 00A0A87B
GetDriveTypeW.KERNEL32 ref: 00A0A8C8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A0A910
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A0A947
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A0A975

Part of subcall function 009B1821: _memmove.LIBCMT ref: 009B185B

Strings

open , xrefs: 00A0A8D7
close cd wait, xrefs: 00A0A960
closed, xrefs: 00A0A88F, 00A0A898
close, xrefs: 00A0A881
wait, xrefs: 00A0A932
open, xrefs: 00A0A8A2
set cd door , xrefs: 00A0A916
type cdaudio alias cd wait, xrefs: 00A0A8F3

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: f0ade84c1af3813dabe6b8a13b67741313661bc1cd5e1b656763835d06835be2
Instruction ID: 5e0cf342ef7653a7e9cdde7f73c21b58713b2a2913f54f51a9c010616db4e99f
Opcode Fuzzy Hash: f0ade84c1af3813dabe6b8a13b67741313661bc1cd5e1b656763835d06835be2
Instruction Fuzzy Hash: DB515D711043049FC700EF60D991AAAB7E4FFD4758F50891DF895572A1DB31ED09CB92

Function 00A0A69F Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A0A6BF
__swprintf.LIBCMT ref: 00A0A6E1
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A0A71E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A0A743
_memset.LIBCMT ref: 00A0A762
_wcsncpy.LIBCMT ref: 00A0A79E
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A0A7D3
CloseHandle.KERNEL32(00000000), ref: 00A0A7DE
RemoveDirectoryW.KERNEL32(?), ref: 00A0A7E7
CloseHandle.KERNEL32(00000000), ref: 00A0A7F1

Strings

\, xrefs: 00A0A6F7
:, xrefs: 00A0A702
\??\%s, xrefs: 00A0A6DB

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 7808c566fa9f46a29c1e27f0b70143b132b1586e2d638f653b6e8e506b4caed9
Instruction ID: 9a7745d94a9cb0f192bf13e3c5799f666af6a936ecf79b2141d9c5b574cd6f1f
Opcode Fuzzy Hash: 7808c566fa9f46a29c1e27f0b70143b132b1586e2d638f653b6e8e506b4caed9
Instruction Fuzzy Hash: 6F31857190021DABDB21DFA0DC49FEB77BCEF88700F1041B6F909D61A0E77096858B25

Function 00A2C5CF Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009A29E2: GetWindowLongW.USER32(?,000000EB), ref: 009A29F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A2C61F
GetFocus.USER32 ref: 00A2C62F
GetDlgCtrlID.USER32(00000000), ref: 00A2C63A
_memset.LIBCMT ref: 00A2C765
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00A2C790
GetMenuItemCount.USER32(?), ref: 00A2C7B0
GetMenuItemID.USER32(?,00000000), ref: 00A2C7C3
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00A2C7F7
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00A2C83F
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A2C877
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00A2C8AC

Strings

0, xrefs: 00A2C75D

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 8f3e0f74fb0af7e40f619f9064f76bccb8656929bee7b4dd837cd783c7b1598d
Instruction ID: e26ed161510725077b8fe401df1670989a51d76bba9b8cdab2e9f1f3ed7b9882
Opcode Fuzzy Hash: 8f3e0f74fb0af7e40f619f9064f76bccb8656929bee7b4dd837cd783c7b1598d
Instruction Fuzzy Hash: D0816C706083219FD710CF18E984A6FBBE9FB88724F00892EF99597291D770D905CFA2

Function 009F88AD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009F8C03: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009F8C1F
Part of subcall function 009F8C03: GetLastError.KERNEL32(?,009F86E3,?,?,?), ref: 009F8C29
Part of subcall function 009F8C03: GetProcessHeap.KERNEL32(00000008,?,?,009F86E3,?,?,?), ref: 009F8C38
Part of subcall function 009F8C03: HeapAlloc.KERNEL32(00000000,?,009F86E3,?,?,?), ref: 009F8C3F
Part of subcall function 009F8C03: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009F8C56

Part of subcall function 009F8CA0: GetProcessHeap.KERNEL32(00000008,009F86F9,00000000,00000000,?,009F86F9,?), ref: 009F8CAC
Part of subcall function 009F8CA0: HeapAlloc.KERNEL32(00000000,?,009F86F9,?), ref: 009F8CB3
Part of subcall function 009F8CA0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,009F86F9,?), ref: 009F8CC4

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009F8911
_memset.LIBCMT ref: 009F8926
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009F8945
GetLengthSid.ADVAPI32(?), ref: 009F8956
GetAce.ADVAPI32(?,00000000,?), ref: 009F8993
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009F89AF
GetLengthSid.ADVAPI32(?), ref: 009F89CC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 009F89DB
HeapAlloc.KERNEL32(00000000), ref: 009F89E2
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009F8A03
CopySid.ADVAPI32(00000000), ref: 009F8A0A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009F8A3B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009F8A61
SetUserObjectSecurity.USER32(?,00000004,?), ref: 009F8A75

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: b06f87b06d3a7af0e190e95b7fbe47620c0f4644a60659b7dd02e8aa89cb4f54
Instruction ID: e7dfbc41c25ee8a00708e3ca63c10d0276c40343c4803f251c1b0cfe4ea80576
Opcode Fuzzy Hash: b06f87b06d3a7af0e190e95b7fbe47620c0f4644a60659b7dd02e8aa89cb4f54
Instruction Fuzzy Hash: 2E6159B190020AAFDF45CFA0DC55EBEBB79FF45700F04816AFA15A6290DB31DA16CB60

Function 00A177C9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A1783E
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00A1784A
CreateCompatibleDC.GDI32(?), ref: 00A17856
SelectObject.GDI32(00000000,?), ref: 00A17863
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00A178B7
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00A178F3
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00A17917
SelectObject.GDI32(00000006,?), ref: 00A1791F
DeleteObject.GDI32(?), ref: 00A17928
DeleteDC.GDI32(00000006), ref: 00A1792F
ReleaseDC.USER32(00000000,?), ref: 00A1793A

Strings

(, xrefs: 00A178BF

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 51838def2399c9539a4ad6f796c28293f4bd6370a69a2c73b97be664214a50cf
Instruction ID: 49dbe13e1aacdd3aca1c08a36167d7e764b264f07670f3aa4cbc6c15b4a4b754
Opcode Fuzzy Hash: 51838def2399c9539a4ad6f796c28293f4bd6370a69a2c73b97be664214a50cf
Instruction Fuzzy Hash: 4F515A71904309EFCB15CFA8DC89EAEBBB9EF49310F14851DF95AA7250C731A881CB90

Function 00A0A2FA Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00A0A341

Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 00A0A363
__swprintf.LIBCMT ref: 00A0A3BC
__swprintf.LIBCMT ref: 00A0A3D5
_wprintf.LIBCMT ref: 00A0A48B
_wprintf.LIBCMT ref: 00A0A4A9

Strings

"%s" (%d) : ==> %s:, xrefs: 00A0A4A4
Line %d (File "%s"):, xrefs: 00A0A3B6, 00A0A3CF
^ ERROR, xrefs: 00A0A42D
"%s" (%d) : ==> %s:%s%s, xrefs: 00A0A486
Error: , xrefs: 00A0A453

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 7d2433dcbcafd6e0789a026039a6c6bcf4306fa3a69e54008056072811ec5938
Instruction ID: 13afc90efebc3e185e1784860d2d295a46824521995fdb6bfc3e569a7c3b3a52
Opcode Fuzzy Hash: 7d2433dcbcafd6e0789a026039a6c6bcf4306fa3a69e54008056072811ec5938
Instruction Fuzzy Hash: 7F518972800209AACF15EBE0DEA6FEEB778BF54350F504165F405A20A2EB712E59CB61

Function 00A0957D Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09387: __time64.LIBCMT ref: 00A09391

Part of subcall function 009B4A8C: _fseek.LIBCMT ref: 009B4AA4

__wsplitpath.LIBCMT ref: 00A0965C

Part of subcall function 009C424E: __wsplitpath_helper.LIBCMT ref: 009C428E

_wcscpy.LIBCMT ref: 00A0966F
_wcscat.LIBCMT ref: 00A09682
__wsplitpath.LIBCMT ref: 00A096A7
_wcscat.LIBCMT ref: 00A096BD
_wcscat.LIBCMT ref: 00A096D0

Part of subcall function 00A093CD: _memmove.LIBCMT ref: 00A09406
Part of subcall function 00A093CD: _memmove.LIBCMT ref: 00A09415

_wcscmp.LIBCMT ref: 00A09617

Part of subcall function 00A09B5E: _wcscmp.LIBCMT ref: 00A09C4E
Part of subcall function 00A09B5E: _wcscmp.LIBCMT ref: 00A09C61

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00A0987A
_wcsncpy.LIBCMT ref: 00A098ED
DeleteFileW.KERNEL32(?,?), ref: 00A09923
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A09939
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A0994A
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A0995C

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 205cdab5310b8ae5517d2ed2d02a7513d646500976154a637db1f88088add9bc
Instruction ID: 8be612e88b028b182cf08726debde9ded2898db860bcde05dfa715ce7c6bb082
Opcode Fuzzy Hash: 205cdab5310b8ae5517d2ed2d02a7513d646500976154a637db1f88088add9bc
Instruction Fuzzy Hash: 71C119B1D0021DAADF21DF95DD85EDFB7BDAF84310F0040AAF609E6152EB709A848F65

Function 009B5BD7 Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009B5BF1
GetMenuItemCount.USER32(00A66890), ref: 009F0DFB
GetMenuItemCount.USER32(00A66890), ref: 009F0EAB
GetCursorPos.USER32(?), ref: 009F0EEF
SetForegroundWindow.USER32(00000000), ref: 009F0EF8
TrackPopupMenuEx.USER32(00A66890,00000000,?,00000000,00000000,00000000), ref: 009F0F0B
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009F0F17

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 54ac0d9ef366079f80dc9fe393bb42121bb8e341a6d8cf7106162b4f8a2758ea
Instruction ID: 905647eda8d30514af598f3d5170f2348da630ba125371e2d0756d263eb607e6
Opcode Fuzzy Hash: 54ac0d9ef366079f80dc9fe393bb42121bb8e341a6d8cf7106162b4f8a2758ea
Instruction Fuzzy Hash: 0E71B070640709BEFB209B94DC49FEABF6DFF84764F204216F624AA1D2C7B16850DB90

Function 009F81DD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 009B1821: _memmove.LIBCMT ref: 009B185B

_memset.LIBCMT ref: 009F826C
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009F82A1
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009F82BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009F82D9
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 009F8303
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 009F832B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009F8336
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009F833B

Strings

SOFTWARE\Classes\, xrefs: 009F820D
\CLSID, xrefs: 009F8223
\IPC$, xrefs: 009F8283

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 7826c6a0bd3ca342ddab42821559afe5ec521b79581198dc21c48bd2f9a2db4a
Instruction ID: 1e4bd06c25cf3fe6c08f3c7808bb10ffe5db340c0be8df550f2e9f7ec4494215
Opcode Fuzzy Hash: 7826c6a0bd3ca342ddab42821559afe5ec521b79581198dc21c48bd2f9a2db4a
Instruction Fuzzy Hash: E4411572C1022DABCF15EBA4DCA5EEEB778FF48750B404129F911B2161EB70AE05CB90

Function 00A21242 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A201D5,?,?), ref: 00A21259

Strings

HKEY_CURRENT_USER, xrefs: 00A21338
HKEY_CLASSES_ROOT, xrefs: 00A212EC
HKCC, xrefs: 00A21327
HKEY_USERS, xrefs: 00A2135A
HKLM, xrefs: 00A212D7
HKCR, xrefs: 00A21301
HKCU, xrefs: 00A21349
HKEY_CURRENT_CONFIG, xrefs: 00A21316
HKEY_LOCAL_MACHINE, xrefs: 00A212C2
HKU, xrefs: 00A2136B

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 913b08226de6f60b2318f05560d3e47d2c10562a500a7bf7e793b467369acc7d
Instruction ID: 8e1e9d603839cf98447fd1558fa1bb4354fc3096f989f7e927770232887f3468
Opcode Fuzzy Hash: 913b08226de6f60b2318f05560d3e47d2c10562a500a7bf7e793b467369acc7d
Instruction Fuzzy Hash: EC415C3065025A8BCF04EF54E951BFE3726BFA1314F804628FDA60B692DB70DD1ACB61

Function 00A056EF Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 009B1821: _memmove.LIBCMT ref: 009B185B

Part of subcall function 009B153B: _memmove.LIBCMT ref: 009B15C4

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A05758
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A0576E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A0577F
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A05791
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A057A2

Strings

play PlayMe, xrefs: 00A0579D
open , xrefs: 00A05707
status PlayMe mode, xrefs: 00A05753
close PlayMe, xrefs: 00A05769, 00A05796
play PlayMe wait, xrefs: 00A0578C
alias PlayMe, xrefs: 00A05731

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: f02a4cce474bb71e1dcbe67944288f2d30788725b441307c1cf93ac539dd1e60
Instruction ID: a3769ce33268bca41d8aca11469a1cf2cefd356d8dd234416db04e5e09812d86
Opcode Fuzzy Hash: f02a4cce474bb71e1dcbe67944288f2d30788725b441307c1cf93ac539dd1e60
Instruction Fuzzy Hash: 6111827095015DB9DB20A7B1ED6AEFF7B7CFFD1B51F400829B811A60D1DAB01909C9A0

Function 00A04A79 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A04A94
gethostname.WSOCK32(?,00000100), ref: 00A04AAE
gethostbyname.WSOCK32(?), ref: 00A04ABB
_wcscpy.LIBCMT ref: 00A04AE3
_memmove.LIBCMT ref: 00A04AF6
inet_ntoa.WSOCK32(?), ref: 00A04B01
_strcat.LIBCMT ref: 00A04B0F
_wcscpy.LIBCMT ref: 00A04B26
WSACleanup.WSOCK32 ref: 00A04B34
_wcscpy.LIBCMT ref: 00A04B42

Strings

0.0.0.0, xrefs: 00A04ADD

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 04068a91855a90364b2f4fd01831dc76e7c926715906bbb81fd9e5f88cf50da9
Instruction ID: 2b70c29479f257ca3b1a881a30cb498a8ba3f188a22b8bd2ef719f939ece8aae
Opcode Fuzzy Hash: 04068a91855a90364b2f4fd01831dc76e7c926715906bbb81fd9e5f88cf50da9
Instruction Fuzzy Hash: 7511E77290420CABCB24E7B1AC16FDB7BBCEF95711F040169F505A6091EF70D9858A92

Function 00A0539D Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A053A2

Part of subcall function 009C074E: timeGetTime.WINMM(?,00000002,009AC22C), ref: 009C0752

Sleep.KERNEL32(0000000A), ref: 00A053CE
EnumThreadWindows.USER32(?,Function_00065350,00000000), ref: 00A053F2
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00A05414
SetActiveWindow.USER32 ref: 00A05433
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A05441
SendMessageW.USER32(00000010,00000000,00000000), ref: 00A05460
Sleep.KERNEL32(000000FA), ref: 00A0546B
IsWindow.USER32 ref: 00A05477
EndDialog.USER32(00000000), ref: 00A05488

Strings

BUTTON, xrefs: 00A05406

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 1f9e9dcd20de2ca91789cef3cf02996bb6eaae82d9ff6772f231cb64ef8bd51a
Instruction ID: bf6ef5febcb100455683d834a0698b79e57ecb7b48b8ce67dedd140f8a1f45c6
Opcode Fuzzy Hash: 1f9e9dcd20de2ca91789cef3cf02996bb6eaae82d9ff6772f231cb64ef8bd51a
Instruction Fuzzy Hash: 3B218E70604A0CAFE701DBB0FDA9E6B3B7EEB4438AF101454F402861E1DBE18C528E22

Function 00A0DA3D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 009A4D37: __itow.LIBCMT ref: 009A4D62
Part of subcall function 009A4D37: __swprintf.LIBCMT ref: 009A4DAC

CoInitialize.OLE32(00000000), ref: 00A0DA9A
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A0DB2D
SHGetDesktopFolder.SHELL32(?), ref: 00A0DB41
CoCreateInstance.OLE32(00A33D4C,00000000,00000001,00A59BEC,?), ref: 00A0DB8D
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A0DBFC
CoTaskMemFree.OLE32(?,?), ref: 00A0DC54
_memset.LIBCMT ref: 00A0DC91
SHBrowseForFolderW.SHELL32(?), ref: 00A0DCCD
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A0DCF0
CoTaskMemFree.OLE32(00000000), ref: 00A0DCF7
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00A0DD2E
CoUninitialize.OLE32(00000001,00000000), ref: 00A0DD30

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 3765fc3f53009e18d6225ae7751339aff75205375f8913f110edefdf909e9e09
Instruction ID: a23c28917a141203ef2ee760361a0124ccbf6ca22a27482b8d69f759dfff3597
Opcode Fuzzy Hash: 3765fc3f53009e18d6225ae7751339aff75205375f8913f110edefdf909e9e09
Instruction Fuzzy Hash: AEB10B75A00109AFDB04DFA4D898EAEBBB9FF89304F148459F909EB261DB30ED41CB50

Function 00A00687 Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A00702
SetKeyboardState.USER32(?), ref: 00A0076D
GetAsyncKeyState.USER32(000000A0), ref: 00A0078D
GetKeyState.USER32(000000A0), ref: 00A007A4
GetAsyncKeyState.USER32(000000A1), ref: 00A007D3
GetKeyState.USER32(000000A1), ref: 00A007E4
GetAsyncKeyState.USER32(00000011), ref: 00A00810
GetKeyState.USER32(00000011), ref: 00A0081E
GetAsyncKeyState.USER32(00000012), ref: 00A00847
GetKeyState.USER32(00000012), ref: 00A00855
GetAsyncKeyState.USER32(0000005B), ref: 00A0087E
GetKeyState.USER32(0000005B), ref: 00A0088C

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 9f89ccc9090016716455cf6ad8b257120ed60c29060ee357c2a88f163766e34f
Instruction ID: d6011206dd7713b79460b68166a484d9e5b7f1ad49fe3456eb5298e8d5d4782f
Opcode Fuzzy Hash: 9f89ccc9090016716455cf6ad8b257120ed60c29060ee357c2a88f163766e34f
Instruction Fuzzy Hash: 9551D92090478C29FB34E7B0A954FEBBFB59F01340F08859ED5C6571C3DA94AA8CCBA1

Function 009FCBE3 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 009FCBFF
GetWindowRect.USER32(00000000,?), ref: 009FCC11
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 009FCC6F
GetDlgItem.USER32(?,00000002), ref: 009FCC7A
GetWindowRect.USER32(00000000,?), ref: 009FCC8C
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 009FCCE0
GetDlgItem.USER32(?,000003E9), ref: 009FCCEE
GetWindowRect.USER32(00000000,?), ref: 009FCCFF
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 009FCD42
GetDlgItem.USER32(?,000003EA), ref: 009FCD50
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 009FCD6D
InvalidateRect.USER32(?,00000000,00000001), ref: 009FCD7A

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 672817a3c16a3f20526370d5f7deded4f52f9e329fdd5133c487a9450e7e3f35
Instruction ID: f1e588f9dc956cca5d0f9957089c6d71578a29813806939591a4fca5106ba28e
Opcode Fuzzy Hash: 672817a3c16a3f20526370d5f7deded4f52f9e329fdd5133c487a9450e7e3f35
Instruction Fuzzy Hash: 6F5134B1B00209AFDB18CFA9DD95EADBBB9EB88310F14852DF615D7294D7B09D018B50

Function 009A23F7 Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 009A1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,009A2412,?,00000000,?,?,?,?,009A1AA7,00000000,?), ref: 009A1F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 009A24AF
KillTimer.USER32(-00000001,?,?,?,?,009A1AA7,00000000,?,?,009A1EBE,?,?), ref: 009A254A
DestroyAcceleratorTable.USER32(00000000), ref: 009DBF17
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009A1AA7,00000000,?,?,009A1EBE,?,?), ref: 009DBF48
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009A1AA7,00000000,?,?,009A1EBE,?,?), ref: 009DBF5F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,009A1AA7,00000000,?,?,009A1EBE,?,?), ref: 009DBF7B
DeleteObject.GDI32(00000000), ref: 009DBF8D

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: de1d3ac3764c124ac847a2b553bcd77aa1ee8c4889bf89635a07453f833ab1f0
Instruction ID: 90761a1695b2cf17ac5bf9152a9c1198c7acbb345bd74b15e275f7d3dc42ce55
Opcode Fuzzy Hash: de1d3ac3764c124ac847a2b553bcd77aa1ee8c4889bf89635a07453f833ab1f0
Instruction Fuzzy Hash: 0061B931500601DFDB25EF68CD58B2ABBF5FB86316F108929E0425BA70C7B5A892DFD0

Function 009A2581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 009A29AB: GetWindowLongW.USER32(?,000000EB), ref: 009A29BC

GetSysColor.USER32(0000000F), ref: 009A25AF

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 87c2034587779d47e29f6b3b0560790a998e9360fd27dc8018d2ad1a0cb76f4d
Instruction ID: b14f64e75ea0cc27f2778151cdce29a29d3663d40b2264069cd12e8de2b686e3
Opcode Fuzzy Hash: 87c2034587779d47e29f6b3b0560790a998e9360fd27dc8018d2ad1a0cb76f4d
Instruction Fuzzy Hash: BD41C331005114AFDB259F6CDC98BB93B79EB17331F198262FD658A2E6C7308C42DBA1

Function 009B29BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 009C0AB6: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,009B2A3E,?,00008000), ref: 009C0AD2

Part of subcall function 009C01AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009B2A58,?,00008000), ref: 009C01CF

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 009B2ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 009B2C2C

Part of subcall function 009B3EBE: _wcscpy.LIBCMT ref: 009B3EF6

Part of subcall function 009C379F: _iswctype.LIBCMT ref: 009C37A7

Strings

Error opening the file, xrefs: 009EFCB3, 009EFD2A
Unterminated string, xrefs: 009F0056
AU3!, xrefs: 009B2A93
Bad directive syntax error, xrefs: 009F000F
EA06, xrefs: 009EFCC8
#include depth exceeded. Make sure there are no recursive includes, xrefs: 009EFC97

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: 06c942067af9e0a96099ac6ae80d2eb6fddb4ba6c8e32043a1982cda04391917
Instruction ID: 89428ee076d0e5df8de3cf6ae6a4007405128c3c35102b9b9a058431d97358b0
Opcode Fuzzy Hash: 06c942067af9e0a96099ac6ae80d2eb6fddb4ba6c8e32043a1982cda04391917
Instruction Fuzzy Hash: 5B029E705083459FC725EF24C991AAFBBE5EFC9324F00492EF495972A2DB30DA49CB42

Function 00A0AD57 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00A30980), ref: 00A0ADBB
GetDriveTypeW.KERNEL32(00000061,00A59970,00000061), ref: 00A0AE85
_wcscpy.LIBCMT ref: 00A0AEAF

Strings

cdrom, xrefs: 00A0ADD7
ramdisk, xrefs: 00A0AE2F
all, xrefs: 00A0ADC1
unknown, xrefs: 00A0AE46
network, xrefs: 00A0AE19
fixed, xrefs: 00A0AE03
removable, xrefs: 00A0ADED

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 3f900b74948ff493585ac3bedeb6345ffbe0c61583e74cde1883e65616d57790
Instruction ID: 8fae0eb38926d1310c8b7c8161538c50fb1f3f8cb030bef7a444ce3741c93058
Opcode Fuzzy Hash: 3f900b74948ff493585ac3bedeb6345ffbe0c61583e74cde1883e65616d57790
Instruction Fuzzy Hash: FE519B305083059BC314EF14E892BABB7A9FFD5710F50481DF9965B2E2DBB19E09CA93

Function 009A4D37 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 009A4D62
__swprintf.LIBCMT ref: 009A4DAC
__i64tow.LIBCMT ref: 009DDA6B

Strings

%.15g, xrefs: 009A4DA6
0x%p, xrefs: 009DDA4D
False, xrefs: 009DDA33
True, xrefs: 009DDA2C

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 7844c92535a53429c6c393eba4aae9b292ffee2a933c0c1356c0fc4c61fc5562
Instruction ID: 5c61d97a85b8000450cc075f7ef1e9fefcae7fe6a3c56a289c9ffced2980c920
Opcode Fuzzy Hash: 7844c92535a53429c6c393eba4aae9b292ffee2a933c0c1356c0fc4c61fc5562
Instruction Fuzzy Hash: 3E410671945209AFDB24DF74C942F7AB3E8FF85300F20885FE049DB281EA71A941CB51

Function 00A2753F Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A27557
CreateMenu.USER32 ref: 00A27572
SetMenu.USER32(?,00000000), ref: 00A27581
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A2760E
IsMenu.USER32(?), ref: 00A27624
CreatePopupMenu.USER32 ref: 00A2762E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A2765B
DrawMenuBar.USER32 ref: 00A27663

Strings

F, xrefs: 00A2764F
0, xrefs: 00A2754D

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: bfbe51ff83832cc9b77f00e9209170d4cdb6f53b40661c2069d9669f4335a192
Instruction ID: 54f31ebd5616b21fbe2f2706acb08f274ab1185162528ea96a3ab3449944afd3
Opcode Fuzzy Hash: bfbe51ff83832cc9b77f00e9209170d4cdb6f53b40661c2069d9669f4335a192
Instruction Fuzzy Hash: EF415974A04219EFDB10DFA9E884F9ABBB6FF48340F144029F94597360D770AA11CF90

Function 00A278A8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00A2794B
CreateCompatibleDC.GDI32(00000000), ref: 00A27952
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00A27965
SelectObject.GDI32(00000000,00000000), ref: 00A2796D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A27978
DeleteDC.GDI32(00000000), ref: 00A27981
GetWindowLongW.USER32(?,000000EC), ref: 00A2798B
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00A2799F
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00A279AB

Strings

static, xrefs: 00A278E3

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 385f4edc0805f8981cc35fe00084be835604a90c1c2e3c1c2a6445a6870262ae
Instruction ID: e223be0088c482a1a31edd897007abf9f712669c35a105088db6039cbfc0c100
Opcode Fuzzy Hash: 385f4edc0805f8981cc35fe00084be835604a90c1c2e3c1c2a6445a6870262ae
Instruction Fuzzy Hash: A1316D32104229BFDF129FA8EC09FDE3B69FF09320F110224FA55A61A0C771D961DBA4

Function 009C6F60 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009C6F9B

Part of subcall function 009C8C88: __getptd_noexit.LIBCMT ref: 009C8C88

__gmtime64_s.LIBCMT ref: 009C7034
__gmtime64_s.LIBCMT ref: 009C706A
__gmtime64_s.LIBCMT ref: 009C7087
__allrem.LIBCMT ref: 009C70DD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009C70F9
__allrem.LIBCMT ref: 009C7110
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009C712E
__allrem.LIBCMT ref: 009C7145
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009C7163
__invoke_watson.LIBCMT ref: 009C71D4

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: 152db9d0b97ede060ccce44c660ddc8705b130d28dcac1657e8435b5066ede46
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: 4271F572E44716ABD714DFB9CC82F6AB3A8AF45364F14822EF514D7281EB74D9008BD2

Function 00A02B3A Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A02B55
GetMenuItemInfoW.USER32(00A66890,000000FF,00000000,00000030), ref: 00A02BB6
SetMenuItemInfoW.USER32(00A66890,00000004,00000000,00000030), ref: 00A02BEC
Sleep.KERNEL32(000001F4), ref: 00A02BFE
GetMenuItemCount.USER32(?), ref: 00A02C42
GetMenuItemID.USER32(?,00000000), ref: 00A02C5E
GetMenuItemID.USER32(?,-00000001), ref: 00A02C88
GetMenuItemID.USER32(?,?), ref: 00A02CCD
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A02D13
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A02D27
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A02D48

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 8418611bfc0dd4219242e9deae9582b44b75c57df53eb2a6df4aa68aab44c78f
Instruction ID: 77d67325260862cf749520051fab96e5e3ba970e2120c3fb76dbec319d29cd2f
Opcode Fuzzy Hash: 8418611bfc0dd4219242e9deae9582b44b75c57df53eb2a6df4aa68aab44c78f
Instruction Fuzzy Hash: AD617BB090034DAFEB11CFA4ED98EAEBBB8EB41308F144559F841A7291D771AD46DB21

Function 00A27310 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A27392
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A27395
GetWindowLongW.USER32(?,000000F0), ref: 00A273B9
_memset.LIBCMT ref: 00A273CA
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A273DC
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A27454

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 8488f8af9f93a1929046574e4ad654fdc3c7ee1910a11108969b82e359bb178e
Instruction ID: 31cafe72ff91fd6ad18411bb5cd338a21a6ab3f3d4fe9d44b4c9648510a8eb81
Opcode Fuzzy Hash: 8488f8af9f93a1929046574e4ad654fdc3c7ee1910a11108969b82e359bb178e
Instruction Fuzzy Hash: 19617B75900218AFDB10DFA8DC81EEE77F8EB49714F100169FA15E72A1C770AE46DBA0

Function 009F7599 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 009F75C0
SafeArrayAllocData.OLEAUT32(?), ref: 009F7619
VariantInit.OLEAUT32(?), ref: 009F762B
SafeArrayAccessData.OLEAUT32(?,?), ref: 009F764B
VariantCopy.OLEAUT32(?,?), ref: 009F769E
SafeArrayUnaccessData.OLEAUT32(?), ref: 009F76B2
VariantClear.OLEAUT32(?), ref: 009F76C7
SafeArrayDestroyData.OLEAUT32(?), ref: 009F76D4
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009F76DD
VariantClear.OLEAUT32(?), ref: 009F76EF
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009F76FA

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 8467d522f2f987b4fcba77cc05d083897ee72198d84615a4b8efd3e83f9d5f8f
Instruction ID: 54375b68c6cc561e948f3728805816774b49ef718a0b202fe3a195412acbddfa
Opcode Fuzzy Hash: 8467d522f2f987b4fcba77cc05d083897ee72198d84615a4b8efd3e83f9d5f8f
Instruction Fuzzy Hash: D3415E35A0021D9FCB04DFA8DC54EADBBB9FF48354F008069FA55E7261CB70AA46CB90

Function 00A00374 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A0039C
GetAsyncKeyState.USER32(000000A0), ref: 00A0041D
GetKeyState.USER32(000000A0), ref: 00A00438
GetAsyncKeyState.USER32(000000A1), ref: 00A00452
GetKeyState.USER32(000000A1), ref: 00A00467
GetAsyncKeyState.USER32(00000011), ref: 00A0047F
GetKeyState.USER32(00000011), ref: 00A00491
GetAsyncKeyState.USER32(00000012), ref: 00A004A9
GetKeyState.USER32(00000012), ref: 00A004BB
GetAsyncKeyState.USER32(0000005B), ref: 00A004D3
GetKeyState.USER32(0000005B), ref: 00A004E5

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 3288dadf4608e35d38719b76a031c9f8ab3627d3088bcc7772301ecb90b12c79
Instruction ID: 61941f5b95416e07dcf85da33fc205c95f4ca6a20b6a0095ddfc89b705f128d9
Opcode Fuzzy Hash: 3288dadf4608e35d38719b76a031c9f8ab3627d3088bcc7772301ecb90b12c79
Instruction Fuzzy Hash: 2441EB305447CDAAFF318774A854FB5BEA06F11344F04805AD6C64A1C2EBA599D4CBA6

Function 00A1886D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 009A4D37: __itow.LIBCMT ref: 009A4D62
Part of subcall function 009A4D37: __swprintf.LIBCMT ref: 009A4DAC

CoInitialize.OLE32 ref: 00A188B5
CoUninitialize.OLE32 ref: 00A188C0
CoCreateInstance.OLE32(?,00000000,00000017,00A33BBC,?), ref: 00A18920
IIDFromString.OLE32(?,?), ref: 00A18993
VariantInit.OLEAUT32(?), ref: 00A18A2D
VariantClear.OLEAUT32(?), ref: 00A18A8E

Strings

Failed to create object, xrefs: 00A1892B, 00A189E1
NULL Pointer assignment, xrefs: 00A18965
Invalid parameter, xrefs: 00A189AC

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: a69a0c1ecf2632ffcc95a0049fbf0333f37d071fb6072e01a4d3fff90b81dbd2
Instruction ID: 8730afd239aecc446654e7bb087190c2d3e3a46d531e3152fea73e3cd14040e8
Opcode Fuzzy Hash: a69a0c1ecf2632ffcc95a0049fbf0333f37d071fb6072e01a4d3fff90b81dbd2
Instruction Fuzzy Hash: CD618D70608711AFD710DF64C849FAEBBE8AF85754F00490EF9859B291CB74ED89CB92

Function 00A0B973 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A0B980
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A0B9F6
GetLastError.KERNEL32 ref: 00A0BA00
SetErrorMode.KERNEL32(00000000,READY), ref: 00A0BA6D

Strings

NOTREADY, xrefs: 00A0BA2C
INVALID, xrefs: 00A0BA3F
READONLY, xrefs: 00A0BA38
UNKNOWN, xrefs: 00A0BA25
READY, xrefs: 00A0BA46

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: ce27c96f73b19ffb1d1180eeeec63a55d56a813cec36b3db8c0dce0d4b8484ce
Instruction ID: e369d8ffeb898f998c5e2d0ed4dd0713ad74bd92be0f67d0f379e1a7da365556
Opcode Fuzzy Hash: ce27c96f73b19ffb1d1180eeeec63a55d56a813cec36b3db8c0dce0d4b8484ce
Instruction Fuzzy Hash: C031A135B10209EFDB00EBA4E995EEEBBB4FB88750F108025F9019B2D1DB719945CBA1

Function 009F992A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77

Part of subcall function 009FB57D: GetClassNameW.USER32(?,?,000000FF), ref: 009FB5A0

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 009F99AF
GetDlgCtrlID.USER32 ref: 009F99BA
GetParent.USER32 ref: 009F99D6
SendMessageW.USER32(00000000,?,00000111,?), ref: 009F99D9
GetDlgCtrlID.USER32(?), ref: 009F99E2
GetParent.USER32(?), ref: 009F99FE
SendMessageW.USER32(00000000,?,?,00000111), ref: 009F9A01

Strings

ComboBox, xrefs: 009F9937
ListBox, xrefs: 009F996C

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: ef84378346cc1ca45b6926fd85d6d41811779d8823ae4ff4f23900ec8271cebf
Instruction ID: db9f4e717da43c46d181dbe93adcbaffcfc692f044440c35e3860f4ded43f311
Opcode Fuzzy Hash: ef84378346cc1ca45b6926fd85d6d41811779d8823ae4ff4f23900ec8271cebf
Instruction Fuzzy Hash: E821C470A00208BFDF04EBA0CCA5EFEBB69EF95310F504115F961932A5DB795815DB20

Function 009F9A15 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77

Part of subcall function 009FB57D: GetClassNameW.USER32(?,?,000000FF), ref: 009FB5A0

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009F9A98
GetDlgCtrlID.USER32 ref: 009F9AA3
GetParent.USER32 ref: 009F9ABF
SendMessageW.USER32(00000000,?,00000111,?), ref: 009F9AC2
GetDlgCtrlID.USER32(?), ref: 009F9ACB
GetParent.USER32(?), ref: 009F9AE7
SendMessageW.USER32(00000000,?,?,00000111), ref: 009F9AEA

Strings

ComboBox, xrefs: 009F9A22
ListBox, xrefs: 009F9A57

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 85ddccfe784223351663d2879de00f16565d510eb8d0a1f19ede43e667b02cdb
Instruction ID: 1cc45819ed36c4152f7f4a59af5e68e68d7499df7fcbeae8550f1c1679860987
Opcode Fuzzy Hash: 85ddccfe784223351663d2879de00f16565d510eb8d0a1f19ede43e667b02cdb
Instruction Fuzzy Hash: BE21A175A00108BFDB00EBA4CC95FFEBBA9EF95300F500115B96197295DBB99925DB20

Function 009F9AFE Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009F9B0A
GetClassNameW.USER32(00000000,?,00000100), ref: 009F9B1F
_wcscmp.LIBCMT ref: 009F9B31
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009F9BAC

Strings

SHELLDLL_DefView, xrefs: 009F9B2B
largeicons, xrefs: 009F9B40
list, xrefs: 009F9B8E
details, xrefs: 009F9B5A
smallicons, xrefs: 009F9B74

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 2438648db053efed0104999f6dfcd75fd46237e73d52774c0e321a6a204f8ce0
Instruction ID: 6c8bd820d1c25c8ec9ca58cce3490f5d7c26ad7232d62b3bf6bdbc8ed6bd1a4d
Opcode Fuzzy Hash: 2438648db053efed0104999f6dfcd75fd46237e73d52774c0e321a6a204f8ce0
Instruction Fuzzy Hash: 0A11EB7654430AFAF6106A11EC07FB6339CAB55732B204016FE05B50E2EEA558514655

Function 00A18D5D Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A18D89
CoInitialize.OLE32(00000000), ref: 00A18DB6
CoUninitialize.OLE32 ref: 00A18DC0
GetRunningObjectTable.OLE32(00000000,?), ref: 00A18EC0
SetErrorMode.KERNEL32(00000001,00000029), ref: 00A18FED
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00A33BDC), ref: 00A19021
CoGetObject.OLE32(?,00000000,00A33BDC,?), ref: 00A19044
SetErrorMode.KERNEL32(00000000), ref: 00A19057
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A190D7
VariantClear.OLEAUT32(?), ref: 00A190E7

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: df09dc5e75559536d8b9e88eca6a655d1859ede572ddaa1438429db9f716eb25
Instruction ID: c09ee5239778be3cbd8ab8cd6326c887c6d781f71a3b7cca7f9a0811e5a21e94
Opcode Fuzzy Hash: df09dc5e75559536d8b9e88eca6a655d1859ede572ddaa1438429db9f716eb25
Instruction Fuzzy Hash: 23C13371608305AFD700EF68C894A6BB7E9FF89348F00491DF58A9B251DB71ED46CB92

Function 00A01839 Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A0185B
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00A008D3,?,00000001), ref: 00A0186F
GetWindowThreadProcessId.USER32(00000000), ref: 00A01876
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A008D3,?,00000001), ref: 00A01885
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A01897
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A008D3,?,00000001), ref: 00A018B0
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A008D3,?,00000001), ref: 00A018C2
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00A008D3,?,00000001), ref: 00A01907
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00A008D3,?,00000001), ref: 00A0191C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00A008D3,?,00000001), ref: 00A01927

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: df1d2d145fde2dd3ef377f940e00e84b416971d7929a468ed120c5f95a301647
Instruction ID: 03cb81559ffaf2b0abd51575f5d88d1675e88e70ca79685749dc8126acbca885
Opcode Fuzzy Hash: df1d2d145fde2dd3ef377f940e00e84b416971d7929a468ed120c5f95a301647
Instruction Fuzzy Hash: E8318C7261020CABEB11DB94ECA9FBE77B9EB55359F104019F910962D0D7B89E42CB60

Function 009DC013 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009A260D
SetTextColor.GDI32(?,000000FF), ref: 009A2617
SetBkMode.GDI32(?,00000001), ref: 009A262C
GetStockObject.GDI32(00000005), ref: 009A2634
GetClientRect.USER32(?), ref: 009DC02C
SendMessageW.USER32(?,00001328,00000000,?), ref: 009DC043
GetWindowDC.USER32(?), ref: 009DC04F
GetPixel.GDI32(00000000,?,?), ref: 009DC05E
ReleaseDC.USER32(?,00000000), ref: 009DC070
GetSysColor.USER32(00000005), ref: 009DC08E

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 256f1ad9cc4d76703d68e3cfdbefe985a3bfd04e24ab3a20b5d7f4a00e11bdce
Instruction ID: 3549ca62e4a79b764ce35c81043db278fd46acc57d41d172ad9912bc0566ab57
Opcode Fuzzy Hash: 256f1ad9cc4d76703d68e3cfdbefe985a3bfd04e24ab3a20b5d7f4a00e11bdce
Instruction Fuzzy Hash: 75115B31540205FFDB61AFA4EC19FE97B79FB09321F108262FA26951E1CB720952EF51

Function 009AAD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 009AADE1
OleUninitialize.OLE32(?,00000000), ref: 009AAE80
UnregisterHotKey.USER32(?), ref: 009AAFD7
DestroyWindow.USER32(?), ref: 009E2E94
FreeLibrary.KERNEL32(?), ref: 009E2EF9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 009E2F26

Strings

close all, xrefs: 009AADDC

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ea99c4ec75837e51dc7a96f616fbfde9fb1449936d6138ea1d04d554840a5eaa
Instruction ID: e8f5e3646aa58607f3b45cd62f7344f8bace0ac729bfc2794852e20e803ad643
Opcode Fuzzy Hash: ea99c4ec75837e51dc7a96f616fbfde9fb1449936d6138ea1d04d554840a5eaa
Instruction Fuzzy Hash: 83A17E30701222CFCB2AEF55C995F69F768BF55710F1046ADE80AAB261CB31AD12CF91

Function 009FAB4C Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,009FAF1D), ref: 009FAE5B

Strings

REGEXPCLASS, xrefs: 009FAC20
CLASSNN, xrefs: 009FABFD
TEXT, xrefs: 009FAD92
INSTANCE, xrefs: 009FAD69
NAME, xrefs: 009FAC8D
CLASS, xrefs: 009FABDA

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: a958ffa1bc79d4bcb84cfb103018bb1f950fc4f4fab46b260a883d418ebd55ed
Instruction ID: f29b5cdd90cd5cb8c0512c4b266256ed622dd8e843e7f93e26f17431d566f6db
Opcode Fuzzy Hash: a958ffa1bc79d4bcb84cfb103018bb1f950fc4f4fab46b260a883d418ebd55ed
Instruction Fuzzy Hash: 7491A6B0900509EBCB08DF60C452BFEFB79BF84354F508119DA5EA7291DF30A959DBA2

Function 009A31F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 009A327E

Part of subcall function 009A218F: GetClientRect.USER32(?,?), ref: 009A21B8
Part of subcall function 009A218F: GetWindowRect.USER32(?,?), ref: 009A21F9
Part of subcall function 009A218F: ScreenToClient.USER32(?,?), ref: 009A2221

GetDC.USER32 ref: 009DCFA3
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 009DCFB6
SelectObject.GDI32(00000000,00000000), ref: 009DCFC4
SelectObject.GDI32(00000000,00000000), ref: 009DCFD9
ReleaseDC.USER32(?,00000000), ref: 009DCFE1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009DD06C

Strings

U, xrefs: 009DCF41

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: e200e6cf0d48b43590ba89520fe14fc7e0a2ca8bddfc58483590d3757731b0b2
Instruction ID: 69dd23a573d3f37ddebafc8512ceca327a7ab7a28f95b6890fe4a3c1aa292593
Opcode Fuzzy Hash: e200e6cf0d48b43590ba89520fe14fc7e0a2ca8bddfc58483590d3757731b0b2
Instruction Fuzzy Hash: 2371D330501205EFCF21CFA8CC84AFA7BB9FF8A350F14866AFD555A2A5C7359942DB90

Function 00A2C3AF Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009A29E2: GetWindowLongW.USER32(?,000000EB), ref: 009A29F3

Part of subcall function 009A2714: GetCursorPos.USER32(?), ref: 009A2727
Part of subcall function 009A2714: ScreenToClient.USER32(00A667B0,?), ref: 009A2744
Part of subcall function 009A2714: GetAsyncKeyState.USER32(00000001), ref: 009A2769
Part of subcall function 009A2714: GetAsyncKeyState.USER32(00000002), ref: 009A2777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00A2C417
ImageList_EndDrag.COMCTL32 ref: 00A2C41D
ReleaseCapture.USER32 ref: 00A2C423
SetWindowTextW.USER32(?,00000000), ref: 00A2C4CD
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00A2C4E0
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00A2C5C2

Strings

@GUI_DRAGFILE, xrefs: 00A2C557
@GUI_DROPID, xrefs: 00A2C514

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 38678d24e4022d4fee69bdd54b5a3b09b21a60bc9a558b2a17156821b70ee3d1
Instruction ID: 27aaaf61e2f99156f8c271682fa144e4297fb1dd97aca2f75da3348ce5250e5d
Opcode Fuzzy Hash: 38678d24e4022d4fee69bdd54b5a3b09b21a60bc9a558b2a17156821b70ee3d1
Instruction Fuzzy Hash: 41517970204305AFD714EF64DD66FAA7BE5AF84320F008A29F995872E1CB70A955CB92

Function 00A190F8 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00A30980), ref: 00A191DA
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00A30980), ref: 00A1920E
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00A19388
SysFreeString.OLEAUT32(?), ref: 00A193B2

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 8268114634260109448a8202b39f36a1516cd4550a8069a0c850af514424e837
Instruction ID: 46af1de9584a76eb813ebf0ef1620182a173952ed79541cbb87661734a9a2b53
Opcode Fuzzy Hash: 8268114634260109448a8202b39f36a1516cd4550a8069a0c850af514424e837
Instruction Fuzzy Hash: 45F11A71A00219EFDB04DF94C894EEEB7B9FF89314F148158F915AB251D731AE86CB90

Function 00A1FB45 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A1FB66
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A1FCF9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A1FD1D
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A1FD5D
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A1FD7F
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A1FEFB
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00A1FF2D
CloseHandle.KERNEL32(?), ref: 00A1FF5C
CloseHandle.KERNEL32(?), ref: 00A1FFD3

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: de55464a8cf892922fdbfb0524f30145e22e510a00332540b79bd2bb0b97d604
Instruction ID: 7362a747aacb2e04cd0bf671d7dfa7f6cebc3296f0b67c9cc33890434c7036df
Opcode Fuzzy Hash: de55464a8cf892922fdbfb0524f30145e22e510a00332540b79bd2bb0b97d604
Instruction Fuzzy Hash: 8FE19231604341DFC714EF24D991BAABBE1AFC5314F14856DF8999B2A2CB71EC81CB92

Function 00A050E9 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A04A30: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A039F7,?), ref: 00A04A4D

Part of subcall function 00A04A30: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A039F7,?), ref: 00A04A66

Part of subcall function 00A04E59: GetFileAttributesW.KERNEL32(?,00A03A6B), ref: 00A04E5A

lstrcmpiW.KERNEL32(?,?), ref: 00A05168
_wcscmp.LIBCMT ref: 00A05182
MoveFileW.KERNEL32(?,?), ref: 00A0519D

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 8dc06e8578e71ec4b91d999281c87813f56b59e7fde05e5c866f2382c42707e6
Instruction ID: 538d1d51a4c78f662cb9257850a73a364895b6bbca23413c623727569cb18629
Opcode Fuzzy Hash: 8dc06e8578e71ec4b91d999281c87813f56b59e7fde05e5c866f2382c42707e6
Instruction Fuzzy Hash: 64519AB24087899BC724EBA0DD91EDF73ECAF84350F40491EF589D3191EF70A6888B56

Function 00A28A32 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A28AEC

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 5d6b498ebd2f2b04a7053fabba8eaf637303723951d3411f01e10cb09e425806
Instruction ID: bb49177cc5c1a24991eae5fa4e7ab4da3f03b5a4b93c5cb27a06d0e377518911
Opcode Fuzzy Hash: 5d6b498ebd2f2b04a7053fabba8eaf637303723951d3411f01e10cb09e425806
Instruction Fuzzy Hash: 2551A0B0903224BFEF209B6CEC85F9D7BB4EF05350F204526F514E61A1CFBDA9948A90

Function 009A2F42 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 009DC568
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009DC58A
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009DC5A2
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 009DC5C0
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009DC5E1
DestroyIcon.USER32(00000000), ref: 009DC5F0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 009DC60D
DestroyIcon.USER32(?), ref: 009DC61C

Part of subcall function 00A2A89C: DeleteObject.GDI32(00000000), ref: 00A2A8D5

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 22622e4066355933b7ca9e61ec30b94dc51102410ae6782caec04806fa42a7a5
Instruction ID: e7687a2c6608745a1a72ca335ee688a7c4ad7946ea8c61a1030c143db7a4d7e0
Opcode Fuzzy Hash: 22622e4066355933b7ca9e61ec30b94dc51102410ae6782caec04806fa42a7a5
Instruction Fuzzy Hash: D0517BB060020AEFDB24DF68DD45FAA7BB9FB49310F104529F94297290DBB4ED91DB90

Function 009FA009 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 009FB310: GetWindowThreadProcessId.USER32(?,00000000), ref: 009FB330
Part of subcall function 009FB310: GetCurrentThreadId.KERNEL32 ref: 009FB337
Part of subcall function 009FB310: AttachThreadInput.USER32(00000000,?,009FA01E,?,00000001), ref: 009FB33E

MapVirtualKeyW.USER32(00000025,00000000), ref: 009FA029
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009FA046
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 009FA049
MapVirtualKeyW.USER32(00000025,00000000), ref: 009FA052
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009FA070
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009FA073
MapVirtualKeyW.USER32(00000025,00000000), ref: 009FA07C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009FA093
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009FA096

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 2c6e0f8a9057aeb55379fb10b1dd86f6546f457073f2f549c522a69f7a09f318
Instruction ID: b3482ff82e5f832935d52460cda192b5fbc25c03e608b4e213e6eed468b66e11
Opcode Fuzzy Hash: 2c6e0f8a9057aeb55379fb10b1dd86f6546f457073f2f549c522a69f7a09f318
Instruction Fuzzy Hash: A1110871950618BEF610AFA0DC8AF6A3F1DDB8C755F100415F3446B090CAF25C519BA4

Function 009F92BC Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,009F8F3D,00000B00,?,?), ref: 009F92C5
HeapAlloc.KERNEL32(00000000,?,009F8F3D,00000B00,?,?), ref: 009F92CC
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009F8F3D,00000B00,?,?), ref: 009F92E1
GetCurrentProcess.KERNEL32(?,00000000,?,009F8F3D,00000B00,?,?), ref: 009F92E9
DuplicateHandle.KERNEL32(00000000,?,009F8F3D,00000B00,?,?), ref: 009F92EC
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,009F8F3D,00000B00,?,?), ref: 009F92FC
GetCurrentProcess.KERNEL32(009F8F3D,00000000,?,009F8F3D,00000B00,?,?), ref: 009F9304
DuplicateHandle.KERNEL32(00000000,?,009F8F3D,00000B00,?,?), ref: 009F9307
CreateThread.KERNEL32(00000000,00000000,009F932D,00000000,00000000,00000000), ref: 009F9321

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: e5f067c31de3bbece08f8a969c4838390ba804e25f9219d09f25a2564fc4d469
Instruction ID: 8bfc99f7f146eaeef51db79c0401287c1410098a457c9bc9c4ad27931c81dffd
Opcode Fuzzy Hash: e5f067c31de3bbece08f8a969c4838390ba804e25f9219d09f25a2564fc4d469
Instruction Fuzzy Hash: FB01B6B5240308BFE750EBA5DC4DF6B7BACEB88B11F408511FA05DB2A1CAB09805DB20

Function 00A195C5 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A19619
VariantInit.OLEAUT32(?), ref: 00A196EA
VariantInit.OLEAUT32(?), ref: 00A197EB
VariantClear.OLEAUT32(?), ref: 00A197F5
VariantClear.OLEAUT32(?), ref: 00A19852

Strings

Null Object assignment in FOR..IN loop, xrefs: 00A1967A, 00A197A8, 00A19860
Incorrect Object type in FOR..IN loop, xrefs: 00A197CE

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 4cc6daa1f84807637e52e0c45b568f7dc4b5aa787af81254e4cce895ec8e64e0
Instruction ID: d519af25c00d0ec41d53461057fc8cb0832797e639efe29149160a1186a01e1c
Opcode Fuzzy Hash: 4cc6daa1f84807637e52e0c45b568f7dc4b5aa787af81254e4cce895ec8e64e0
Instruction Fuzzy Hash: 5A916D71A00219ABDF24CFA5C854FEFBBB8EF45710F108559F919AB281D770A984CFA0

Function 00A2716D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A27211
SendMessageW.USER32(?,00001036,00000000,?), ref: 00A27225
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A2723F
_wcscat.LIBCMT ref: 00A2729A
SendMessageW.USER32(?,00001057,00000000,?), ref: 00A272B1
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A272DF

Strings

SysListView32, xrefs: 00A271E3

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 0bb79fd024db28b7f88a0935ad8c42203d12cf5428de8f4b1ef237faa595f876
Instruction ID: f0c60a3c0eaf62b826628b1039516b5a767cc270e5af252dcff5db983a45d48f
Opcode Fuzzy Hash: 0bb79fd024db28b7f88a0935ad8c42203d12cf5428de8f4b1ef237faa595f876
Instruction Fuzzy Hash: FF418271A04318AFEB21DFA8DC85FEE77A9EF48350F10052AF985A7191D7719E848B60

Function 00A1EDE4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00A03FB5: CreateToolhelp32Snapshot.KERNEL32 ref: 00A03FDA
Part of subcall function 00A03FB5: Process32FirstW.KERNEL32(00000000,?), ref: 00A03FE8
Part of subcall function 00A03FB5: FindCloseChangeNotification.KERNEL32(00000000), ref: 00A040B2

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A1EE55
GetLastError.KERNEL32 ref: 00A1EE68
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A1EE97
TerminateProcess.KERNEL32(00000000,00000000), ref: 00A1EF14
GetLastError.KERNEL32(00000000), ref: 00A1EF1F
CloseHandle.KERNEL32(00000000), ref: 00A1EF54

Strings

SeDebugPrivilege, xrefs: 00A1EE73

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 1701285019-2896544425
Opcode ID: dee8127ea00820c6eb76ab4244217ac923b79c8f8118bd86d44771d7a7b2d7dc
Instruction ID: 11760e25ae033308cd63b07aca30f5a86d8935ec30ae430df2c05a72e722e12b
Opcode Fuzzy Hash: dee8127ea00820c6eb76ab4244217ac923b79c8f8118bd86d44771d7a7b2d7dc
Instruction Fuzzy Hash: 6A41CD312002059FDB11EF64DCA5FAEB7A5AF85710F048018FD469F2C2CBB1A885CB91

Function 00A0334A Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00A033E9

Strings

question, xrefs: 00A033A2
stop, xrefs: 00A033BA
blank, xrefs: 00A0336B
warning, xrefs: 00A033D2
info, xrefs: 00A0338A

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 0c056b118b2bdc1e32cf17ff4d5968d579cc83250c2239ef6f89f820cd34103c
Instruction ID: 576e633d5f8d4f41cc855a216a700e05eaa1952127d654e25414a9af4b6262b6
Opcode Fuzzy Hash: 0c056b118b2bdc1e32cf17ff4d5968d579cc83250c2239ef6f89f820cd34103c
Instruction Fuzzy Hash: 0E11383374870AFAEB028F14BC82EAB37ACEF15321B10401AF9049E1C2EAB59B544166

Function 00A04655 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A0466F
LoadStringW.USER32(00000000), ref: 00A04676
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A0468C
LoadStringW.USER32(00000000), ref: 00A04693
_wprintf.LIBCMT ref: 00A046B9
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A046D7

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00A046B4

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: e001f356751dfa27da1e188becd57a0b9bae0d7ed6c8a2b485e27dd2b44381b3
Instruction ID: 8302bca31da5777ce1e22b50a704261f9f5460c9b47b39bcd580d5af16f588bf
Opcode Fuzzy Hash: e001f356751dfa27da1e188becd57a0b9bae0d7ed6c8a2b485e27dd2b44381b3
Instruction Fuzzy Hash: 76014BF2944208BFE711EBE09D89EFB776CEB08301F004595BB4AE2041EB749E858B71

Function 00A2D861 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009A29E2: GetWindowLongW.USER32(?,000000EB), ref: 009A29F3

GetSystemMetrics.USER32(0000000F), ref: 00A2D89F
GetSystemMetrics.USER32(0000000F), ref: 00A2D8BF
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00A2DAFA
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00A2DB18
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00A2DB39
ShowWindow.USER32(00000003,00000000), ref: 00A2DB58
InvalidateRect.USER32(?,00000000,00000001), ref: 00A2DB7D
DefDlgProcW.USER32(?,00000005,?,?), ref: 00A2DBA0

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: c2968ff03b7be13172f99616ba19b970137f610cc123e12a8db97fb04a9a66b8
Instruction ID: 91e0fea973b385220950d87bdd082a928bf3e7ec5b47f5a98ea41b6b988eeeae
Opcode Fuzzy Hash: c2968ff03b7be13172f99616ba19b970137f610cc123e12a8db97fb04a9a66b8
Instruction Fuzzy Hash: EBB18A31600225AFDF14CF6CD995BAD7BB1FF04711F098179EC48AB29AD735A990CB90

Function 00A20139 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77

Part of subcall function 00A21242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A201D5,?,?), ref: 00A21259

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A20216

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: ff6130e307c1f63ae5525bd715a4665cd5452000da216e25e81669116bb7998a
Instruction ID: 8977e27ee632efcaee1e600ce0a464fe03e2afb01a95e51c79ee46b4248f52cf
Opcode Fuzzy Hash: ff6130e307c1f63ae5525bd715a4665cd5452000da216e25e81669116bb7998a
Instruction Fuzzy Hash: A1A1BC302042159FC714EF58D895F6EBBE5EF84314F04892DFA969B2A2DB30E845CB82

Function 009A2E2B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,009DC438,00000004,00000000,00000000,00000000), ref: 009A2E9F
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,009DC438,00000004,00000000,00000000,00000000,000000FF), ref: 009A2EE7
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,009DC438,00000004,00000000,00000000,00000000), ref: 009DC48B
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,009DC438,00000004,00000000,00000000,00000000), ref: 009DC4F7

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: aca2cda5829b8ae54ba40f29f21f197c8a01f1fe5a764f68b1613c60f1710555
Instruction ID: a6e42538d40e8446e81cc70782057998b5db46890302d8cde2f0d291440fefaf
Opcode Fuzzy Hash: aca2cda5829b8ae54ba40f29f21f197c8a01f1fe5a764f68b1613c60f1710555
Instruction Fuzzy Hash: E241FA706046819AC7398B6C8D9CB7A7B9AAB93310F34C81EF447466B1C775A8C1D790

Function 00A074EE Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00A07505

Part of subcall function 009C0F16: std::exception::exception.LIBCMT ref: 009C0F4C
Part of subcall function 009C0F16: __CxxThrowException@8.LIBCMT ref: 009C0F61

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00A0753C
EnterCriticalSection.KERNEL32(?), ref: 00A07558
_memmove.LIBCMT ref: 00A075A6
_memmove.LIBCMT ref: 00A075C3
LeaveCriticalSection.KERNEL32(?), ref: 00A075D2
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00A075E7
InterlockedExchange.KERNEL32(?,000001F6), ref: 00A07606

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 2092a98d9895600f80631686ebed9a1e2442a6d04b51108180900c8cde1781ef
Instruction ID: 3b1be193348110b6ada84799e48012be20ccfe9c151f5abb2edb795d681a09ec
Opcode Fuzzy Hash: 2092a98d9895600f80631686ebed9a1e2442a6d04b51108180900c8cde1781ef
Instruction Fuzzy Hash: A5318F31D04209EBCB10EFA4DC85EAFB778FF85310F1481A9F904AB256D770AA55CBA1

Function 00A265C0 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A265D8
GetDC.USER32(00000000), ref: 00A265E0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A265EB
ReleaseDC.USER32(00000000,00000000), ref: 00A265F7
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A26633
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A26644
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A29417,?,?,000000FF,00000000,?,000000FF,?), ref: 00A2667E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A2669E

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: fcffa953bdb7331e133c6cd8774b39ecede13d4a010f2628e20fb4c80893df79
Instruction ID: 6fa408bb502cb13188e69217fd5cab44b84f19e3afa1a4c5f6f3329edd9869f3
Opcode Fuzzy Hash: fcffa953bdb7331e133c6cd8774b39ecede13d4a010f2628e20fb4c80893df79
Instruction Fuzzy Hash: 81317C72101224AFEB158F549C8AFAA3BA9EF49751F040061FE089A291C7B59C52CBB4

Function 009FC52B Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 009FC540
_memcmp.LIBCMT ref: 009FC562
_memcmp.LIBCMT ref: 009FC57A
_memcmp.LIBCMT ref: 009FC58D
_memcmp.LIBCMT ref: 009FC5A7
_memcmp.LIBCMT ref: 009FC5BA
_memcmp.LIBCMT ref: 009FC5D2
_memcmp.LIBCMT ref: 009FC5ED

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e07914cbc9b854ae76d1e373a51c84b749858683a6816ff28210fd399419a570
Instruction ID: d51d132855414fb561d02ee294bc7cf09e07e39b977165ddf991c4d6f5041dbf
Opcode Fuzzy Hash: e07914cbc9b854ae76d1e373a51c84b749858683a6816ff28210fd399419a570
Instruction Fuzzy Hash: 0A21C5E2A0C20D7B9A0065159E42FBB335CAE817C4F008426FE06E6243E755EE1593AA

Function 00A0EFD3 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 009A4D37: __itow.LIBCMT ref: 009A4D62
Part of subcall function 009A4D37: __swprintf.LIBCMT ref: 009A4DAC

Part of subcall function 009B436A: _wcscpy.LIBCMT ref: 009B438D

_wcstok.LIBCMT ref: 00A0F144
_wcscpy.LIBCMT ref: 00A0F1D3
_memset.LIBCMT ref: 00A0F206

Strings

X, xrefs: 00A0F243

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: cc4ac232f8a4d76ee9adc041fc3b00d8a5570e9f981105e290776342643d5fa3
Instruction ID: 09f169281cf145b99b9ed8c2bb701456e90e7c81e479e352cafc5d4c1bbb49a0
Opcode Fuzzy Hash: cc4ac232f8a4d76ee9adc041fc3b00d8a5570e9f981105e290776342643d5fa3
Instruction Fuzzy Hash: A4C18B71604344DFC724EF24D995B9AB7E4BF85320F104A2DF8999B2A2DB30E845CB82

Function 00A16FB3 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00A170B0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A170D1
WSAGetLastError.WSOCK32(00000000), ref: 00A170E4
htons.WSOCK32(?,?,?,00000000,?), ref: 00A1719A
inet_ntoa.WSOCK32(?), ref: 00A17157

Part of subcall function 009FB2CD: _strlen.LIBCMT ref: 009FB2D7
Part of subcall function 009FB2CD: _memmove.LIBCMT ref: 009FB2F9

_strlen.LIBCMT ref: 00A171F4
_memmove.LIBCMT ref: 00A1725D

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 5d84bee238cf7726c68fabe74d34ae4b0ef0b3694fa3a91a564ad74033ac6c13
Instruction ID: 481e02cc54576b804239e197e0712a40d502365d00f1fc682317d27f3eb00c87
Opcode Fuzzy Hash: 5d84bee238cf7726c68fabe74d34ae4b0ef0b3694fa3a91a564ad74033ac6c13
Instruction Fuzzy Hash: 7381BF71608300ABC310EB64DC91FAFB7B8AFC5724F10451CF9569B292DB70AD81CB91

Function 009A1800 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6de320b1baf5686a00fc94c3318adca997b4ac435884fac48f4d5228885308d
Instruction ID: bcc6a04ca1ebf0142a13fe7a8ec1086ba803c298b2dff4b3a253a9af41300bcf
Opcode Fuzzy Hash: c6de320b1baf5686a00fc94c3318adca997b4ac435884fac48f4d5228885308d
Instruction Fuzzy Hash: 85714C31900119EFDB04DF98CC89EBEBB79FF86314F14815AF915AB251C738AA51CBA0

Function 00A2B73E Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(014A5D28), ref: 00A2B7D8
IsWindowEnabled.USER32(014A5D28), ref: 00A2B7E4
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00A2B8C8
SendMessageW.USER32(014A5D28,000000B0,?,?), ref: 00A2B8FF
IsDlgButtonChecked.USER32(?,?), ref: 00A2B93C
GetWindowLongW.USER32(014A5D28,000000EC), ref: 00A2B95E
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A2B976

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: c3f411454a3951d1312f0b723130f63b7a38c3cd288140df328c2e9ab608cae4
Instruction ID: 40d7015a93cade3ec99465be672c30a90df576cecbd8670654610087001385b6
Opcode Fuzzy Hash: c3f411454a3951d1312f0b723130f63b7a38c3cd288140df328c2e9ab608cae4
Instruction Fuzzy Hash: 2B71B074611224AFEB24DF68E9D5FAA7BB9EF49300F144079F949933A1C731AC51CB60

Function 00A1F8CF Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A1F8F9
_memset.LIBCMT ref: 00A1F9C2
ShellExecuteExW.SHELL32(?), ref: 00A1FA07

Part of subcall function 009A4D37: __itow.LIBCMT ref: 009A4D62
Part of subcall function 009A4D37: __swprintf.LIBCMT ref: 009A4DAC

Part of subcall function 009B436A: _wcscpy.LIBCMT ref: 009B438D

GetProcessId.KERNEL32(00000000), ref: 00A1FA7E
CloseHandle.KERNEL32(00000000), ref: 00A1FAAD

Strings

@, xrefs: 00A1F9D6

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 48f809f7e77b6df1e750c19b1f5f24b867534cbf3a78553989ecc8928f5b0b21
Instruction ID: cfc5072f9e2088baf158d0fe66d9fe9f0cd13d03272e54e8f22dedde522885b8
Opcode Fuzzy Hash: 48f809f7e77b6df1e750c19b1f5f24b867534cbf3a78553989ecc8928f5b0b21
Instruction Fuzzy Hash: A861B075A00619DFCB14EFA4C591AAEB7F5FF89310F148169E859AB391CB30AD81CF90

Function 00A015B8 Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A015F7
GetKeyboardState.USER32(?), ref: 00A0160C
SetKeyboardState.USER32(?), ref: 00A0166D
PostMessageW.USER32(?,00000101,00000010,?), ref: 00A0169B
PostMessageW.USER32(?,00000101,00000011,?), ref: 00A016BA
PostMessageW.USER32(?,00000101,00000012,?), ref: 00A01700
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00A01723

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7f577bb50373085be5420eda998b2c137a559a70899d7a535c19168336920712
Instruction ID: 52d135396a31a407938025446d72c1dc4ae588e4acca68f5adf3624d750fb9a8
Opcode Fuzzy Hash: 7f577bb50373085be5420eda998b2c137a559a70899d7a535c19168336920712
Instruction Fuzzy Hash: 3551D1A0A047D93EFB3683649C55BF6BFA95B06304F0C8589F1D54A8C2D2E9AC94DB50

Function 00A013D1 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00A01410
GetKeyboardState.USER32(?), ref: 00A01425
SetKeyboardState.USER32(?), ref: 00A01486
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00A014B2
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00A014CF
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00A01513
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00A01534

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6b408520e7b20bcc9b5294b9395f0e39753a5471711919a5d857bc514c4bf26e
Instruction ID: 1aab1e0d83d4c772d8f4b6f1e482fed73aab05a437915b6451c500b291304896
Opcode Fuzzy Hash: 6b408520e7b20bcc9b5294b9395f0e39753a5471711919a5d857bc514c4bf26e
Instruction Fuzzy Hash: D25117A09447D93DFB3383349C55BFABFA9AB46300F0C8589F1D64A8D2D2A5EC94D750

Function 00A05A25 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00A05A32
_wcsncpy.LIBCMT ref: 00A05A67
_wcsncpy.LIBCMT ref: 00A05A99
_wcsncpy.LIBCMT ref: 00A05ACC
_wcsncpy.LIBCMT ref: 00A05B0E
_wcsncpy.LIBCMT ref: 00A05B48
_wcsncpy.LIBCMT ref: 00A05B77

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: ad32b1d0d460af484622595b9df86f657ab203a22539ddce0b404645134b5121
Instruction ID: abead446965741070f81d47756e31a090d0e8ec35911f141a3e30cc1f67236fa
Opcode Fuzzy Hash: ad32b1d0d460af484622595b9df86f657ab203a22539ddce0b404645134b5121
Instruction Fuzzy Hash: 34419EA5D2021876CB11EBF4988BFCFB3B89F45310F50846AF518E3261E674E315C7AA

Function 00A039D1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A04A30: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A039F7,?), ref: 00A04A4D

Part of subcall function 00A04A30: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A039F7,?), ref: 00A04A66

lstrcmpiW.KERNEL32(?,?), ref: 00A03A17
_wcscmp.LIBCMT ref: 00A03A33
MoveFileW.KERNEL32(?,?), ref: 00A03A4B
_wcscat.LIBCMT ref: 00A03A93
SHFileOperationW.SHELL32(?), ref: 00A03AFF

Strings

\*.*, xrefs: 00A03A8D

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 0e4350035199f97290aaead208c68fbd0a306f244852df7ab41c4b430c571c6e
Instruction ID: acf3c489c597fdcc60fd1ef4b8bbad0ac3671b875444efa0723ffd9c9a0c1143
Opcode Fuzzy Hash: 0e4350035199f97290aaead208c68fbd0a306f244852df7ab41c4b430c571c6e
Instruction Fuzzy Hash: CE4183B2508348AECB51EF64E441ADB77ECAF89380F40492EB5CAC3191EB34D649C756

Function 00A2767E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A27697
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A2773E
IsMenu.USER32(?), ref: 00A27756
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A2779E
DrawMenuBar.USER32 ref: 00A277B1

Strings

0, xrefs: 00A2768B

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 1c88b01eb55d65fdce07e69dca563bd430922d58b7d62df737279994d036430d
Instruction ID: 0c9c14d46fe519ed44afc36da687ffdb73b898d28868d5f7e5e001a44e0d61ae
Opcode Fuzzy Hash: 1c88b01eb55d65fdce07e69dca563bd430922d58b7d62df737279994d036430d
Instruction Fuzzy Hash: B6412975A04219AFDB10DFA8E884E9ABBF9FB04354F048069FD5597360D770AE51CFA0

Function 00A213CA Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00A213F9
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A21423
FreeLibrary.KERNEL32(00000000), ref: 00A214DA

Part of subcall function 00A213CA: RegCloseKey.ADVAPI32(?), ref: 00A21440
Part of subcall function 00A213CA: FreeLibrary.KERNEL32(?), ref: 00A21492
Part of subcall function 00A213CA: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00A214B5

RegDeleteKeyW.ADVAPI32(?,?), ref: 00A2147D

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 49f1eb2015a65cce1f7186b752566c0f5ceabd3f100eddcf96804b9cff4ed18e
Instruction ID: 2c522dcaa2e0a1002ffe01fa20b16961c90bb3c9f0828ebd3c8fef3f49515dff
Opcode Fuzzy Hash: 49f1eb2015a65cce1f7186b752566c0f5ceabd3f100eddcf96804b9cff4ed18e
Instruction Fuzzy Hash: B5311BB1900119BFDB14DBD4EC85EFEB7BCEB18340F000179F515A2140E6749E469AA0

Function 00A266BA Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A266D9
GetWindowLongW.USER32(014A5D28,000000F0), ref: 00A2670C
GetWindowLongW.USER32(014A5D28,000000F0), ref: 00A26741
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00A26773
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00A2679D
GetWindowLongW.USER32(00000000,000000F0), ref: 00A267AE
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00A267C8

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 61272a3b14b9e85a557184846a94ceb4bf8e5ead633bed8b0714b6c8dc224621
Instruction ID: a13a74ffecd987faebaac27a66856f7030f2dc4e5305eed5fa3541b802a24710
Opcode Fuzzy Hash: 61272a3b14b9e85a557184846a94ceb4bf8e5ead633bed8b0714b6c8dc224621
Instruction Fuzzy Hash: 7B312434605160AFDB21CF9CEC95F553BE5FB8A714F1801A4FA018B2B2CBB2AC55DB91

Function 009FE06A Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009FE0AD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009FE0D3
SysAllocString.OLEAUT32(00000000), ref: 009FE0D6
SysAllocString.OLEAUT32(?), ref: 009FE0F4
SysFreeString.OLEAUT32(?), ref: 009FE0FD
StringFromGUID2.OLE32(?,?,00000028), ref: 009FE122
SysAllocString.OLEAUT32(?), ref: 009FE130

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 782497ea58d650d9b3d261c58188c1ab065b36a87c63d436ecd382c747637920
Instruction ID: 96ab6afacea34cb8f75a258017d5706d8df95a28092b7db334924fbbc3c9036f
Opcode Fuzzy Hash: 782497ea58d650d9b3d261c58188c1ab065b36a87c63d436ecd382c747637920
Instruction Fuzzy Hash: C021D63260520DAF9B10DFB8CC88DBB77ECEB08360B048529FB14DB2A0DA70DD428760

Function 00A16623 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1823D: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A18268

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A16676
WSAGetLastError.WSOCK32(00000000), ref: 00A16685
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00A166BE
connect.WSOCK32(00000000,?,00000010), ref: 00A166C7
WSAGetLastError.WSOCK32 ref: 00A166D1
closesocket.WSOCK32(00000000), ref: 00A166FA
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00A16713

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: c4d2148ab95d61e9f658518e3a25d308978c44e7354f679bf57bc49291c434ca
Instruction ID: 213e303482a82aaa17737420917691db1510ad775c2cba510e44f06d8deb91e3
Opcode Fuzzy Hash: c4d2148ab95d61e9f658518e3a25d308978c44e7354f679bf57bc49291c434ca
Instruction Fuzzy Hash: 4331AD71600208AFDB10AF64DC85FFE77ADEB85764F008029FD15E7291DB74AC858BA1

Function 009FE143 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009FE188
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009FE1AE
SysAllocString.OLEAUT32(00000000), ref: 009FE1B1
SysAllocString.OLEAUT32 ref: 009FE1D2
SysFreeString.OLEAUT32 ref: 009FE1DB
StringFromGUID2.OLE32(?,?,00000028), ref: 009FE1F5
SysAllocString.OLEAUT32(?), ref: 009FE203

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e42bd37b331d81d69de31c824b7f8830699046093279738f9dc12d4025e78792
Instruction ID: 52fa2604cdaddaf14386bbd033bd6e61fc5bfba0b511212d3af1df1701495b2a
Opcode Fuzzy Hash: e42bd37b331d81d69de31c824b7f8830699046093279738f9dc12d4025e78792
Instruction Fuzzy Hash: C4215635604108AF9B10DFE9DC89DBA77ECEB49760B008129FB25CB2B0E674DD418BA4

Function 009FFBFC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 009FFC0F
__wcsnicmp.LIBCMT ref: 009FFC30
__wcsnicmp.LIBCMT ref: 009FFC4A

Strings

#requireadmin, xrefs: 009FFC2A
#OnAutoItStartRegister, xrefs: 009FFC44
#notrayicon, xrefs: 009FFC07

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 0dca7461ce1b35d69c99701ef48557ae26c55921771889494caaa606a87d4ece
Instruction ID: 49921bd16fb79af57de1ef932aef8fdf57e8b70c121af123d8b8f2a5fc462801
Opcode Fuzzy Hash: 0dca7461ce1b35d69c99701ef48557ae26c55921771889494caaa606a87d4ece
Instruction Fuzzy Hash: 4021373250452DBAD620B7259D22FBB73DCEF91310F50883AFEC587182E7A5AD818395

Function 00A279BA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009A2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 009A214F
Part of subcall function 009A2111: GetStockObject.GDI32(00000011), ref: 009A2163
Part of subcall function 009A2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 009A216D

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A27A1F
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A27A2C
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A27A37
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A27A46
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A27A52

Strings

Msctls_Progress32, xrefs: 00A279F0

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: af6b5894dbbc82d2977ae47f1c320bf947005a52592774fd6eb02ff68d47bca6
Instruction ID: 8aa5fc9a871067500448edb779a5a02dfdec70d1c3686b6a702210eb673b37a4
Opcode Fuzzy Hash: af6b5894dbbc82d2977ae47f1c320bf947005a52592774fd6eb02ff68d47bca6
Instruction Fuzzy Hash: BB1193B2110219BFEF119F64DC85EEB7F6DEF087A8F014115BB04A2050C7719C21DBA0

Function 0CD405B4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,?,?,?,31132E72,?,0CD406F5,?,?), ref: 0CD40675

Strings

api-ms-, xrefs: 0CD4060B
ext-ms-, xrefs: 0CD4061F

Memory Dump Source

Source File: 0000000A.00000002.4115165866.000000000CCC6000.00000020.00001000.00020000.00000000.sdmp, Offset: 0CB60000, based on PE: true

Associated: 0000000A.00000002.4115151609.000000000CB60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CD6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115371137.000000000CDA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_cb60000_Refugees.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 34e76124870e33c35dc95d73679e003020990623934e65a34b2ac749323a5dfa
Instruction ID: c8613d4b0c84045b9854830a0938f9dc48d0e3d74e503f2cc5a9ef10f6df439d
Opcode Fuzzy Hash: 34e76124870e33c35dc95d73679e003020990623934e65a34b2ac749323a5dfa
Instruction Fuzzy Hash: 4C21B731B01115ABDB21AB65EC54B9A776CEB81770F250211EF5BA73A1DB30FD04CAE4

Function 009C40E9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,009C41B2,?), ref: 009C4103
GetProcAddress.KERNEL32(00000000), ref: 009C410A
EncodePointer.KERNEL32(00000000), ref: 009C4116
DecodePointer.KERNEL32(00000001,009C41B2,?), ref: 009C4133

Strings

RoInitialize, xrefs: 009C40F2
combase.dll, xrefs: 009C40FE

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 65665a7c78a8406b3f360537c5891ecd6a7dbfd0766aaeb5c9b6eae22070530d
Instruction ID: add552e7750fb0632373e453efbacfbab1a978ce430ec20cc66ac7bb3a211bdd
Opcode Fuzzy Hash: 65665a7c78a8406b3f360537c5891ecd6a7dbfd0766aaeb5c9b6eae22070530d
Instruction Fuzzy Hash: 6AE01AB0A94701AFEF509FF0EC5DF543A68B72AB06F405A28F551D90A0DBF940968F00

Function 009C41BE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,009C40D8), ref: 009C41D8
GetProcAddress.KERNEL32(00000000), ref: 009C41DF
EncodePointer.KERNEL32(00000000), ref: 009C41EA
DecodePointer.KERNEL32(009C40D8), ref: 009C4205

Strings

RoUninitialize, xrefs: 009C41C7
combase.dll, xrefs: 009C41D3

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: fa1aa3b804d443eca01ff9298b6ce99115ea872e9b159dfb73d72e342bb14332
Instruction ID: 90fe4bc564ecb36ad9815cc297d60bff23490268ac99d3f2ed08ec72fff418b5
Opcode Fuzzy Hash: fa1aa3b804d443eca01ff9298b6ce99115ea872e9b159dfb73d72e342bb14332
Instruction Fuzzy Hash: A8E0B678A55300ABEB50DBE0BD1DF453AB8B72AB42F100A19F141D50A0CBF44586CB10

Function 009A218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 009A21B8
GetWindowRect.USER32(?,?), ref: 009A21F9
ScreenToClient.USER32(?,?), ref: 009A2221
GetClientRect.USER32(?,?), ref: 009A2350
GetWindowRect.USER32(?,?), ref: 009A2369

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 1c00c55e7c561dbbdb40b5403d8ccd898f9e6c8c8ca8ca4054940d55eb8b9e99
Instruction ID: a9981b0bd2e7a7672e7e21292e15fa0c97859fbd4fe08312e1c6b2be5068a9fa
Opcode Fuzzy Hash: 1c00c55e7c561dbbdb40b5403d8ccd898f9e6c8c8ca8ca4054940d55eb8b9e99
Instruction Fuzzy Hash: CBB19C39900249DBCF14CFA8C9807EDB7B5FF09710F14852AED59EB254EB34AA50CBA4

Function 00A068E0 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A06A33
_memmove.LIBCMT ref: 00A0696E

Part of subcall function 009A4D37: __itow.LIBCMT ref: 009A4D62
Part of subcall function 009A4D37: __swprintf.LIBCMT ref: 009A4DAC

_memmove.LIBCMT ref: 00A069E1
_memmove.LIBCMT ref: 00A06AC8
_memmove.LIBCMT ref: 00A06AE1
_memmove.LIBCMT ref: 00A06AFD

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 269dcaf974729d605ebc68264c869d965c4932a2095ac1c25e852637bf5a6a5c
Instruction ID: 057f5908101e729e2538dd58fe20a4fba5f979d6641b7ed0ebc2f67b3d6132ee
Opcode Fuzzy Hash: 269dcaf974729d605ebc68264c869d965c4932a2095ac1c25e852637bf5a6a5c
Instruction Fuzzy Hash: EF61BC30A0025EABCF11EF60D882FFE37A4AF86308F458559F8556B2D2DB34A955CB91

Function 00A2060C Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77

Part of subcall function 00A21242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A201D5,?,?), ref: 00A21259

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A206E5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A20725
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00A20748
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A20771
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A207B4
RegCloseKey.ADVAPI32(00000000), ref: 00A207C1

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: d77b9ab1c3a1b04634a05c69afd2cdc672bb78fd33e0e0bcb7467851d0c450c4
Instruction ID: 0096f26f95ea0a8fa8ee7e4ed4069fb8d5874ec0bb456ccfc33900fa902e5027
Opcode Fuzzy Hash: d77b9ab1c3a1b04634a05c69afd2cdc672bb78fd33e0e0bcb7467851d0c450c4
Instruction Fuzzy Hash: AF518831208304AFC714EB68D995EAFBBE9FF85310F04492DF595872A2DB31E905CB92

Function 00A25B9E Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00A25C00
GetMenuItemCount.USER32(00000000), ref: 00A25C37
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A25C5F
GetMenuItemID.USER32(?,?), ref: 00A25CCE
GetSubMenu.USER32(?,?), ref: 00A25CDC
PostMessageW.USER32(?,00000111,?,00000000), ref: 00A25D2D

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: ffebc881c6fd2fb525ff1e54238125a4c338b2602a459024ce32a88d3e6cce22
Instruction ID: 96f5139b9e20cf8b9fcb0022f635d0d28c6a261bc0d69c2dc8737978bc8ff5d3
Opcode Fuzzy Hash: ffebc881c6fd2fb525ff1e54238125a4c338b2602a459024ce32a88d3e6cce22
Instruction Fuzzy Hash: 56516275E00625AFCF11EFA8D945AAEB7B5FF88310F144069F901BB391DB70AE418B91

Function 009FF46B Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009FF485
VariantClear.OLEAUT32(00000013), ref: 009FF4F7
VariantClear.OLEAUT32(00000000), ref: 009FF552
_memmove.LIBCMT ref: 009FF57C
VariantClear.OLEAUT32(?), ref: 009FF5C9
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 009FF5F7

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 8f1c07ae59a679908cb77aa71cfb0ec8735b61d05c5be49d190ddc2595e76f6a
Instruction ID: 45d5696211d2a3a1e67fe218f24af5eb1186ed1c80bc80399ab74c0d156dce95
Opcode Fuzzy Hash: 8f1c07ae59a679908cb77aa71cfb0ec8735b61d05c5be49d190ddc2595e76f6a
Instruction Fuzzy Hash: 0D512CB5A002099FDB14CF58C894EAAB7B8FF4C314B15856AFA59DB305D730E951CFA0

Function 00A0281D Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A0286B
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A028B6
IsMenu.USER32(00000000), ref: 00A028D6
CreatePopupMenu.USER32 ref: 00A0290A
GetMenuItemCount.USER32(000000FF), ref: 00A02968
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00A02999

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: decf9db780aff291aad4edcc53bc10256e0b75c6145e3e406b79abf5d9296b43
Instruction ID: dae5dbfa71362f0b9d6b191dc0cc7b04c9ff2c0bd0a2bb02d5b1267cd8c33c2f
Opcode Fuzzy Hash: decf9db780aff291aad4edcc53bc10256e0b75c6145e3e406b79abf5d9296b43
Instruction Fuzzy Hash: 6451CC30A0030EEBDF25CFA8E98CBAEBBF4AF44394F148559E8559B2D0D3709904CB61

Function 009A1B41 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 009A29E2: GetWindowLongW.USER32(?,000000EB), ref: 009A29F3

BeginPaint.USER32(?,?,?,?,?,?), ref: 009A1B76
GetWindowRect.USER32(?,?), ref: 009A1BDA
ScreenToClient.USER32(?,?), ref: 009A1BF7
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009A1C08
EndPaint.USER32(?,?), ref: 009A1C52

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: a7bdb99b885bdfb3733e3c6cb1576f0bb358a65d0e49c654317105e6f81795dd
Instruction ID: 7f2c667eaf43b32a6955dc9dfac02535a6abe8b96b5db0ee88afa7539b76d42e
Opcode Fuzzy Hash: a7bdb99b885bdfb3733e3c6cb1576f0bb358a65d0e49c654317105e6f81795dd
Instruction Fuzzy Hash: 9C41CC70104300AFD711DF64DC95FBA7BF8FB9A320F140669F9A58B2A2C7719846DBA1

Function 00A2BA8B Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00A667B0,00000000,014A5D28,?,?,00A667B0,?,00A2B995,?,?), ref: 00A2BAFF
EnableWindow.USER32(00000000,00000000), ref: 00A2BB23
ShowWindow.USER32(00A667B0,00000000,014A5D28,?,?,00A667B0,?,00A2B995,?,?), ref: 00A2BB83
ShowWindow.USER32(00000000,00000004,?,00A2B995,?,?), ref: 00A2BB95
EnableWindow.USER32(00000000,00000001), ref: 00A2BBB9
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00A2BBDC

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 6df2b958384d8930e7b1ec0da8fd4c8beaedc0c8bbbaa88e28e784b2ff3a22d1
Instruction ID: 1c361c218e4031b842dd29a729acbd4757510f70ce702de7ffee063b133d18ca
Opcode Fuzzy Hash: 6df2b958384d8930e7b1ec0da8fd4c8beaedc0c8bbbaa88e28e784b2ff3a22d1
Instruction Fuzzy Hash: 6C415034610154EFDB25CF68D899FA47BE1FB09314F1881B9FE488F2A6C771A846CB61

Function 00A1754D Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00A152F1,?,?,00000000,00000001), ref: 00A1755B

Part of subcall function 00A13E50: GetWindowRect.USER32(?,?), ref: 00A13E63

GetDesktopWindow.USER32 ref: 00A17585
GetWindowRect.USER32(00000000), ref: 00A1758C
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00A175BE

Part of subcall function 00A0566C: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A056E4

GetCursorPos.USER32(?), ref: 00A175EA
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A17648

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: ffb30678e57f7d88ae8038da100c4270adae68feeec4b15dbfcdb9c631a71372
Instruction ID: 0776fd03be563eecce09fe78a66d4458cf286a434c0d178b122716db7c67926c
Opcode Fuzzy Hash: ffb30678e57f7d88ae8038da100c4270adae68feeec4b15dbfcdb9c631a71372
Instruction Fuzzy Hash: 7B31D072508305ABD720DF64CC49E9FBBEAFF88314F000919F48997191DB31EA49CB92

Function 009F9214 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009F8AAA: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009F8AC1
Part of subcall function 009F8AAA: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009F8ACB
Part of subcall function 009F8AAA: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009F8ADA
Part of subcall function 009F8AAA: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009F8AE1
Part of subcall function 009F8AAA: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009F8AF7

GetLengthSid.ADVAPI32(?,00000000,009F8E30), ref: 009F9265
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009F9271
HeapAlloc.KERNEL32(00000000), ref: 009F9278
CopySid.ADVAPI32(00000000,00000000,?), ref: 009F9291
GetProcessHeap.KERNEL32(00000000,00000000,009F8E30), ref: 009F92A5
HeapFree.KERNEL32(00000000), ref: 009F92AC

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 35cf86688aaa600233906e0e8f36772fad8be2533a08769a78f69141f7d7606e
Instruction ID: d11775dcc51a4606960bef4863e46d8b83dcedb594512aeff65341e14b3341a1
Opcode Fuzzy Hash: 35cf86688aaa600233906e0e8f36772fad8be2533a08769a78f69141f7d7606e
Instruction Fuzzy Hash: 97118632600208FBDB149FA8CC19FFA7BACEB45315F108119F99597210CB32A945EB60

Function 009F8FB2 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009F8FE3
OpenProcessToken.ADVAPI32(00000000), ref: 009F8FEA
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009F8FF9
CloseHandle.KERNEL32(00000004), ref: 009F9004
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009F9033
DestroyEnvironmentBlock.USERENV(00000000), ref: 009F9047

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 46ee74f59af52415b66f8bf2bd9162fc0d2d7b028409872912edc7c9363fbf67
Instruction ID: e7b1b74cefea7fca506b9137ecb058e5c414bd25f4fb92a8013866af4a98a296
Opcode Fuzzy Hash: 46ee74f59af52415b66f8bf2bd9162fc0d2d7b028409872912edc7c9363fbf67
Instruction Fuzzy Hash: F211477250124DAFDB11CFD8ED49FEA7BA9EB09304F084055FA04A2160C6769E65EB60

Function 009FC10C Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009FC131
GetDeviceCaps.GDI32(00000000,00000058), ref: 009FC142
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009FC149
ReleaseDC.USER32(00000000,00000000), ref: 009FC151
MulDiv.KERNEL32(000009EC,?,00000000), ref: 009FC168
MulDiv.KERNEL32(000009EC,?,?), ref: 009FC17A

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 78f33529b3c56c0482c6b15a052e5cae9719abd32bdff3d8424de56915066a79
Instruction ID: 919ab587e11182734b76385b78fc86676771d7c3f3747a9d724773284d5479c1
Opcode Fuzzy Hash: 78f33529b3c56c0482c6b15a052e5cae9719abd32bdff3d8424de56915066a79
Instruction Fuzzy Hash: 81012175A40218BBEB109BE69D49E5EBFACEB58751F004065FA04A7281D6709911CFA0

Function 00A2C2CD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 009A16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009A1729
Part of subcall function 009A16CF: SelectObject.GDI32(?,00000000), ref: 009A1738
Part of subcall function 009A16CF: BeginPath.GDI32(?), ref: 009A174F
Part of subcall function 009A16CF: SelectObject.GDI32(?,00000000), ref: 009A1778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00A2C2F7
LineTo.GDI32(00000000,00000003,?), ref: 00A2C30B
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00A2C319
LineTo.GDI32(00000000,00000000,?), ref: 00A2C329
EndPath.GDI32(00000000), ref: 00A2C339
StrokePath.GDI32(00000000), ref: 00A2C349

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: c493250897c8335cc9cc148c5bfa0b1ac2cf6b25ceb4d27c219bb9ce24ac58b1
Instruction ID: 259cd3d25da438b9329be3fef7cdfd320ed878b3b591aabce9b181600d2cb8a3
Opcode Fuzzy Hash: c493250897c8335cc9cc148c5bfa0b1ac2cf6b25ceb4d27c219bb9ce24ac58b1
Instruction Fuzzy Hash: 8511057200010CBFEF12DF94DC88FAA7FADEB08364F048021FA189A161C7729D56DBA0

Function 009C06E6 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 009C0717
MapVirtualKeyW.USER32(00000010,00000000), ref: 009C071F
MapVirtualKeyW.USER32(000000A0,00000000), ref: 009C072A
MapVirtualKeyW.USER32(000000A1,00000000), ref: 009C0735
MapVirtualKeyW.USER32(00000011,00000000), ref: 009C073D
MapVirtualKeyW.USER32(00000012,00000000), ref: 009C0745

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: e237b961ddb20f5ba3fdeb4f76b2e86e94d1750614076b46f8d002436ccf2ac8
Instruction ID: 8db95e2b4800b268c6b8a51acb2c26cca2d2881c9efb084372516ec1172ec1b3
Opcode Fuzzy Hash: e237b961ddb20f5ba3fdeb4f76b2e86e94d1750614076b46f8d002436ccf2ac8
Instruction Fuzzy Hash: 750148B09017597DE3008F5A8C85A52FEA8FF59354F00411BA15847941C7F5A864CBE5

Function 00A05811 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A05821
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A05837
GetWindowThreadProcessId.USER32(?,?), ref: 00A05846
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A05855
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A0585F
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A05866

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: e6e51094e38ab28d347c77519b20719d1ffa558d1ee2f60327ab2a165789355b
Instruction ID: 5b7d08a53543238d5ae1836b53c26a8a2af01cef76f172093882818944ca4fd9
Opcode Fuzzy Hash: e6e51094e38ab28d347c77519b20719d1ffa558d1ee2f60327ab2a165789355b
Instruction Fuzzy Hash: BFF03A32641558BBE7219BE2AC0EEEF7F7CEFCAB11F00015AFA04D1050DBE01A1296B5

Function 00A07658 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00A0766B
EnterCriticalSection.KERNEL32(?,?,009AC2B6,?,?), ref: 00A0767C
TerminateThread.KERNEL32(00000000,000001F6,?,009AC2B6,?,?), ref: 00A07689
WaitForSingleObject.KERNEL32(00000000,000003E8,?,009AC2B6,?,?), ref: 00A07696

Part of subcall function 00A0705D: CloseHandle.KERNEL32(00000000,?,00A076A3,?,009AC2B6,?,?), ref: 00A07067

InterlockedExchange.KERNEL32(?,000001F6), ref: 00A076A9
LeaveCriticalSection.KERNEL32(?,?,009AC2B6,?,?), ref: 00A076B0

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f9b9a40208dea957ac6426238662401c06c18c9ccd9bfcf1c5295a36dde14bc8
Instruction ID: a8f16bdd38ff9c9924b6df9278565fc6d8e340d3a0e4c7893adef4d1f5df09ba
Opcode Fuzzy Hash: f9b9a40208dea957ac6426238662401c06c18c9ccd9bfcf1c5295a36dde14bc8
Instruction Fuzzy Hash: 0DF05E32545615ABD7526BE4EC9CDEF7739FF45701F140522F603950A0CBB66802CB60

Function 009F932D Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 009F9338
UnloadUserProfile.USERENV(?,?), ref: 009F9344
CloseHandle.KERNEL32(?), ref: 009F934D
CloseHandle.KERNEL32(?), ref: 009F9355
GetProcessHeap.KERNEL32(00000000,?), ref: 009F935E
HeapFree.KERNEL32(00000000), ref: 009F9365

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 30b5381e1c16001b61d97dec8b96a960739a8164156de5cce5aa0523bc08be5a
Instruction ID: b33212298c7affedf0d583bedb949dc6c2ed301e6707d25c992ce8a5db2748e4
Opcode Fuzzy Hash: 30b5381e1c16001b61d97dec8b96a960739a8164156de5cce5aa0523bc08be5a
Instruction Fuzzy Hash: 5EE0E536004505BBDB419FE2EC1CD5ABF39FF49B22B104220F215C5470CB32A462DB50

Function 00A18A9F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A18AC5
CharUpperBuffW.USER32(?,?), ref: 00A18BD4
VariantClear.OLEAUT32(?), ref: 00A18D4C

Part of subcall function 00A0798A: VariantInit.OLEAUT32(00000000), ref: 00A079CA
Part of subcall function 00A0798A: VariantCopy.OLEAUT32(00000000,?), ref: 00A079D3
Part of subcall function 00A0798A: VariantClear.OLEAUT32(00000000), ref: 00A079DF

Strings

AUTOIT.ERROR, xrefs: 00A18BDA
Incorrect Parameter format, xrefs: 00A18AFD, 00A18CBF

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 22be48edc3a7f108383a55fd314775c2c3d517fa02ddce1b5f3224dc49672dbc
Instruction ID: acee6f995538fafb43c5894363bc73304a8ecb30cc9aeb4f59d291620655d703
Opcode Fuzzy Hash: 22be48edc3a7f108383a55fd314775c2c3d517fa02ddce1b5f3224dc49672dbc
Instruction Fuzzy Hash: 549149706083059FC700DF24C591A9ABBE4EFC9754F14892DF89A8B3A1DB35E945CB92

Function 00A030AA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B436A: _wcscpy.LIBCMT ref: 009B438D

_memset.LIBCMT ref: 00A0319B
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A031CA
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A0327D
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A032AB

Strings

0, xrefs: 00A03187

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 405a206e5b785497a28a40e76d00342865229707fc31541c1b008f5678b457b8
Instruction ID: d0c90f4baa53eec982a2594b44845f2b521bfe5284927b4d43db968809a5fecb
Opcode Fuzzy Hash: 405a206e5b785497a28a40e76d00342865229707fc31541c1b008f5678b457b8
Instruction Fuzzy Hash: 6651B2326083059BDF15DF68E845BAB77E8EFAD350F04462DF895931D1DB70CA448792

Function 0CB62AF4 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,0CDA94C2,00000104), ref: 0CD5EFDB

Strings

..., xrefs: 0CD5F029
Microsoft Visual C++ Runtime Library, xrefs: 0CD5F070
Runtime Error!Program: , xrefs: 0CD5EFA7
<program name unknown>, xrefs: 0CD5EFEA

Memory Dump Source

Source File: 0000000A.00000002.4115165866.000000000CB61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0CB60000, based on PE: true

Associated: 0000000A.00000002.4115151609.000000000CB60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CCC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CD6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115371137.000000000CDA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_cb60000_Refugees.jbxd

Similarity

API ID: FileModuleName
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 514040917-4022980321
Opcode ID: 4076f9adf05065640d4b5c406782cd2ef8dbc8e8b17306cd63b759f36300c9a3
Instruction ID: bf35654a17c504dd404d2e8c5ea165863881af75c4b340569ab9bf51a7986586
Opcode Fuzzy Hash: 4076f9adf05065640d4b5c406782cd2ef8dbc8e8b17306cd63b759f36300c9a3
Instruction Fuzzy Hash: C9217C36B4030537EF3062AAAC05FEB379CDB85744F090929FD0C9A660F659C61EC195

Function 00A02D66 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A02DD3
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00A02DEF
DeleteMenu.USER32(?,00000007,00000000), ref: 00A02E35
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A66890,00000000), ref: 00A02E7E

Strings

0, xrefs: 00A02DC8

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: cb97d8c6bcd78a23af35983023760064c9b26ee3d59f815c777b0f45fc539d4c
Instruction ID: 1547387e92a0bbf39c0c63eea4df4287dceaf90c80d8e5947464b7d4d6146eb0
Opcode Fuzzy Hash: cb97d8c6bcd78a23af35983023760064c9b26ee3d59f815c777b0f45fc539d4c
Instruction Fuzzy Hash: 56419F312443459FDB24DF24E898B6ABBE8AF88320F14462DF965972D1D770E905CB62

Function 009F982B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77

Part of subcall function 009FB57D: GetClassNameW.USER32(?,?,000000FF), ref: 009FB5A0

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009F98AF
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 009F98C2
SendMessageW.USER32(?,00000189,?,00000000), ref: 009F98F2

Part of subcall function 009B1821: _memmove.LIBCMT ref: 009B185B

Strings

ComboBox, xrefs: 009F9839
ListBox, xrefs: 009F986E

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: e3a77cd4e6083e206a3f901940afb187cec9c80c0848ac068e19228038858304
Instruction ID: d4f4de1e873282caa7cd1086364ab5c6648be4ae1cdfcdd5997ae017ffe3ec2b
Opcode Fuzzy Hash: e3a77cd4e6083e206a3f901940afb187cec9c80c0848ac068e19228038858304
Instruction Fuzzy Hash: 3621F671A0010CBFDB14ABA0DC56EFFB76CEF81360F504219F521A71E1DB7949899760

Function 00A267D4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 009A2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 009A214F
Part of subcall function 009A2111: GetStockObject.GDI32(00000011), ref: 009A2163
Part of subcall function 009A2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 009A216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A2684E
LoadLibraryW.KERNEL32(?), ref: 00A26855
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A2686A
DestroyWindow.USER32(?), ref: 00A26872

Strings

SysAnimate32, xrefs: 00A26829

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 00bb879f944ecc682b211ab93f5f11738ef17165ae65dc3595678aeb597e9aac
Instruction ID: b95bdb27e0a08728dd171427f104ecbafc8812354a00f32957d1a997bc4c6eca
Opcode Fuzzy Hash: 00bb879f944ecc682b211ab93f5f11738ef17165ae65dc3595678aeb597e9aac
Instruction Fuzzy Hash: 4C219D71601219AFEF108FA8EC91EBB77ADEF59328F104638FA5092190D771CC519760

Function 00A071C4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00A071E4
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A07217
GetStdHandle.KERNEL32(0000000C), ref: 00A07229
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00A07263

Strings

nul, xrefs: 00A0725E

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: d7f793a9ffdec7f5f379abaf7b58aa63ef30afa8ef17bb14bd45240e7db2ce7c
Instruction ID: efd8550276e325054f32a3b0c735b3f14ebc77fbf83be93bc9ab79eaeb0b8424
Opcode Fuzzy Hash: d7f793a9ffdec7f5f379abaf7b58aa63ef30afa8ef17bb14bd45240e7db2ce7c
Instruction Fuzzy Hash: F0216271A0420EABDB209F69EC45E9E77B4BF59720F204B19FDA0D72E0D770A851CB50

Function 00A07292 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00A072B1
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A072E3
GetStdHandle.KERNEL32(000000F6), ref: 00A072F4
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00A0732E

Strings

nul, xrefs: 00A07329

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 063beb9a353f0381359ae4691691546d3376d6bf95ff19511de4dff0a9b78508
Instruction ID: fe7149c8c056a642d5800dc846c99c0e5eb92537b45e71413cbfef37ea1a219c
Opcode Fuzzy Hash: 063beb9a353f0381359ae4691691546d3376d6bf95ff19511de4dff0a9b78508
Instruction Fuzzy Hash: 5F213271A082099BDB209FA9AC45E9E77A8AF59730F200B19FDA1D72D0D770A8518B51

Function 00A0B0F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A0B104
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A0B158
__swprintf.LIBCMT ref: 00A0B171
SetErrorMode.KERNEL32(00000000,00000001,00000000,00A30980), ref: 00A0B1AF

Strings

%lu, xrefs: 00A0B16B

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: a12a7a58706aa33e4ba3d955211b62d9887e8d184027bdeab1bebf7819d4b22e
Instruction ID: 596f23da4c5f5862c27b40ea9ff45f71d2009b0f63623ec60aef8033550fcf84
Opcode Fuzzy Hash: a12a7a58706aa33e4ba3d955211b62d9887e8d184027bdeab1bebf7819d4b22e
Instruction Fuzzy Hash: E1216074A00108AFCB10DFA4DD95EEEB7B8FF89314B108069F905E7292DB71EA41CB61

Function 009FA9E8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B1821: _memmove.LIBCMT ref: 009B185B

Part of subcall function 009FA835: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 009FA852
Part of subcall function 009FA835: GetWindowThreadProcessId.USER32(?,00000000), ref: 009FA865
Part of subcall function 009FA835: GetCurrentThreadId.KERNEL32 ref: 009FA86C
Part of subcall function 009FA835: AttachThreadInput.USER32(00000000), ref: 009FA873

GetFocus.USER32 ref: 009FAA0D

Part of subcall function 009FA87E: GetParent.USER32(?), ref: 009FA88C

GetClassNameW.USER32(?,?,00000100), ref: 009FAA56
EnumChildWindows.USER32(?,009FAACE), ref: 009FAA7E
__swprintf.LIBCMT ref: 009FAA98

Strings

%s%d, xrefs: 009FAA92

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: a6a117dc548e7adebac8d969f07103d1707935e32dbab1a41bb871cad9e7834d
Instruction ID: 30dfd04a4382c997e0c72008c05bbebc10820aeb3edb833c88dfabfffa025606
Opcode Fuzzy Hash: a6a117dc548e7adebac8d969f07103d1707935e32dbab1a41bb871cad9e7834d
Instruction Fuzzy Hash: 511172B1600309BBDF11BFA08D96FFA376DAB88710F004069BE1CAA142DA749946CB71

Function 00A02153 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A02184

Strings

EXISTS, xrefs: 00A021AC
REMOVE, xrefs: 00A0218A
APPEND, xrefs: 00A021BD
KEYS, xrefs: 00A0219B

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 0d2a4d721223d7b59a00eeef9075e94690c9ef5067321b640b4d0ce1247db42f
Instruction ID: bcd05c64cbe0d0642fec4cbec2a87f14090c6e4cf7a720eacb955ddee09275a5
Opcode Fuzzy Hash: 0d2a4d721223d7b59a00eeef9075e94690c9ef5067321b640b4d0ce1247db42f
Instruction Fuzzy Hash: 89113C3094010DDBCF04EFA4D851AFEB7B5FFA5304B508568ED6597292EB329D1ACB50

Function 0CD15BC1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,31132E72,?,?,00000000,0CD6D1CB,000000FF,?,0CD15B30,?,?,0CD15ADF,?), ref: 0CD15BF6
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0CD15C08
FreeLibrary.KERNEL32(00000000,?,?,00000000,0CD6D1CB,000000FF,?,0CD15B30,?,?,0CD15ADF,?), ref: 0CD15C2A

Strings

CorExitProcess, xrefs: 0CD15C00
mscoree.dll, xrefs: 0CD15BEF

Memory Dump Source

Source File: 0000000A.00000002.4115165866.000000000CCC6000.00000020.00001000.00020000.00000000.sdmp, Offset: 0CB60000, based on PE: true

Associated: 0000000A.00000002.4115151609.000000000CB60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CD6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115371137.000000000CDA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_cb60000_Refugees.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 86f61f88ec961452fc1dd86467210148dff98bd7e6a84d51f26e68b9e152af42
Instruction ID: 6459137185a62d2998460bba4f132bba0e21a71f01fbde6720ca51485918cb84
Opcode Fuzzy Hash: 86f61f88ec961452fc1dd86467210148dff98bd7e6a84d51f26e68b9e152af42
Instruction Fuzzy Hash: 2C01A231B14629BFDB118F95ED05BAEB7FDFB84B10F010A26F911A2290DB7C9804CE44

Function 00A1F006 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A1F0B8
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A1F0E8
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00A1F21B
CloseHandle.KERNEL32(?), ref: 00A1F29C

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: fbdced148e6f7a3e34e654717ba3fda94965217fb91b8cbc14d6d0b5d6152891
Instruction ID: 6f4685b6293c5af87f1d6f5425a15c3b2f022c70af41ba9c37deee328873ecfd
Opcode Fuzzy Hash: fbdced148e6f7a3e34e654717ba3fda94965217fb91b8cbc14d6d0b5d6152891
Instruction Fuzzy Hash: 1A8180716007009FD720EF68D886F6AB7E5AFC9720F14891DF999DB2D2D7B0AC418B91

Function 00A2045F Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77

Part of subcall function 00A21242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A201D5,?,?), ref: 00A21259

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A20525
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A20564
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A205AB
RegCloseKey.ADVAPI32(?,?), ref: 00A205D7
RegCloseKey.ADVAPI32(00000000), ref: 00A205E4

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 9814bf409aa70dfce42672f9def1ef1591793146e01730b4b5bfa918aa942ccd
Instruction ID: ce099dcca000fe4dae8edb16db7dd2539da4ba4ad5ea46069145fd81435249a9
Opcode Fuzzy Hash: 9814bf409aa70dfce42672f9def1ef1591793146e01730b4b5bfa918aa942ccd
Instruction Fuzzy Hash: EB514871208204AFD714EF68D991FABB7E8FF84314F40892DF596872A2DB70E905CB52

Function 00A0EA21 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00A0EACF
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00A0EAF8
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00A0EB37

Part of subcall function 009A4D37: __itow.LIBCMT ref: 009A4D62
Part of subcall function 009A4D37: __swprintf.LIBCMT ref: 009A4DAC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A0EB5C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A0EB64

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 2e92abccb6520643cb2e18d40020dd76da6e628b1e4dd81c2530a193444c03b2
Instruction ID: 7d6953969a715a25b881470926178105b4986e374a76815d3d81601b43c31032
Opcode Fuzzy Hash: 2e92abccb6520643cb2e18d40020dd76da6e628b1e4dd81c2530a193444c03b2
Instruction Fuzzy Hash: D8513E35A00109DFCB01EF64C981EAEBBF5EF89310B148499E949AB3A1CB31ED51DF91

Function 00A2A443 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d406eb953c3c5de648181a3f823aef0bc67e472ea7dd7ffb42df0a494541062
Instruction ID: 4878b8891e9448fd7ef99bcdb85303ad8fe2a4ead39fec0bdffc2455fdec14bd
Opcode Fuzzy Hash: 9d406eb953c3c5de648181a3f823aef0bc67e472ea7dd7ffb42df0a494541062
Instruction Fuzzy Hash: 5741C435900224AFC724EF6CEC48FAABBB5EB19310F144175F819E72D1D7B0AE41DA92

Function 009A2714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009A2727
ScreenToClient.USER32(00A667B0,?), ref: 009A2744
GetAsyncKeyState.USER32(00000001), ref: 009A2769
GetAsyncKeyState.USER32(00000002), ref: 009A2777

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 697b2974aac486a63f43b017be0314f89ac39d84a811590ef525d95e5f4fd616
Instruction ID: 53d39823da17a2e75b6f2c11c002c9e926a32d22b1e716b6b619fd6b4b473c24
Opcode Fuzzy Hash: 697b2974aac486a63f43b017be0314f89ac39d84a811590ef525d95e5f4fd616
Instruction Fuzzy Hash: CA415E7550411AFFDF159FA8CC44EE9BB78FB06320F10836AF92992290C734AA90DBD1

Function 009F93BA Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 009F93CB
PostMessageW.USER32(?,00000201,00000001), ref: 009F9475
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 009F947D
PostMessageW.USER32(?,00000202,00000000), ref: 009F948B
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 009F9493

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: fba5cb7f7939a412164b198164e895c3646ee1091587e39a18ddfd154a8d3cd4
Instruction ID: b38a835c99e66f6b828ece2348cd29164b397598ef11ca1249d571463bb9d77a
Opcode Fuzzy Hash: fba5cb7f7939a412164b198164e895c3646ee1091587e39a18ddfd154a8d3cd4
Instruction Fuzzy Hash: DB31BF7150022DEBDB14CFA8DD49BAE3BB9EB45315F104219FA25EA1D0C3B09915DB91

Function 009FBB68 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 009FBB80
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 009FBB9D
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 009FBBD5
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 009FBBFB
_wcsstr.LIBCMT ref: 009FBC05

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 41b1f813af26ab39c532ad83a28bbf13f8d4636e119ef4263a40584fdc1f40e8
Instruction ID: ecc7ed572df091c432e0194d785a681b300ca925f07e1286e8756e6c0dba68da
Opcode Fuzzy Hash: 41b1f813af26ab39c532ad83a28bbf13f8d4636e119ef4263a40584fdc1f40e8
Instruction Fuzzy Hash: 1521F532604208ABEB259F69DC16F7B7BACDB85720F00812DF905CA191EFA1DC5193A1

Function 00A2B538 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 009A29E2: GetWindowLongW.USER32(?,000000EB), ref: 009A29F3

GetWindowLongW.USER32(?,000000F0), ref: 00A2B57F
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00A2B5A4
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A2B5BC
GetSystemMetrics.USER32(00000004), ref: 00A2B5E5
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00A11340,00000000), ref: 00A2B603

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: cdc74c725e2fafed01c742a3645d46ec371bff55145284ee349bf979cc5a2a1a
Instruction ID: 54e36d1a757d625f4b67220e57971345bd20e1abd69fa1722d07032b18814610
Opcode Fuzzy Hash: cdc74c725e2fafed01c742a3645d46ec371bff55145284ee349bf979cc5a2a1a
Instruction Fuzzy Hash: A6217F71920226AFCB14DF7DAC04B6A7BA5FB05721F254738F922DB1E0E7308911CBA0

Function 009A16CF Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009A1729
SelectObject.GDI32(?,00000000), ref: 009A1738
BeginPath.GDI32(?), ref: 009A174F
SelectObject.GDI32(?,00000000), ref: 009A1778

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ee5fa1d1d9b193aa0f55b20cf384ff048c93f5396d9290d55479fef23e34bfee
Instruction ID: 10a3ada4804a390ea5e5beb69b99e3548a83439c1eafbd86044a319771bf82b0
Opcode Fuzzy Hash: ee5fa1d1d9b193aa0f55b20cf384ff048c93f5396d9290d55479fef23e34bfee
Instruction Fuzzy Hash: CA213870900208EFDB11DFB8ED48BAD7BBDBB42365F148216F811971A0D7B19892CBD0

Function 009FC61A Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 009FC62F
_memcmp.LIBCMT ref: 009FC64D
_memcmp.LIBCMT ref: 009FC660
_memcmp.LIBCMT ref: 009FC678
_memcmp.LIBCMT ref: 009FC690

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 948e337639507fb962fbe0b8b9ed86d18cd9ef09b52da869003b83895449a41e
Instruction ID: d83b7cd1b53bf2675c8c87a339834d5d82586d52a1abe1a11a2c20ba6ad5ec40
Opcode Fuzzy Hash: 948e337639507fb962fbe0b8b9ed86d18cd9ef09b52da869003b83895449a41e
Instruction Fuzzy Hash: 8901D8F2B0820E7BD60466519E42FBB735CAE913D4F009826FF05D7242F765DE1493A9

Function 00A04EBB Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A04EE2
__beginthreadex.LIBCMT ref: 00A04F00
MessageBoxW.USER32(?,?,?,?), ref: 00A04F15
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A04F2B
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A04F32

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 6a5b22f8fd2536d50e7814b8b9e18f0f0363eacf80ad266cec7c3307fe2f37e2
Instruction ID: feb8bf8bc334b1d0e1a7474bb253d2d033dec6c08cc1c2a33cce944beb17f405
Opcode Fuzzy Hash: 6a5b22f8fd2536d50e7814b8b9e18f0f0363eacf80ad266cec7c3307fe2f37e2
Instruction Fuzzy Hash: CD11E1F6D04209BBC701DBE8AC18EDA7BBCEB89324F144259F914D3290D6B5890187A1

Function 009F8C03 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009F8C1F
GetLastError.KERNEL32(?,009F86E3,?,?,?), ref: 009F8C29
GetProcessHeap.KERNEL32(00000008,?,?,009F86E3,?,?,?), ref: 009F8C38
HeapAlloc.KERNEL32(00000000,?,009F86E3,?,?,?), ref: 009F8C3F
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009F8C56

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 17610b83fc6bb24c2583d4b21dbc30ee7f2e266e23dc16b155569c16782a0dc7
Instruction ID: 2a559df5ff4dd8eacbed27de9ea83c081a4b262c96a007af671f2c0bae8c05a7
Opcode Fuzzy Hash: 17610b83fc6bb24c2583d4b21dbc30ee7f2e266e23dc16b155569c16782a0dc7
Instruction Fuzzy Hash: 010162B0601208BFDB108FA6DC98D677FACEF857547100569F988C2210DB718D11CB70

Function 00A0566C Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A05688
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00A05696
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A0569E
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00A056A8
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A056E4

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: c8d0b4ad64317989ea7115ea60c1c820f5dd26dae8c5cdf20bd3a6d584da31c3
Instruction ID: 2ac68f16d8a1085b6add9ab567650ccb83333caae9e14951698b3e3f7dcf5243
Opcode Fuzzy Hash: c8d0b4ad64317989ea7115ea60c1c820f5dd26dae8c5cdf20bd3a6d584da31c3
Instruction Fuzzy Hash: C0011731D02A1DDBCF00EFF5EC68AEEBBB8BB08711F450556F945B2280CB3195509BA1

Function 009F7B0B Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009F7A45,80070057,?,?,?,009F7E56), ref: 009F7B28
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009F7A45,80070057,?,?), ref: 009F7B43
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009F7A45,80070057,?,?), ref: 009F7B51
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009F7A45,80070057,?), ref: 009F7B61
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009F7A45,80070057,?,?), ref: 009F7B6D

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 612f2b9d856d7d45469269eed0474561c5a9b27543d365a60eda03c579813636
Instruction ID: 6a62fae09616253e326f5f1683b5b622e839d295e1728db34d1d922b61aea632
Opcode Fuzzy Hash: 612f2b9d856d7d45469269eed0474561c5a9b27543d365a60eda03c579813636
Instruction Fuzzy Hash: F1017C76605209BBDB118FA4ED48EAABBADEF45752F100068FA08D6210E731DD01CBA0

Function 009F8AAA Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009F8AC1
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009F8ACB
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009F8ADA
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009F8AE1
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009F8AF7

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 5c63f92403d294f27bb8ffd1f76d4bf8ac8beaec1535ff50eef99d4290afea9d
Instruction ID: 8842c05fd18740861d87e5a443dda944052b90701bfe7703119fc3207cfa4f99
Opcode Fuzzy Hash: 5c63f92403d294f27bb8ffd1f76d4bf8ac8beaec1535ff50eef99d4290afea9d
Instruction Fuzzy Hash: DAF04F71210208AFEB914FA59C9DE773BADEF4A759B100125FA45C6150CA61DC42DB60

Function 009F8B0B Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009F8B22
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009F8B2C
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009F8B3B
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009F8B42
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009F8B58

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 019619fb703bf06d6d7faab567e39e2770b89fe5a10581b67426afb95edf6848
Instruction ID: 8764274296ff7b310d284f9a2e16b4fdcabe7be4be6fb070fe8e452b42ccefe9
Opcode Fuzzy Hash: 019619fb703bf06d6d7faab567e39e2770b89fe5a10581b67426afb95edf6848
Instruction Fuzzy Hash: 0FF0AFB1204208AFEB514FA4EC98E773BACEF4AB59B000169FA44C6150DA60D802DB60

Function 009FCB5F Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 009FCB73
GetWindowTextW.USER32(00000000,?,00000100), ref: 009FCB8A
MessageBeep.USER32(00000000), ref: 009FCBA2
KillTimer.USER32(?,0000040A), ref: 009FCBBE
EndDialog.USER32(?,00000001), ref: 009FCBD8

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: c76bf3cb115fd5ef8401c1be913916faf077ee8420cb63e24f3498bfbd61c1ad
Instruction ID: 823bc72ad221e5f435ea3fa5556368b3ae0578e5f4cd903767dc42173d3c5947
Opcode Fuzzy Hash: c76bf3cb115fd5ef8401c1be913916faf077ee8420cb63e24f3498bfbd61c1ad
Instruction Fuzzy Hash: DE01AD7444070CABEB219BA0DE5FFA677B8FB00716F004659F682A10E0DBE4A955CF90

Function 009A178C Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009A179B
StrokeAndFillPath.GDI32(?,?,009DBAF9,00000000,?), ref: 009A17B7
SelectObject.GDI32(?,00000000), ref: 009A17CA
DeleteObject.GDI32 ref: 009A17DD
StrokePath.GDI32(?), ref: 009A17F8

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 7e2c9989fcdb421e059a2b561214efda92c3772fbf03efb8e17a6d574360b912
Instruction ID: a0664a8ea4fb82c415ab01eae9c1bbddc31ded399fec63fe5efc48577582b12b
Opcode Fuzzy Hash: 7e2c9989fcdb421e059a2b561214efda92c3772fbf03efb8e17a6d574360b912
Instruction Fuzzy Hash: 7BF0FF30004608EBDB15DFB5ED5CB593FB4A702326F148214F42A9A0F0C7754997DF50

Function 00A0C847 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A0C8E2
CoCreateInstance.OLE32(00A33D3C,00000000,00000001,00A33BAC,?), ref: 00A0C8FA

Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77

CoUninitialize.OLE32 ref: 00A0CB67

Strings

.lnk, xrefs: 00A0C876, 00A0C89E, 00A0C8A8

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 32b3be84224db221001f42651c0216b0f56641c44adc6936111186a5c8246cf0
Instruction ID: a01eed0a1c5268b1a28d2153d1dccc977560262b188569716123211611971375
Opcode Fuzzy Hash: 32b3be84224db221001f42651c0216b0f56641c44adc6936111186a5c8246cf0
Instruction Fuzzy Hash: 33A13B71104205AFD700EF64DC91EABB7E8EFD5718F404A1CF155972A2EBB0EA49CB92

Function 009AE3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 009C0F16: std::exception::exception.LIBCMT ref: 009C0F4C
Part of subcall function 009C0F16: __CxxThrowException@8.LIBCMT ref: 009C0F61

Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77

Part of subcall function 009B1680: _memmove.LIBCMT ref: 009B16DB

__swprintf.LIBCMT ref: 009AE598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 009AE431

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: f067182350fdb014da9e63e4d31e50f498c179350d4bd9c6d9580a3bd3789ce3
Instruction ID: bc3b11320e79d73c5877708b16d5cb80c77d8cd4cc1cda2bf816f452f8babf37
Opcode Fuzzy Hash: f067182350fdb014da9e63e4d31e50f498c179350d4bd9c6d9580a3bd3789ce3
Instruction Fuzzy Hash: 8991BF715082019FC714EF24D996EAFB7A8EFC6714F41491DF492972A1EB30EE44CB92

Function 0CD10FC2 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0CD10FE7
CatchIt.LIBVCRUNTIME ref: 0CD110CD

Strings

RCC, xrefs: 0CD11001
MOC, xrefs: 0CD10FF9

Memory Dump Source

Source File: 0000000A.00000002.4115165866.000000000CCC6000.00000020.00001000.00020000.00000000.sdmp, Offset: 0CB60000, based on PE: true

Associated: 0000000A.00000002.4115151609.000000000CB60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CD6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115371137.000000000CDA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_cb60000_Refugees.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: a8f633562645b5c27d7b93e1e8d40f2de0ab28ae1056aab66c348142293e0cb3
Instruction ID: 461e87f8dad4458cd2d329099e3748818c404ec9936bb75da90c9626b9978a49
Opcode Fuzzy Hash: a8f633562645b5c27d7b93e1e8d40f2de0ab28ae1056aab66c348142293e0cb3
Instruction Fuzzy Hash: FC415871E00249EFDF15DF98D980AEEBBB5FF48300F248199FA08A7260D3359A50EB51

Function 009C516D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 009C51FD

Part of subcall function 009D0250: __87except.LIBCMT ref: 009D028B

Strings

pow, xrefs: 009C51D5, 009C51F2

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 25726a019b9eb50c877a3f55b2e50e93197e4cd2735406ad5925c6474fb8497a
Instruction ID: a7712efdfc8f0ffd20223a3572eaa84be25d1a2144019de9ac65c97fc7fa194e
Opcode Fuzzy Hash: 25726a019b9eb50c877a3f55b2e50e93197e4cd2735406ad5925c6474fb8497a
Instruction Fuzzy Hash: 8C517660D4DA0287CB11BB14CC45B6EABD89BC0750F25CD1EF0A5823AAEE38DCD59B47

Function 009C057F Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 009C05C4
+, xrefs: 009C05BB

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: b8f5af85ef75ca5ea723360e9f0333b227bb0f2381c2a58a5e19d6f4d38c21c8
Instruction ID: 61b6c36510c24ad75ed001f6192cc52f340f35ca8a9ed4489195d4bf471f9124
Opcode Fuzzy Hash: b8f5af85ef75ca5ea723360e9f0333b227bb0f2381c2a58a5e19d6f4d38c21c8
Instruction Fuzzy Hash: 9851207590431ADFDF21DF28C451AFA7BA8EF95320F14405AF981AB2A1CB34DC62CB61

Function 009BCF08 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009BCFBE
_memmove.LIBCMT ref: 009BD05A
_memset.LIBCMT ref: 009BD07E

Strings

ERCP, xrefs: 009BCF29

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: ac73e5ab767750feeaca0236bb6d1cf7032b774922678dcaec47c192013a05e4
Instruction ID: 1164f660c87b7514f82f3e1e02d7b235ffdd68f4afa557eb212024381e07dcac
Opcode Fuzzy Hash: ac73e5ab767750feeaca0236bb6d1cf7032b774922678dcaec47c192013a05e4
Instruction Fuzzy Hash: 0951C0B1A01309DBDB24DF65CA417EABBF8FF44310F24456EE94ADB240E774AA45CB81

Function 009FA190 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01B27: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009F9C31,?,?,00000034,00000800,?,00000034), ref: 00A01B51

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 009FA1DA

Part of subcall function 00A01AF2: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009F9C60,?,?,00000800,?,00001073,00000000,?,?), ref: 00A01B1C

Part of subcall function 00A01A49: GetWindowThreadProcessId.USER32(?,?), ref: 00A01A74
Part of subcall function 00A01A49: OpenProcess.KERNEL32(00000438,00000000,?,?,?,009F9BF5,00000034,?,?,00001004,00000000,00000000), ref: 00A01A84
Part of subcall function 00A01A49: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,009F9BF5,00000034,?,?,00001004,00000000,00000000), ref: 00A01A9A

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009FA247
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009FA294

Strings

@, xrefs: 009FA2AC

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 6528caf2c6c16113c356fcf67501e2330f299100275ed4b74d6fba4fb810f481
Instruction ID: 792adb130569f7e23cbf56bca0ff2cd970e914838c82c68a657a0ad850287c42
Opcode Fuzzy Hash: 6528caf2c6c16113c356fcf67501e2330f299100275ed4b74d6fba4fb810f481
Instruction Fuzzy Hash: 33412C72A0121CAFDB10DFA4DD81EEEBBB8EF49300F104095FA55B7191DA71AE45CBA1

Function 00A277C6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A2784E
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A27862
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A27886

Strings

SysMonthCal32, xrefs: 00A27819

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: feef80b7119cb38350ebbae1bca34d141993dfa6f54508d8000181971dd2046f
Instruction ID: 5ee3063e6ee9ceb33e8f0340303e960cd4534271771b5cc4f7310de98a728e0e
Opcode Fuzzy Hash: feef80b7119cb38350ebbae1bca34d141993dfa6f54508d8000181971dd2046f
Instruction Fuzzy Hash: 34218D32604229BBDF11CFA8DC46FEE3B79EF88714F110214FE556B190D6B1A891DBA0

Function 00A2709D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A27128
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A27138
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A2715D

Strings

Listbox, xrefs: 00A270F5

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ad103b4cba85c004f2799984c4c112bb8c6150d7ea769de0d6506c42df22a1c5
Instruction ID: 726ae8967fed0e0a8a81e6885c753d86df9d30e3ad7eed0575f7489e92ba326e
Opcode Fuzzy Hash: ad103b4cba85c004f2799984c4c112bb8c6150d7ea769de0d6506c42df22a1c5
Instruction Fuzzy Hash: 23219232614128BFDF158F58EC45FBF37BAEF89764F018124FA049B1A0C671AD518BA0

Function 00A27AFB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A27B5F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A27B74
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A27B81

Strings

msctls_trackbar32, xrefs: 00A27B36

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: dd3ad51c363f16b17977e9744554f3853dd428c54bd5d60c64ac8ab0a628eb0f
Instruction ID: 9d7ad81ff953e1f4211dc935cab55ab0a02b71a35d572d7901cbc9a58cf539bd
Opcode Fuzzy Hash: dd3ad51c363f16b17977e9744554f3853dd428c54bd5d60c64ac8ab0a628eb0f
Instruction Fuzzy Hash: 9E11E772244208BBDF109F64DC06FEB3BA9EF89754F114528FA5596090D271D851DB50

Function 0CD1066B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0CD10513,?,?,?,?,?,?,0CD107BD,00000003,FlsSetValue,0CD87770,0CD87778), ref: 0CD10678
GetLastError.KERNEL32(?,0CD10513,?,?,?,?,?,?,0CD107BD,00000003,FlsSetValue,0CD87770,0CD87778), ref: 0CD10682
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 0CD106AA

Strings

api-ms-, xrefs: 0CD1068F

Memory Dump Source

Source File: 0000000A.00000002.4115165866.000000000CCC6000.00000020.00001000.00020000.00000000.sdmp, Offset: 0CB60000, based on PE: true

Associated: 0000000A.00000002.4115151609.000000000CB60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CD6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115371137.000000000CDA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_cb60000_Refugees.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 062b24ec52212bbb248f51b0d449af2c39a102aac9aca207ba8e75601e7b9145
Instruction ID: 3990df25dca1307ac7ad92e1bc03af012eb62b9c7dc4525520ee563905825f39
Opcode Fuzzy Hash: 062b24ec52212bbb248f51b0d449af2c39a102aac9aca207ba8e75601e7b9145
Instruction Fuzzy Hash: D9E04870344309B7EF213E61FC05B593B68AB40B50F104521FE0CE86A1DB71A895DD58

Function 00A1C4A1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,009E01AA,?), ref: 00A1C4AF
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00A1C4C1

Strings

GetSystemWow64DirectoryW, xrefs: 00A1C4BB
kernel32.dll, xrefs: 00A1C4AA

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: f9645d0259507885521ad7b96353027107166c132d7ab60fc5adb03986b662eb
Instruction ID: 534b5c349c934db9028d9201ef174ab1da558f1d4c0acc7e2f9ed9dc5dd45f04
Opcode Fuzzy Hash: f9645d0259507885521ad7b96353027107166c132d7ab60fc5adb03986b662eb
Instruction Fuzzy Hash: 93E0C238680702DFE7308B65CC2CFA276D4BF247A6B408829F88BC2220D770C880C710

Function 009B4BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,009B4AF7,?), ref: 009B4BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 009B4BCA

Strings

Wow64RevertWow64FsRedirection, xrefs: 009B4BC4
kernel32.dll, xrefs: 009B4BB3

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 0455d27ecb4fd9b5574702bab8bbb7b4c6c5236cc0bb3cd2a06121f2dacb3142
Instruction ID: 9fd95461be7c86fd6d9d1bd3d9781218e044a17d3cd6d07d25829ad004800e2a
Opcode Fuzzy Hash: 0455d27ecb4fd9b5574702bab8bbb7b4c6c5236cc0bb3cd2a06121f2dacb3142
Instruction Fuzzy Hash: 50D0C7314003229FE3208F70DC18B4A72E8BF01361F008CAAE8C2C2552EA70C880CA00

Function 009B4B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,009B4B44,?,009B49D4,?,?,009B27AF,?,00000001), ref: 009B4B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 009B4B97

Strings

kernel32.dll, xrefs: 009B4B80
Wow64DisableWow64FsRedirection, xrefs: 009B4B91

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 8b5c53843e300659bed4ab98a4590f1f1120392e9fcee0a9097476dc594b1714
Instruction ID: 0b065a1bcc37ea2b6434e4a33c3665f35b79c89eb4883ead1b8d833ea0d7bfe5
Opcode Fuzzy Hash: 8b5c53843e300659bed4ab98a4590f1f1120392e9fcee0a9097476dc594b1714
Instruction Fuzzy Hash: 6CD017705107229FDB209F71DD28B4AB6E8BF05761F51CC2AE886E2250EA70E880CA50

Function 00A2120F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00A2145E), ref: 00A2121D
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A2122F

Strings

RegDeleteKeyExW, xrefs: 00A21229
advapi32.dll, xrefs: 00A21218

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 9a46bfef603f0a99569a79bb01444b0c37253ed0d5cb15f1c4de3523c75e06e0
Instruction ID: d7b60c0eacf86a7c8c4b416e0a703711f842f74c8586489b798961491087c201
Opcode Fuzzy Hash: 9a46bfef603f0a99569a79bb01444b0c37253ed0d5cb15f1c4de3523c75e06e0
Instruction Fuzzy Hash: E7D01770A50722EFD7209FB9DC08A467AE4BF35392F118F3AA886D6150E670D880CB51

Function 00A19592 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00A191A6,?,00A30980), ref: 00A195A0
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00A195B2

Strings

kernel32.dll, xrefs: 00A1959B
GetModuleHandleExW, xrefs: 00A195AC

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 85decaa8ccab674d40e5b5aa997958cb97f8288f2f5f0eb78946564018856922
Instruction ID: d82f5798175430470e9051ae315dc3c3fdc630dd4c5a4fea6634e6a912474c35
Opcode Fuzzy Hash: 85decaa8ccab674d40e5b5aa997958cb97f8288f2f5f0eb78946564018856922
Instruction Fuzzy Hash: 50D01770510712DFD7319F71DD28A8776E6BF05362F118C2AE886E6190E6B4C8C4CA50

Function 009B55F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,009B5E3D), ref: 009B55FE
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 009B5610

Strings

kernel32.dll, xrefs: 009B55F9
GetNativeSystemInfo, xrefs: 009B560A

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: b0cea174c2bb4de2de003a0521957569d0b74ab7987419c593cf4484ce8e93d0
Instruction ID: 8a309ee618ea4f48ee066f921d6018f0a10e5f57b2cabe120de78fe04083fe5b
Opcode Fuzzy Hash: b0cea174c2bb4de2de003a0521957569d0b74ab7987419c593cf4484ce8e93d0
Instruction Fuzzy Hash: 3ED01774920B12DFE7209F71CD28B5A76E8AF05365F129C2AE486D2191E670C880CA90

Function 0CD567F5 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(31132E72,00000000,00000000,?), ref: 0CD56858
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0CD56AAA
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0CD56AF0
GetLastError.KERNEL32 ref: 0CD56B93

Memory Dump Source

Source File: 0000000A.00000002.4115165866.000000000CCC6000.00000020.00001000.00020000.00000000.sdmp, Offset: 0CB60000, based on PE: true

Associated: 0000000A.00000002.4115151609.000000000CB60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CD6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115371137.000000000CDA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_cb60000_Refugees.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: e23af8a04d26e7cda00325a929e476d42601793c93c84b47c6452c1a50919be5
Instruction ID: 423cf9faedbdc9fc369fa4a47ba91edd54bd473405db097e18907fc5e709c365
Opcode Fuzzy Hash: e23af8a04d26e7cda00325a929e476d42601793c93c84b47c6452c1a50919be5
Instruction Fuzzy Hash: 30D179B5E01248AFCF14CFA8D8809EDBBB9FF09310F64456AE956EB351D630E946CB50

Function 009F7B7E Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1782fb139b18021fced8cc9269a516f372ae1e03523d508eb4ca12da65fa34eb
Instruction ID: c758845135681f1bee9c86d989c91a759366686a181139774999a33e16f471f6
Opcode Fuzzy Hash: 1782fb139b18021fced8cc9269a516f372ae1e03523d508eb4ca12da65fa34eb
Instruction Fuzzy Hash: DAC11975A0421AEFCB14CF94C884ABEFBB9FF48714B118599E945EB261D730ED41CB90

Function 00A1E4DB Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00A1E56F
CharLowerBuffW.USER32(?,?), ref: 00A1E5B2

Part of subcall function 00A1DC56: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00A1DC76

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00A1E7B2
_memmove.LIBCMT ref: 00A1E7C5

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 68bdcb1e4f99624c558e134e932932e6af7be79c4f4bacf1d512a123c94d5dfa
Instruction ID: 176179b96fe92942258add293395117bd932c32d70a345e14b5a2f890445af7e
Opcode Fuzzy Hash: 68bdcb1e4f99624c558e134e932932e6af7be79c4f4bacf1d512a123c94d5dfa
Instruction Fuzzy Hash: A7C15A71A08301DFC714DF28C490AAABBE4FF89718F14896DF8999B351D771E985CB82

Function 00A18545 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A18575
CoUninitialize.OLE32 ref: 00A18580

Part of subcall function 00A2DC66: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00A187D6,?,00000000), ref: 00A2DCCE

VariantInit.OLEAUT32(?), ref: 00A1858B
VariantClear.OLEAUT32(?), ref: 00A1885C

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 39f60811561969baa459265655c333ca599ea1f3080ec8ed52da322b06faf33f
Instruction ID: 730ca1208b314ba87d38e5e44d76a7a5132a3e6373f562947ee9d8d6b5467ea9
Opcode Fuzzy Hash: 39f60811561969baa459265655c333ca599ea1f3080ec8ed52da322b06faf33f
Instruction Fuzzy Hash: 87A15875604B019FC710EF24C881B6AB7E4BF89354F148948F9999B3A2CB74FD41CB92

Function 009F727E Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009F728F
SysAllocString.OLEAUT32(00000000), ref: 009F7338
VariantCopy.OLEAUT32 ref: 009F7367
VariantClear.OLEAUT32(?), ref: 009F738E

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: cec54e0e9ecd885989b942500d045a38a49fc4bdd7a31c7fd10558c8ae8ea644
Instruction ID: 4dbdbe011b740d2b47b11506cb65099f0daa773013fe28ede2c8866732c59590
Opcode Fuzzy Hash: cec54e0e9ecd885989b942500d045a38a49fc4bdd7a31c7fd10558c8ae8ea644
Instruction Fuzzy Hash: 6651BB306087099ADB20AFE5D891B3DF7EAEF95321F20981FF656C72A1DB7498808711

Function 00A1F2BE Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A1F2EE
Process32FirstW.KERNEL32(00000000,?), ref: 00A1F2FC

Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77

Process32NextW.KERNEL32(00000000,?), ref: 00A1F3BC
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00A1F3CB

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 763379f4811bfbbdfd084f3b177b6ab0d88f5ce15252c12a0dbd13c01e0609b4
Instruction ID: 84fb0e941f2c2e0b88159c9695efcbc3779024321ee19a0af799220f8ef32ea8
Opcode Fuzzy Hash: 763379f4811bfbbdfd084f3b177b6ab0d88f5ce15252c12a0dbd13c01e0609b4
Instruction Fuzzy Hash: 11518871504310AFD310EF20DC86FABBBE8EFD5710F40492DF595862A2EB70A908CB92

Function 00A29BE1 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(014AF1D8,?), ref: 00A29C50
ScreenToClient.USER32(00000002,00000002), ref: 00A29C83
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00A29CF0

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: ceb92ee6b90714dfc779860c3f81cdde377979afe91299c7e280c3d84974bf1a
Instruction ID: 036df0ce8c02fe28860582009183bdcb7a5f893ccd06f5b6250883e4a66679f7
Opcode Fuzzy Hash: ceb92ee6b90714dfc779860c3f81cdde377979afe91299c7e280c3d84974bf1a
Instruction Fuzzy Hash: DE515130A00119EFDF24DF68D980AAE7BF6FF45720F108169F8559B2A0D770AD81DB90

Function 009C485A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009C48F0
__flush.LIBCMT ref: 009C4910
__write.LIBCMT ref: 009C4943
__flsbuf.LIBCMT ref: 009C4971

Part of subcall function 009C8C88: __getptd_noexit.LIBCMT ref: 009C8C88

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction ID: 845eca8ac58dfa5b51ade3b8ffb03ae57e817f82a76525518a445af97f858d26
Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction Fuzzy Hash: A441F671F007169BDF28CE69C8A0FAF77B9AF85760B24853DE845C7640DA30DD408B42

Function 009FA41B Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 009FA46D
__itow.LIBCMT ref: 009FA49E

Part of subcall function 009FA6EE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 009FA759

SendMessageW.USER32(?,0000110A,00000001,?), ref: 009FA507
__itow.LIBCMT ref: 009FA55E

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: e2310c42bb0b395d79b1a6789baee1cff61e8aeaaf3c195a9d1bfba48203b215
Instruction ID: 32b453dcf6b18429a40c6c1648ee61195635e253867b4f06583472411b44ac0b
Opcode Fuzzy Hash: e2310c42bb0b395d79b1a6789baee1cff61e8aeaaf3c195a9d1bfba48203b215
Instruction Fuzzy Hash: 7341A7B0A0030CABDF11DF54D969BFE7BB9EF84760F404019FA09A3291DB749A44CB62

Function 00A16E5A Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00A16E81
WSAGetLastError.WSOCK32(00000000), ref: 00A16E91

Part of subcall function 009A4D37: __itow.LIBCMT ref: 009A4D62
Part of subcall function 009A4D37: __swprintf.LIBCMT ref: 009A4DAC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A16EF5
WSAGetLastError.WSOCK32(00000000), ref: 00A16F01

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 37e76f02f6201cf1dbb9c89f52a0e8eabef013c47d240ef6bef2b919ea504839
Instruction ID: 88643f60b17bbff41f058509d25474c0c5ab5d769a01805a0a0fd77d4ffaeb98
Opcode Fuzzy Hash: 37e76f02f6201cf1dbb9c89f52a0e8eabef013c47d240ef6bef2b919ea504839
Instruction Fuzzy Hash: EA419F75740200AFEB20AF64DC86F7A77E4DB85B14F048518FA699B3D2DBB0AD418BD1

Function 00A168CA Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00A30980), ref: 00A16957
_strlen.LIBCMT ref: 00A16989

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: fb695e1494f725f641921e8f1fd1dec6e8eb3519a4f18fcfc93faa57150ba3b3
Instruction ID: 06e7f9bada46743a72e5ce47017b6ee88c2415129f2fbc90cd4720f1a9a429cb
Opcode Fuzzy Hash: fb695e1494f725f641921e8f1fd1dec6e8eb3519a4f18fcfc93faa57150ba3b3
Instruction Fuzzy Hash: 6641A435A00118AFCB14FBA4DD91FFEB7B9AF84350F148159F91697292DB30AD80CB90

Function 00A0BCA4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A0BD4E
GetLastError.KERNEL32(?,00000000), ref: 00A0BD74
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A0BD99
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00A0BDC5

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 5a738a1a241461184e807a0c657faf26b878652f63d425a4c7048022ed2df4a5
Instruction ID: b0e8bc253e642856e67e9b3a6417fdf9c700b97dd395664ffd991d32ec389d0e
Opcode Fuzzy Hash: 5a738a1a241461184e807a0c657faf26b878652f63d425a4c7048022ed2df4a5
Instruction Fuzzy Hash: 14412935600A14DFCB11EF55C585A5DBBE1EF8A320B19C488E94A9B3A2CB70FD01CBA1

Function 00A28C3E Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A28CCB

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: f2644f2bc740d2a839d92e1a70743bf11f15df4891d93c9e3ea938144cb5c52a
Instruction ID: f544f21db5f4a1e7f3be38ca18714f2f3f3582d861b08417c10126483002b4bd
Opcode Fuzzy Hash: f2644f2bc740d2a839d92e1a70743bf11f15df4891d93c9e3ea938144cb5c52a
Instruction Fuzzy Hash: BF31D034603138AFEF249F5CEC85FA93764EB55320F244532F901E62E1CF7CA9549AA1

Function 00A2AF24 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00A2AF4D
GetWindowRect.USER32(?,?), ref: 00A2AFC3
PtInRect.USER32(?,?,00A2C437), ref: 00A2AFD3
MessageBeep.USER32(00000000), ref: 00A2B044

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 9d86ab05887c1b1669979872a28c819d7329b186e744100a4cee602ce68781d9
Instruction ID: ee01708332aed20234d3fb007a5b8ca62f7bf8b4c4f4fa12ab4c046f3cba2236
Opcode Fuzzy Hash: 9d86ab05887c1b1669979872a28c819d7329b186e744100a4cee602ce68781d9
Instruction Fuzzy Hash: D3418D70614225DFCB12CF9CE884EAABBF5FB49310F1481B9E8259B251C771E942DBA1

Function 00A01141 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00A01192
SetKeyboardState.USER32(00000080,?,00000001), ref: 00A011AE
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00A01214
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00A01266

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f9264232edf7d393ef228132eea96f7c71abda1c535124d5aa3cb9f94e2e44e3
Instruction ID: 1545e5d5ff5b4c01219f890e46db90c755e8b61b6102cb3ec2b324ed83cb7a27
Opcode Fuzzy Hash: f9264232edf7d393ef228132eea96f7c71abda1c535124d5aa3cb9f94e2e44e3
Instruction Fuzzy Hash: D4315A30A8020CAEFF35CB65AC05BFA7B79AB59310F08432EF581D21D1C3748D6297A1

Function 00A0127C Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00A012D1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00A012ED
PostMessageW.USER32(00000000,00000101,00000000), ref: 00A0134C
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00A0139E

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3c50b88cd1fa52ad63cc555e51d3db565e129d587ea5921f2c526e23ffb66f69
Instruction ID: 412e6f7b5b3bfe313ba22a946b950a7f8c07670ef3913c10511e7a22f8aad985
Opcode Fuzzy Hash: 3c50b88cd1fa52ad63cc555e51d3db565e129d587ea5921f2c526e23ffb66f69
Instruction Fuzzy Hash: 89315030D4060C9EFF74CB69AC14BFE7B79AF45310F48421AF4905A5D1C37449558753

Function 009D6325 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 009D635B
__isleadbyte_l.LIBCMT ref: 009D6389
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009D63B7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009D63ED

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 67ea0c58c4b8639301497a55962be02eb080a8bffe6e36d435506cc29d9c9822
Instruction ID: f2832475b61c308007af30bc3fdc07362e8f18348c6c04c05c56d8602b1f334e
Opcode Fuzzy Hash: 67ea0c58c4b8639301497a55962be02eb080a8bffe6e36d435506cc29d9c9822
Instruction Fuzzy Hash: FC319031640256AFDF218F65CC44BBABBB9FF41310F15852AF864872A1E731E851DB90

Function 00A252F3 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A25307

Part of subcall function 00A039A1: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A039BB
Part of subcall function 00A039A1: GetCurrentThreadId.KERNEL32 ref: 00A039C2
Part of subcall function 00A039A1: AttachThreadInput.USER32(00000000,?,00A0542D), ref: 00A039C9

GetCaretPos.USER32(?), ref: 00A25318
ClientToScreen.USER32(00000000,?), ref: 00A25353
GetForegroundWindow.USER32 ref: 00A25359

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 1d2157da80f0a6e2fa41f18b8f56229443513ece9f3c126e2ca18cb33cbb7725
Instruction ID: 48485f0eec0a8686e044f4c8a1e4bca6df564a03c63180edba517a707f1705ec
Opcode Fuzzy Hash: 1d2157da80f0a6e2fa41f18b8f56229443513ece9f3c126e2ca18cb33cbb7725
Instruction Fuzzy Hash: 7E312E72D00108AFDB10EFB5DD85AEFB7F9EF95304F10446AE415E7241DAB1AE418BA1

Function 00A2C8BB Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009A29E2: GetWindowLongW.USER32(?,000000EB), ref: 009A29F3

GetCursorPos.USER32(?), ref: 00A2C8F5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,009DBC1C,?,?,?,?,?), ref: 00A2C90A
GetCursorPos.USER32(?), ref: 00A2C957
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,009DBC1C,?,?,?), ref: 00A2C991

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 988d54fe62caf9dbab1cf94a17079944fdc350cdacfa56acc2565487b726feff
Instruction ID: c7202e702674d43d4e6ad93388607a3cf83b060cc8e08885876f57842ecf4d35
Opcode Fuzzy Hash: 988d54fe62caf9dbab1cf94a17079944fdc350cdacfa56acc2565487b726feff
Instruction Fuzzy Hash: EB31B135600128AFCB15CF98DC58EEE7BB9EB4E320F044169F9458B261C7319D91DFA0

Function 009C0AEB Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 009C0B0D

Part of subcall function 009B402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A07CBE,?,?,00000000), ref: 009B4041
Part of subcall function 009B402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A07CBE,?,?,00000000,?,?), ref: 009B4065

_fprintf.LIBCMT ref: 009C0B44
OutputDebugStringW.KERNEL32(?), ref: 009F672F

Part of subcall function 009C4BFA: _flsall.LIBCMT ref: 009C4C13

__setmode.LIBCMT ref: 009C0B79

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 07afb37e64bedba41509dc39214c585ba0d28a8033fc2841e0d9e2b8fa326512
Instruction ID: a526d5587c5632705c1ef266413af1e8105c1d5b37c3d17df5a9e0b23d4e5fa2
Opcode Fuzzy Hash: 07afb37e64bedba41509dc39214c585ba0d28a8033fc2841e0d9e2b8fa326512
Instruction Fuzzy Hash: 1B11D231E04208BADB14B7A8AC53FFE7B689FC5320F14455DF204971C2DE745C469BA6

Function 009F9057 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009F8B0B: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009F8B22
Part of subcall function 009F8B0B: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009F8B2C
Part of subcall function 009F8B0B: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009F8B3B
Part of subcall function 009F8B0B: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009F8B42
Part of subcall function 009F8B0B: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009F8B58

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009F90A4
_memcmp.LIBCMT ref: 009F90C7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009F90FD
HeapFree.KERNEL32(00000000), ref: 009F9104

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: c71d0e2c8c82b09d24373c2d9b4d9618bc28f71d050b97cc58bc1c5b14f29866
Instruction ID: 7ee8879dabeee6a8da6ab20da79ca36e82b211efae9f316dd6ffd2c8ddee9bbb
Opcode Fuzzy Hash: c71d0e2c8c82b09d24373c2d9b4d9618bc28f71d050b97cc58bc1c5b14f29866
Instruction Fuzzy Hash: B4219D72E5010DAFDB10DFA9C985BFEB7B8EF45315F084099E945A7241EB31AA05CB50

Function 00A26116 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00A26185
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A2619F
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A261AD
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00A261BB

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: a136aec572e231d9109aa090d6be42f746aa0bf2fc16cf0ed2725699b66846cc
Instruction ID: 51fcb85e215690a7475f34d268fb0d2cae5098255a5894f8a165c53b77c3d781
Opcode Fuzzy Hash: a136aec572e231d9109aa090d6be42f746aa0bf2fc16cf0ed2725699b66846cc
Instruction Fuzzy Hash: A711D335341524AFDB04AB18DC55FBE77A9EF86320F048218F916C72D2CB60BD11CB91

Function 009FE23D Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009FF63B: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,009FE252,?,?,?,009FF045,00000000,000000EF,00000119,?,?), ref: 009FF64A
Part of subcall function 009FF63B: lstrcpyW.KERNEL32(00000000,?), ref: 009FF670
Part of subcall function 009FF63B: lstrcmpiW.KERNEL32(00000000,?,009FE252,?,?,?,009FF045,00000000,000000EF,00000119,?,?), ref: 009FF6A1

lstrlenW.KERNEL32(?,00000002,?,?,?,?,009FF045,00000000,000000EF,00000119,?,?,00000000), ref: 009FE26B
lstrcpyW.KERNEL32(00000000,?), ref: 009FE291
lstrcmpiW.KERNEL32(00000002,cdecl,?,009FF045,00000000,000000EF,00000119,?,?,00000000), ref: 009FE2C5

Strings

cdecl, xrefs: 009FE2BC

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: ee66ac9ccee7640a2d16c16c1fe7416e85bcc05aeb15db9920f05701576a7228
Instruction ID: 487e93f43f72e7d73893a45d98627a3011b5027eeb5ef4519f869ec585891e2e
Opcode Fuzzy Hash: ee66ac9ccee7640a2d16c16c1fe7416e85bcc05aeb15db9920f05701576a7228
Instruction Fuzzy Hash: 03115E76200309AFDB259F64DC45EBA77ADFF85350B40412AF906CB2A0EB719852C795

Function 009D5242 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009D5261

Part of subcall function 009C586C: __FF_MSGBANNER.LIBCMT ref: 009C5883
Part of subcall function 009C586C: __NMSG_WRITE.LIBCMT ref: 009C588A
Part of subcall function 009C586C: RtlAllocateHeap.NTDLL(01490000,00000000,00000001,?,00000004,?,?,009C0F33,?), ref: 009C58AF

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: ea9ddf4c6b63c916e75a1408ff2e32061d18ae0e3e68ae066131dd555fcc919a
Instruction ID: fbb6b6c07a32d231c160777e0764647228496438077d580487c6772dc7839691
Opcode Fuzzy Hash: ea9ddf4c6b63c916e75a1408ff2e32061d18ae0e3e68ae066131dd555fcc919a
Instruction Fuzzy Hash: 34110A32D86A116BCB203F70AC44B5F3B9C9F65360F11C42BFA699A250DE3489458795

Function 00A041D2 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00A041F2
_memset.LIBCMT ref: 00A04213
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00A04265
CloseHandle.KERNEL32(00000000), ref: 00A0426E

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 763a9770d11ebcb3915caf601cdd09f1d782f4fb3439c49417ee2d61b37a3c9b
Instruction ID: 516cdcea1346669c000fd3d647637824a31e6da60717e0a8a74a94ee2b40190b
Opcode Fuzzy Hash: 763a9770d11ebcb3915caf601cdd09f1d782f4fb3439c49417ee2d61b37a3c9b
Instruction Fuzzy Hash: 04117B7590122C7AD73097A5AC4DFEBBB7CEF49760F10429AF908D71D0D6744E818BA4

Function 00A16819 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009B402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A07CBE,?,?,00000000), ref: 009B4041
Part of subcall function 009B402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A07CBE,?,?,00000000,?,?), ref: 009B4065

gethostbyname.WSOCK32(?,?,?), ref: 00A16849
WSAGetLastError.WSOCK32(00000000), ref: 00A16854
_memmove.LIBCMT ref: 00A16881
inet_ntoa.WSOCK32(?), ref: 00A1688C

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 9477b93baa346909ccff62924a966309e04dee3077198b09cafe0594e51035c7
Instruction ID: 811f35506a278fc3bba1561e79e88d53a742af5beac664a6ddb3a6fd20937fbd
Opcode Fuzzy Hash: 9477b93baa346909ccff62924a966309e04dee3077198b09cafe0594e51035c7
Instruction Fuzzy Hash: D5112175900109AFCB04FBE4DE56DEEB7B8EF94310B544065F502A72A2DF31AE44DB91

Function 009F94DC Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 009F94FC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009F950E
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009F9524
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009F953F

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1fed1da6e95f9834d78a46d20911a7e92cf75270fbd86325ee34868eb002b24a
Instruction ID: 0f65d8bd62bfd5bca0b5a9231017c7885b085cf8bf45e04d837cbc8f708b4a16
Opcode Fuzzy Hash: 1fed1da6e95f9834d78a46d20911a7e92cf75270fbd86325ee34868eb002b24a
Instruction Fuzzy Hash: 0C110679901218FFEB11DB99CC85FADBBB8FB48710F204095FA04BB294D671AE11DB94

Function 009A166C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 009A29E2: GetWindowLongW.USER32(?,000000EB), ref: 009A29F3

DefDlgProcW.USER32(?,00000020,?), ref: 009A16B4
GetClientRect.USER32(?,?), ref: 009DB86C
GetCursorPos.USER32(?), ref: 009DB876
ScreenToClient.USER32(?,?), ref: 009DB881

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: b42dea2da3368b747708dc44db0012ea1cec487f089ad2a5faaa5d8deb145eaa
Instruction ID: 6bee192cff31e94fed10535f4653526974a12426d3671e0c6ef44460989b3aae
Opcode Fuzzy Hash: b42dea2da3368b747708dc44db0012ea1cec487f089ad2a5faaa5d8deb145eaa
Instruction Fuzzy Hash: 1A112575A0011AEBCB00EF98D896DBE77B8FB46301F544455F941E7150C730BA52CBE1

Function 0CD5F4CA Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000000,?,00000001,00000000,?,?,00000000), ref: 0CD5F4E0
GetLastError.KERNEL32(?,?,?,?), ref: 0CD5F4ED
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 0CD5F513
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 0CD5F539

Memory Dump Source

Source File: 0000000A.00000002.4115165866.000000000CCC6000.00000020.00001000.00020000.00000000.sdmp, Offset: 0CB60000, based on PE: true

Associated: 0000000A.00000002.4115151609.000000000CB60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB61000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CD6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115371137.000000000CDA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_cb60000_Refugees.jbxd

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: 39f01fa44dc8d46873f56762c5d9c85a803e059e5cdf6bef4af4530917890ae1
Instruction ID: f01baca2e661a941d41bdce308002b67ded5d76c4ecac64de7ba1106483797e9
Opcode Fuzzy Hash: 39f01fa44dc8d46873f56762c5d9c85a803e059e5cdf6bef4af4530917890ae1
Instruction Fuzzy Hash: 16112771A01129BBDF109F99DC489DF7F7DEF04760F104244F929AA2A4D731DA50DBA0

Function 009A2111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 009A214F
GetStockObject.GDI32(00000011), ref: 009A2163
SendMessageW.USER32(00000000,00000030,00000000), ref: 009A216D

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: a44a63d05ee6f83aa3444ec96d1be4bf3f3c446264814180770e05c19c02f604
Instruction ID: 5cccd497b1eec6334469db3dfa462f87bbd7d34647526f9d2f9c7c000c2dd8a3
Opcode Fuzzy Hash: a44a63d05ee6f83aa3444ec96d1be4bf3f3c446264814180770e05c19c02f604
Instruction Fuzzy Hash: A0118772105609BFEB028FA89C51EEABB6DEF693A4F040212FA0452120C7319C61AFE0

Function 00A017AD Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00A00358,?,00A013AB,?,00008000), ref: 00A017CA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00A00358,?,00A013AB,?,00008000), ref: 00A017EF
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00A00358,?,00A013AB,?,00008000), ref: 00A017F9
Sleep.KERNEL32(?,?,?,?,?,?,?,00A00358,?,00A013AB,?,00008000), ref: 00A0182C

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 4e34d8b025b496149046073c57300eda5500732248b2d71daa9eb11253a9e5cc
Instruction ID: cec8defbaa2e1f8132bb319363e88fff772da660ca1dac9a34cbdcb8e69634d1
Opcode Fuzzy Hash: 4e34d8b025b496149046073c57300eda5500732248b2d71daa9eb11253a9e5cc
Instruction Fuzzy Hash: 77112A31D0162CDBCF00DFE5E999AEEBFB8FF18711F418159E941B2180CB3456558B91

Function 009D7117 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 009D713B

Part of subcall function 009D7822: __fltout2.LIBCMT ref: 009D784B

__cftog_l.LIBCMT ref: 009D7161
__cftoe_l.LIBCMT ref: 009D7193

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: fce2d755b389b121ec2b2b7d81e845c6a63f5cafbb276621fb0ac0555e9a45c6
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: E401403248814ABBCF125EC4CC45CEE7F26BB18395B588516FA1859231E336C9B1FB81

Function 00A2B6B2 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A2B6D1
ScreenToClient.USER32(?,?), ref: 00A2B6E9
ScreenToClient.USER32(?,?), ref: 00A2B70D
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A2B728

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 8c3ea05c008d6850194527217d7bc265c480f85be833cee15e7562e069d330a7
Instruction ID: fdc86ecb8b289fb62ae69752db0bae1514881e6fe09aa317ba2e0fb7a2969777
Opcode Fuzzy Hash: 8c3ea05c008d6850194527217d7bc265c480f85be833cee15e7562e069d330a7
Instruction Fuzzy Hash: 711143B9D00209EFDB41CF98D8859EEBBF9FB48310F104166E914E3614D775AA658F50

Function 00A2BA22 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A2BA31
_memset.LIBCMT ref: 00A2BA40
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00A67F20,00A67F64), ref: 00A2BA6F
CloseHandle.KERNEL32 ref: 00A2BA81

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 3b78055dbdd898b93f2741a5c3caa5c41aec554fd491f01b3e7eaaffad76ce67
Instruction ID: 8be782541d7bd576c8c6f8981b7dec686f44f41ca8631b1789bf36df448d2eca
Opcode Fuzzy Hash: 3b78055dbdd898b93f2741a5c3caa5c41aec554fd491f01b3e7eaaffad76ce67
Instruction Fuzzy Hash: FCF082B25643147BF210A7E5AC15FBF3A6CEB08758F000068FA08D91A1D7F55C01C7B9

Function 00A07002 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00A0700E

Part of subcall function 00A07AEC: _memset.LIBCMT ref: 00A07B21

_memmove.LIBCMT ref: 00A07031
_memset.LIBCMT ref: 00A0703E
LeaveCriticalSection.KERNEL32(?), ref: 00A0704E

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 4720eb3f5f31cda7895c91dad012601a86754618a613dec6394f751b4fff981a
Instruction ID: f89ac6be185516e9e5a6f1b03c027bff762ff3855adeaa35b56c188b9df6e0e9
Opcode Fuzzy Hash: 4720eb3f5f31cda7895c91dad012601a86754618a613dec6394f751b4fff981a
Instruction Fuzzy Hash: B0F05476600104ABCF416F95EC85F4ABB29EF85360F08C055FE089F267C771A911DBB5

Function 00A2C13F Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 009A16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009A1729
Part of subcall function 009A16CF: SelectObject.GDI32(?,00000000), ref: 009A1738
Part of subcall function 009A16CF: BeginPath.GDI32(?), ref: 009A174F
Part of subcall function 009A16CF: SelectObject.GDI32(?,00000000), ref: 009A1778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00A2C163
LineTo.GDI32(00000000,?,?), ref: 00A2C170
EndPath.GDI32(00000000), ref: 00A2C180
StrokePath.GDI32(00000000), ref: 00A2C18E

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: b761c613e663b37ba1ca322e47e1bb1fb9538e9a373ce107c5d6597f03e50613
Instruction ID: 6eeddc8a4b61e2097385ea9f14fc4f22fc5a76b74094eaa909e51547e3813345
Opcode Fuzzy Hash: b761c613e663b37ba1ca322e47e1bb1fb9538e9a373ce107c5d6597f03e50613
Instruction Fuzzy Hash: F8F08231045269BBDB13AFA4AC0EFCE3F69AF06320F044200FA11650E2C7B55562DFE5

Function 0CB62ABD Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 0CD61382
GetLastError.KERNEL32 ref: 0CD6138E
___initconout.LIBCMT ref: 0CD6139E

Part of subcall function 0CD61303: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0CD613A3), ref: 0CD61316

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 0CD613B3

Memory Dump Source

Source File: 0000000A.00000002.4115165866.000000000CB61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0CB60000, based on PE: true

Associated: 0000000A.00000002.4115151609.000000000CB60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CCC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CD6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115371137.000000000CDA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_cb60000_Refugees.jbxd

Similarity

API ID: ConsoleWrite$CreateErrorFileLast___initconout
String ID:
API String ID: 3431868840-0
Opcode ID: 7259a22b66deb5fc70d9e43d1e8e2d2ffc0e218b9d9207045b678173b0925569
Instruction ID: cd8bb58469e2018e37b521c723b524d7b73942d581d1aa84df9cde3086256c66
Opcode Fuzzy Hash: 7259a22b66deb5fc70d9e43d1e8e2d2ffc0e218b9d9207045b678173b0925569
Instruction Fuzzy Hash: 78F0A936600525BBCF515F9AEC0499E3F75FB44661F054110FA1996A24DA328D60DF90

Function 009FA835 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 009FA852
GetWindowThreadProcessId.USER32(?,00000000), ref: 009FA865
GetCurrentThreadId.KERNEL32 ref: 009FA86C
AttachThreadInput.USER32(00000000), ref: 009FA873

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: eae234791ec0a53177bf38262debbc2f98a4c6f0609f62518947ea7b117b275f
Instruction ID: 9aaed072afe7d7f9b45b91964f5df72b892f3ff2f8010878ddfa50deab0124c7
Opcode Fuzzy Hash: eae234791ec0a53177bf38262debbc2f98a4c6f0609f62518947ea7b117b275f
Instruction Fuzzy Hash: E5E0397110122CBBEB209BA29C0DEE77F1CEF117A1F008020F60985050C7B18952CBA0

Function 009A25F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 009A260D
SetTextColor.GDI32(?,000000FF), ref: 009A2617
SetBkMode.GDI32(?,00000001), ref: 009A262C
GetStockObject.GDI32(00000005), ref: 009A2634
GetWindowDC.USER32(?,00000000), ref: 009DC0F4
GetPixel.GDI32(00000000,00000000,00000000), ref: 009DC101
GetPixel.GDI32(00000000,?,00000000), ref: 009DC11A
GetPixel.GDI32(00000000,00000000,?), ref: 009DC133
GetPixel.GDI32(00000000,?,?), ref: 009DC153
ReleaseDC.USER32(?,00000000), ref: 009DC15E

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: b71ec8d05a654dedc765c6c16f481058fb654a469adc2a31f0c842fe416d2e6d
Instruction ID: 2e4af3b2d9fd39f72e4910cbe5da6aecc7c2fcea85378b6675bb206b2c3e84da
Opcode Fuzzy Hash: b71ec8d05a654dedc765c6c16f481058fb654a469adc2a31f0c842fe416d2e6d
Instruction Fuzzy Hash: E5E06D31544244AFDF229FA8BC09BE83B28EB15332F04C367FA79480E187714981DB12

Function 009F9113 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 009F911C
OpenThreadToken.ADVAPI32(00000000,?,?,?,009F8CE7), ref: 009F9123
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009F8CE7), ref: 009F9130
OpenProcessToken.ADVAPI32(00000000,?,?,?,009F8CE7), ref: 009F9137

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: cb597676145420743eb338f7498e88103d33fadea360b762f510f03715b21e8e
Instruction ID: 5274808e2230fb436054109b754194842abf807cb42649a4e90acf7db8bc0f30
Opcode Fuzzy Hash: cb597676145420743eb338f7498e88103d33fadea360b762f510f03715b21e8e
Instruction Fuzzy Hash: 7BE086327012119BD7609FF5AE0CF573B6CDF56791F104868B345C9050E6348546CB50

Function 009E05A9 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 009E05A9
GetDC.USER32(00000000), ref: 009E05B3
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009E05D3
ReleaseDC.USER32(?), ref: 009E05F4

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7d474496eb3cd50ca834fdd26e2235985906fb973b2009406aa19292aa8b6129
Instruction ID: 721c5a38aaf4627a42ef772bc76d7d1395928a50d7e5389b08f67f590f4dec05
Opcode Fuzzy Hash: 7d474496eb3cd50ca834fdd26e2235985906fb973b2009406aa19292aa8b6129
Instruction Fuzzy Hash: C3E01AB1800204EFCB029FA1DC1AB5DBBF5EBCC310F108415F85AA7250DBB895529F50

Function 009E05BD Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 009E05BD
GetDC.USER32(00000000), ref: 009E05C7
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009E05D3
ReleaseDC.USER32(?), ref: 009E05F4

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7567417adeb728cf48160e7097f899c403f7377fe7dec6ba4c15a318f930b006
Instruction ID: 709c09845117f4d895de45942854f59e3c9cdc660950c973acd100dffdee807b
Opcode Fuzzy Hash: 7567417adeb728cf48160e7097f899c403f7377fe7dec6ba4c15a318f930b006
Instruction Fuzzy Hash: CEE012B1800204AFCB019FB0EC1AA9DBBF5AB8C310F108418F95AA7250DBB895528F90

Function 00A0B45C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 009B436A: _wcscpy.LIBCMT ref: 009B438D

Part of subcall function 009A4D37: __itow.LIBCMT ref: 009A4D62
Part of subcall function 009A4D37: __swprintf.LIBCMT ref: 009A4DAC

__wcsnicmp.LIBCMT ref: 00A0B4DD
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00A0B5A6

Strings

LPT, xrefs: 00A0B4D7

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: ee7d92da5045b0f9a8d1c7d15385adf40562708ce60a75ee9b9958f79a04b15c
Instruction ID: 9158b9b12394522e7ad11f14c4951002303566ba5dae9c94e4cb675f5d11b130
Opcode Fuzzy Hash: ee7d92da5045b0f9a8d1c7d15385adf40562708ce60a75ee9b9958f79a04b15c
Instruction Fuzzy Hash: FC61A175A10219EFCB14DF94D991EAEB7B4EF49310F0544A9F906AB2D1DB70AE40CBA0

Function 009AE00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 009AE01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 009AE037

Strings

@, xrefs: 009AE02B

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 22cb1ab9f3797f6f39e3c1873763ced6e3956f514b278de04ac2f8f24f5c69c1
Instruction ID: 3a9b497cd443fc647f8e3a8b20769cc33f9abd19cd3843c585e9a223b92f4c5d
Opcode Fuzzy Hash: 22cb1ab9f3797f6f39e3c1873763ced6e3956f514b278de04ac2f8f24f5c69c1
Instruction Fuzzy Hash: 215158725087449BE320AF60EC86BAFBBE8FBC5314F41484DF2D8411A1DFB19529CB56

Function 00A12A3E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A12A4E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00A12A84

Strings

|, xrefs: 00A12A55

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: f7f36b03b7ac55cb77d56980ef0eea5814907e851d43d6e3b3170b53ff66a0cb
Instruction ID: 6dfc5d7078b7cf33a1da445a74ebe5c259633692d181414c97e30c8c41370740
Opcode Fuzzy Hash: f7f36b03b7ac55cb77d56980ef0eea5814907e851d43d6e3b3170b53ff66a0cb
Instruction Fuzzy Hash: FB314871C04219ABCF15EFA0CC85BEEBFB8FF08310F100059F805A6162EB319956CB60

Function 00A26E50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00A26F04
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A26F40

Strings

static, xrefs: 00A26EA0

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8d85051e25d9011c31887a02bfcbf7dc7b9682337deef1c08b8d5f796186bebd
Instruction ID: 7eff2db928f048465b111fa393644e445a1daaea8c849b8244508ab7e7771b5f
Opcode Fuzzy Hash: 8d85051e25d9011c31887a02bfcbf7dc7b9682337deef1c08b8d5f796186bebd
Instruction Fuzzy Hash: 0C317E71100614AADB109F68EC81FFB77A9FF88724F108629F9A587190DB71AC81DB60

Function 00A02EB5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A02F24
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A02F5F

Strings

0, xrefs: 00A02F1D

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 6f72852d648f9cbb13a3944e85e9322d90facae907616b24ea4062add09a2ea2
Instruction ID: 7c40da7f107592a61dc4e2f75ef69f8f42ca2380b28da63f1869fd8872b5a7b4
Opcode Fuzzy Hash: 6f72852d648f9cbb13a3944e85e9322d90facae907616b24ea4062add09a2ea2
Instruction Fuzzy Hash: 9F31D532A0030F9BEB259F58E889BAEFBB8EF45390F14001DED85D61E0D7709A54DB51

Function 00A26AC1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A26B4E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A26B59

Strings

Combobox, xrefs: 00A26B1B

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: f9fe2ec638ac1cac99818ca8eb3479df1512642310b5fd6b07ea87d62021e2a7
Instruction ID: 740baeb50f09f85e720c2010adfcd95bfd9a2f65410dc4604978af682e6d089b
Opcode Fuzzy Hash: f9fe2ec638ac1cac99818ca8eb3479df1512642310b5fd6b07ea87d62021e2a7
Instruction Fuzzy Hash: DD118F71341219BFEF119F58EC91EFB3B6AEB983A4F204139F918D7290D6719C518760

Function 00A26FF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 009A2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 009A214F
Part of subcall function 009A2111: GetStockObject.GDI32(00000011), ref: 009A2163
Part of subcall function 009A2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 009A216D

GetWindowRect.USER32(00000000,?), ref: 00A2705E
GetSysColor.USER32(00000012), ref: 00A27078

Strings

static, xrefs: 00A2703B

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3d82261b1ed6a7611e227df1aede86742ecdf38e45c3be6d6e217ed26c3247a7
Instruction ID: 2d20248b63aebc38a11c76078ca2d9dee9e681587ac5eb54619b25374cd0be09
Opcode Fuzzy Hash: 3d82261b1ed6a7611e227df1aede86742ecdf38e45c3be6d6e217ed26c3247a7
Instruction Fuzzy Hash: 1C21037261421AAFDB04DFA8DC46EEA7BA8FB48314F004629FA55A2240E635E855DB60

Function 0CB6141F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

GetXStateFeaturesMask, xrefs: 0CD40E34
InitializeCriticalSectionEx, xrefs: 0CD40E84

Memory Dump Source

Source File: 0000000A.00000002.4115165866.000000000CB61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0CB60000, based on PE: true

Associated: 0000000A.00000002.4115151609.000000000CB60000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CB68000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CCC6000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115165866.000000000CD6D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD6F000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115332973.000000000CD78000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115371137.000000000CDA2000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAA000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAD000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.4115387048.000000000CDAF000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_cb60000_Refugees.jbxd

Similarity

API ID:
String ID: GetXStateFeaturesMask$InitializeCriticalSectionEx
API String ID: 0-4196971266
Opcode ID: eb03ef20aa722f2a70190691c1b26024bf667530063e1095da16d9ad9a65e43d
Instruction ID: 9b1f4e7d312eb09741b2a1f4413a4f6a15968c6897ba0f386177af12a57681d9
Opcode Fuzzy Hash: eb03ef20aa722f2a70190691c1b26024bf667530063e1095da16d9ad9a65e43d
Instruction Fuzzy Hash: 4701843168022877DB113B95DD06EAE7E65EB80B71F014021FF5E25234D6B29928DAD0

Function 00A26D0D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00A26D8F
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A26D9E

Strings

edit, xrefs: 00A26D73

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 9da478c5952fb23d89db5888a7817ae67d6997585cfe3a155a1f6d013ea2af84
Instruction ID: eb97ab86f82e5f8708afc82aa1301859b38abbad96ff683a66746dec5d6da84c
Opcode Fuzzy Hash: 9da478c5952fb23d89db5888a7817ae67d6997585cfe3a155a1f6d013ea2af84
Instruction Fuzzy Hash: C0116A71602618ABEB109F78EC95AFB3B6AEB05368F204724F964971E0C771DC919B60

Function 00A02FC3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A03036
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00A03055

Strings

0, xrefs: 00A0302C

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: ebee887d42257728762014640306d7a61cf68a3d3b6af9853a8faa487884b726
Instruction ID: 1b4cbe900a329fa002be41cb3380fde9b397b6725e32b2235ece2dd8b1dd5f3c
Opcode Fuzzy Hash: ebee887d42257728762014640306d7a61cf68a3d3b6af9853a8faa487884b726
Instruction Fuzzy Hash: 2811BF3290221CABDF24EF9DEC44FADB7BCAB05758F140125E954A72E0D770AE05C7A1

Function 00A12686 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A126DC
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A12705

Strings

<local>, xrefs: 00A126CD

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: aac6f136abcd9e8d2fd4de28da59efef5a516a5584e93d2cb85ff42d924bec32
Instruction ID: e244f014c5b61671a78e51adedb7fc95edce471142414d294d2d3efc4042d17a
Opcode Fuzzy Hash: aac6f136abcd9e8d2fd4de28da59efef5a516a5584e93d2cb85ff42d924bec32
Instruction Fuzzy Hash: CB119E70501229BADB248F518C89FFBFBA8FB16791F10812AF95546480E270A9E5DBF0

Function 00A1823D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A184A8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00A18265,?,00000000,?,?), ref: 00A184BF

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A18268
htons.WSOCK32(00000000,?,00000000), ref: 00A182A5

Strings

255.255.255.255, xrefs: 00A18280

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 36b2796dbb4e58f90c7a2098652c5722b11fecafed908f610bb2101ebca7f701
Instruction ID: 70d0282785fb9bcad199945361892a261bd45acc8cd88f7d2c1ae54aeb293336
Opcode Fuzzy Hash: 36b2796dbb4e58f90c7a2098652c5722b11fecafed908f610bb2101ebca7f701
Instruction Fuzzy Hash: 6811E130600619ABDB10EFA4CD46FFEB364FF40320F108516FA25972C1DB71A851CB91

Function 009F97A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77

Part of subcall function 009FB57D: GetClassNameW.USER32(?,?,000000FF), ref: 009FB5A0

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 009F980E

Strings

ComboBox, xrefs: 009F97AD
ListBox, xrefs: 009F97D8

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 303cd9a3fede85bb6411680237ebe8e2106985afb087726c350c04f304ac6c94
Instruction ID: c1c9245b5e00390ea82fca6546e09d94acb65b10b4196f1ae579559678d5c1c3
Opcode Fuzzy Hash: 303cd9a3fede85bb6411680237ebe8e2106985afb087726c350c04f304ac6c94
Instruction Fuzzy Hash: DE01B571A4121CAB8B14EFA4CC61AFE7769FF92360B500619F971672D1DF355808C750

Function 00A091B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A091D4
__fread_nolock.LIBCMT ref: 00A091E9

Strings

EA06, xrefs: 00A0921B

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: d04355bb3b44cf8a1a6a6469dd1fe26fdb47c3e2a9d058d0a4dcaddacdbeb719
Instruction ID: 4de177e5b20dd05767f3e9a309021ca9ebdf7a7b9c5b67f9f611a6ec91605ee9
Opcode Fuzzy Hash: d04355bb3b44cf8a1a6a6469dd1fe26fdb47c3e2a9d058d0a4dcaddacdbeb719
Instruction Fuzzy Hash: 7D01F971D0421CBEDB28CBA8DC5AFAE7BF89B05311F00419EF552D6181E474A6088B60

Function 009F9698 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77

Part of subcall function 009FB57D: GetClassNameW.USER32(?,?,000000FF), ref: 009FB5A0

SendMessageW.USER32(?,00000180,00000000,?), ref: 009F9706

Strings

ComboBox, xrefs: 009F96A5
ListBox, xrefs: 009F96D0

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 944f8a5885b3481acc5d07b12828e5ec97f1555004957f9ce940b770942b56c0
Instruction ID: 791ac088a38c43dba3284272f409d61014d6c764d744d1df1e1e0e892846fce7
Opcode Fuzzy Hash: 944f8a5885b3481acc5d07b12828e5ec97f1555004957f9ce940b770942b56c0
Instruction Fuzzy Hash: 4A01D4B1A4110CABCB14EBA0C962FFF77ACAF51350F500115B951A3281DE655E08C7B1

Function 009F971D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 009B1A36: _memmove.LIBCMT ref: 009B1A77

Part of subcall function 009FB57D: GetClassNameW.USER32(?,?,000000FF), ref: 009FB5A0

SendMessageW.USER32(?,00000182,?,00000000), ref: 009F9789

Strings

ComboBox, xrefs: 009F972A
ListBox, xrefs: 009F9755

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 51c78bda01e5d4c66766e0188585e1604e4dfad8aeea2db40f0d0dc8ab4ef138
Instruction ID: 9566e5f54e6145f27951d8b6b487b375d8e09a85d824392c153d5af662b89e8d
Opcode Fuzzy Hash: 51c78bda01e5d4c66766e0188585e1604e4dfad8aeea2db40f0d0dc8ab4ef138
Instruction Fuzzy Hash: C501DFB1A5120CAB8B10EFA4CA62FFFB7AC9B50350BA00115B955A3281DA255E088371

Function 00A05350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A0536E
_wcscmp.LIBCMT ref: 00A05380

Strings

#32770, xrefs: 00A0537A

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 4cd6d6f38bb86aaa596a03a89e3891a81669954276e4f103c3c05d0413c8e5ff
Instruction ID: 06cfe4df4a269f2b1d2315d826cfc041ef36b53d05377bfffa1ae67e34d1b709
Opcode Fuzzy Hash: 4cd6d6f38bb86aaa596a03a89e3891a81669954276e4f103c3c05d0413c8e5ff
Instruction Fuzzy Hash: D9E09B7290422867D710D695AC06F9BF7ACEB55761F000056FD04D7141E5A06A558BD1

Function 009F8675 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009F8683

Part of subcall function 009C34BA: _doexit.LIBCMT ref: 009C34C4

Strings

AutoIt, xrefs: 009F8677
Error allocating memory., xrefs: 009F867C

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 73b6f8c9c262eee4e952f3e6075608d276682b182bf7a9161218ca380c5d8c4d
Instruction ID: c62b369d88cef07a04f4769a4f447b10f7aff31938d688e43c87d691c3f727fc
Opcode Fuzzy Hash: 73b6f8c9c262eee4e952f3e6075608d276682b182bf7a9161218ca380c5d8c4d
Instruction Fuzzy Hash: 0CD02B3138431837D2143294AC0BFCA3A484B85B22F104419BB04A50C34EE5858042D5

Function 009DB421 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 009DB474: _memset.LIBCMT ref: 009DB481

Part of subcall function 009C0A9F: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,009DB450,?,?,?,009A100A), ref: 009C0AA4

IsDebuggerPresent.KERNEL32(?,?,?,009A100A), ref: 009DB454
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,009A100A), ref: 009DB463

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 009DB45E

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 746f2ecd1e70ad393520de44a23c4a677ab51afba56d58b7210d812b6244fdd9
Instruction ID: 3c5dfd047ccb2949109c8ef488f6b3aad6ed6bd2a89846b58f979efd3e6dce38
Opcode Fuzzy Hash: 746f2ecd1e70ad393520de44a23c4a677ab51afba56d58b7210d812b6244fdd9
Instruction Fuzzy Hash: E8E06D75600711CFD720DF75E809B467AE4AF84744F01891EE496C6761D7B5D504CB91

Function 009E0181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 009DFFC1

Part of subcall function 00A1C4A1: LoadLibraryA.KERNEL32(kernel32.dll,?,009E01AA,?), ref: 00A1C4AF
Part of subcall function 00A1C4A1: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00A1C4C1

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 009E01B9

Strings

WIN_XPe, xrefs: 009DFFD4

Memory Dump Source

Source File: 0000000A.00000002.4109943074.00000000009A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 009A0000, based on PE: true

Associated: 0000000A.00000002.4109906435.00000000009A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A30000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110005455.0000000000A55000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110054329.0000000000A5F000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000A.00000002.4110076452.0000000000A68000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_9a0000_Refugees.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 824624cb17caac31fe629471cbdac5e78244c83d66d951edd012af81cb3ba13e
Instruction ID: 2153c26fc8691a475c0160a6a37bdd80ecdf0e7671efe5603f013500fc7dac56
Opcode Fuzzy Hash: 824624cb17caac31fe629471cbdac5e78244c83d66d951edd012af81cb3ba13e
Instruction Fuzzy Hash: 74F03970848019DFCB15DBD4CDA9AECBBB8AB09300F244496E142A2290C7744F81CF20

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lem.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\JKJEHJKJEBGH\CBAKJE

C:\ProgramData\JKJEHJKJEBGH\DHIEHI

C:\ProgramData\JKJEHJKJEBGH\ECFCBK

C:\ProgramData\JKJEHJKJEBGH\FIIEHJ

C:\ProgramData\JKJEHJKJEBGH\HCAEBF

C:\ProgramData\JKJEHJKJEBGH\JKJEHJ

C:\ProgramData\JKJEHJKJEBGH\KEGCBF

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sqlt[1].dll

C:\Users\user\AppData\Local\Temp\820565\Refugees.pif

C:\Users\user\AppData\Local\Temp\820565\n

C:\Users\user\AppData\Local\Temp\Bbs

C:\Users\user\AppData\Local\Temp\Bind

Windows Analysis Report
lem.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre