Edit tour

Windows Analysis Report
EpCAySF1G6.exe

Overview

General Information

Sample name:	EpCAySF1G6.exe renamed because original name is a hash value
Original sample name:	6c2f397589156433b18b4c931a684a25.exe
Analysis ID:	1581088
MD5:	6c2f397589156433b18b4c931a684a25
SHA1:	85364fdc36e163b705becb13a551a5625e930d50
SHA256:	5f4c69564c3b8b8e151218444de219dc267207fa868b14622302f10c4726e5c0
Tags:	exeValleyRATuser-abuse_ch
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Contains functionality to detect sleep reduction / modifications

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to read the clipboard data

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Creates a DirectInput object (often for capturing keystrokes)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a global mouse hook

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Stores large binary data to the registry

Classification

Process Tree

System is w10x64

EpCAySF1G6.exe (PID: 6792 cmdline: "C:\Users\user\Desktop\EpCAySF1G6.exe" MD5: 6C2F397589156433B18B4C931A684A25)

cleanup

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T23:10:03.704899+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49730	8.218.163.62	6666	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: EpCAySF1G6.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: EpCAySF1G6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File opened: [:	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49730 -> 8.218.163.62:6666

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 8.218.163.62:6666

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62
Source: unknown	TCP traffic detected without corresponding DNS query: 8.218.163.62

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_3_00000001800036B0 select,recv,_errno,_errno,_errno,

0_3_00000001800036B0

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_3_0000000180006D99 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,GlobalUnlock,CloseClipboard,

0_3_0000000180006D99

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_3_0000000180006DB0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,		0_3_0000000180006DB0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_3_00000001800076C3 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,		0_3_00000001800076C3

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_3_0000000180006D99 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,GlobalUnlock,CloseClipboard,

0_3_0000000180006D99

Source: EpCAySF1G6.exe, 00000000.00000003.2238000309.0000000003D98000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_10fcfc40-f

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_3_00000001800033B0	0_3_00000001800033B0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_3_000000018000DC00	0_3_000000018000DC00
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_3_0000000180007870	0_3_0000000180007870
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_3_0000000180002880	0_3_0000000180002880
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_3_000000018000A88C	0_3_000000018000A88C
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_3_000000018003BC94	0_3_000000018003BC94
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_3_0000000180030DA0	0_3_0000000180030DA0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_3_000000018000B360	0_3_000000018000B360
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_3_0000000180007370	0_3_0000000180007370

Source: classification engine

Classification label: mal68.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Mutant created: \Sessions\1\BaseNamedObjects\2024.12.22

Source: EpCAySF1G6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: EpCAySF1G6.exe

ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32

Jump to behavior

Source: EpCAySF1G6.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: EpCAySF1G6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_3_000000018000D6C8 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_3_000000018000D6C8

Source: EpCAySF1G6.exe

Static PE information: real checksum: 0x2bb4f should be: 0x20c8f

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Key value created or modified: HKEY_CURRENT_USER\Console\1 d33f351a4aeea5e608853d1a56661059

Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_3_0000000180008600

0_3_0000000180008600

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05DF8D13-C355-47F4-A11E-851B338CEFB8}

Jump to behavior

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Window / User API: threadDelayed 365	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Window / User API: threadDelayed 4756	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Window / User API: threadDelayed 470	Jump to behavior

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_3_0000000180008600

0_3_0000000180008600

Source: C:\Users\user\Desktop\EpCAySF1G6.exe TID: 6972	Thread sleep count: 365 > 30	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe TID: 7096	Thread sleep count: 75 > 30	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe TID: 7096	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe TID: 7084	Thread sleep count: 4756 > 30	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe TID: 7084	Thread sleep time: -47560s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe TID: 6160	Thread sleep count: 470 > 30	Jump to behavior

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_3_0000000180007220 WaitForSingleObject,SleepEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,SystemParametersInfoW,PostMessageW,SystemParametersInfoW,PostMessageW,BlockInput,SleepEx,BlockInput,

0_3_0000000180007220

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_3_00000001800090E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_3_00000001800090E0

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

0_3_000000018000D6C8

Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_3_00000001800090E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_3_00000001800090E0
Source: C:\Users\user\Desktop\EpCAySF1G6.exe	Code function: 0_3_000000018000AB74 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_3_000000018000AB74

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_3_0000000180007370 BlockInput,GetDeviceCaps,GetDeviceCaps,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,mouse_event,

0_3_0000000180007370

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_3_0000000180007591 mouse_event,

0_3_0000000180007591

Source: EpCAySF1G6.exe, 00000000.00000003.2068644632.0000000003DDC000.00000004.00000020.00020000.00000000.sdmp, EpCAySF1G6.exe, 00000000.00000003.2238000309.0000000003DDC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0 minProgram Manager
Source: EpCAySF1G6.exe, 00000000.00000003.2759712941.0000000003DDC000.00000004.00000020.00020000.00000000.sdmp, EpCAySF1G6.exe, 00000000.00000003.2434810732.0000000003DDC000.00000004.00000020.00020000.00000000.sdmp, EpCAySF1G6.exe, 00000000.00000003.2921591496.0000000003DDC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager;;W
Source: EpCAySF1G6.exe, 00000000.00000003.1776763826.0000000003D52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free3 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_3_000000018000D154 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_3_000000018000D154

Source: C:\Users\user\Desktop\EpCAySF1G6.exe

Code function: 0_3_000000018000A438 HeapCreate,GetVersion,HeapSetInformation,

0_3_000000018000A438

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	1 Process Injection	1 Modify Registry	2 Input Capture	1 System Time Discovery	Remote Services	2 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	22 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	11 Peripheral Device Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	4 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EpCAySF1G6.exe	68%	ReversingLabs	Win64.Backdoor.Farfli

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
8.218.163.62	unknown	Singapore		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581088
Start date and time:	2024-12-26 23:09:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EpCAySF1G6.exe renamed because original name is a hash value
Original Sample Name:	6c2f397589156433b18b4c931a684a25.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 97% Number of executed functions: 15 Number of non-executed functions: 82
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target EpCAySF1G6.exe, PID 6792 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
VT rate limit hit for: EpCAySF1G6.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	xd.ppc.elf	Get hash	malicious	Mirai	Browse	47.245.158.74
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	47.57.184.195
	T1#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Nitol	Browse	8.212.102.187
	splarm7.elf	Get hash	malicious	Unknown	Browse	47.253.191.95
	nabsh4.elf	Get hash	malicious	Unknown	Browse	47.240.78.242
	splppc.elf	Get hash	malicious	Unknown	Browse	47.52.40.232
	arm.elf	Get hash	malicious	Unknown	Browse	8.208.49.9
	splx86.elf	Get hash	malicious	Unknown	Browse	47.241.90.97
	armv4l.elf	Get hash	malicious	Unknown	Browse	8.222.176.99

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.106036027086711
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EpCAySF1G6.exe
File size:	133'632 bytes
MD5:	6c2f397589156433b18b4c931a684a25
SHA1:	85364fdc36e163b705becb13a551a5625e930d50
SHA256:	5f4c69564c3b8b8e151218444de219dc267207fa868b14622302f10c4726e5c0
SHA512:	206fee1c1b0fdd4aa263a70d21fe0f81df6025085e03234881032ad77317c2ad90ada34bc47d3c6ac917541b7edd5ce618a93c3c3a4ce0dfdc92ba864d9be4ce
SSDEEP:	3072:lO55k/y5dAj+BMTYlgEQnB+Y+pek7+3OrFZeUqe6oW:lO5n5d56TYZQnB+Dpekyyqm
TLSH:	96D37D4733A450F9D4A78279C9A24A06E7B374660735A7CF17A086BA2F137D1BD3A331
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........VF.g.F.g.F.g.)...+.g.)...M.g.)...k.g.O...M.g.F.f...g.)...K.g.)...G.g.RichF.g.........................PE..d.....ld.........."

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x140009a74
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x646C86AC [Tue May 23 09:26:04 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	fb51ede541a9ad63bf23d302e319d2a0

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F03ECB4C7E8h
dec eax
add esp, 28h
jmp 00007F03ECB489CBh
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], edi
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 60h
dec eax
mov edi, edx
dec eax
mov ebx, ecx
dec eax
lea ecx, dword ptr [ebp-40h]
dec eax
lea edx, dword ptr [0000EAE5h]
inc ecx
mov eax, 00000040h
call 00007F03ECB47B9Fh
dec eax
lea edx, dword ptr [ebp+10h]
dec eax
mov ecx, edi
dec eax
mov dword ptr [ebp-18h], ebx
dec eax
mov dword ptr [ebp-10h], edi
call 00007F03ECB50855h
dec esp
mov ebx, eax
dec eax
mov dword ptr [ebp+10h], eax
dec eax
mov dword ptr [ebp-08h], eax
dec eax
test edi, edi
je 00007F03ECB48B6Dh
test byte ptr [edi], 00000008h
mov ecx, 01994000h
je 00007F03ECB48B57h
mov dword ptr [ebp-20h], ecx
jmp 00007F03ECB48B5Eh
mov eax, dword ptr [ebp-20h]
dec ebp
test ebx, ebx
cmove eax, ecx
mov dword ptr [ebp-20h], eax
inc esp
mov eax, dword ptr [ebp-28h]
mov edx, dword ptr [ebp-3Ch]
mov ecx, dword ptr [ebp-40h]
dec esp
lea ecx, dword ptr [ebp-20h]
call dword ptr [0000E7AFh]
dec esp
lea ebx, dword ptr [esp+60h]
dec ecx
mov ebx, dword ptr [ebx+18h]
dec ecx
mov edi, dword ptr [ebx+20h]
dec ecx
mov esp, ebx
pop ebp
ret
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000088h
dec eax
lea ecx, dword ptr [00016781h]
call dword ptr [0000E7B3h]
dec eax
mov eax, dword ptr [0001686Ch]

Rich Headers

Programming Language:

[ C ] VS2010 build 30319
[ASM] VS2010 build 30319
[C++] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1d028	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x27000	0x1b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x25000	0x1578	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x28000	0x2f8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x18000	0x438	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16606	0x16800	9cde0d8ddbf108908aa730f375bc1766	False	0.5621636284722222	zlib compressed data	6.429037086317127	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x18000	0x5d3a	0x5e00	b44503f0aa67867070e1b6433af825a5	False	0.3683926196808511	data	4.8111582224132965	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e000	0x6770	0x2200	4dddad5b9c888efde6aff4d8b6f42a73	False	0.22047334558823528	data	2.6960600551063005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x25000	0x1578	0x1600	6b2fcd8de66b48f900df2c9c6b6db832	False	0.4728338068181818	data	5.019696142888745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x27000	0x1b4	0x200	5f882a758b6b0045acd02c3e0551be90	False	0.486328125	data	5.112623549532036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x28000	0x5be	0x600	3b9d434e2274fd734402fea8d43c6f67	False	0.3587239583333333	data	3.4572271853315204	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x27058	0x15a	ASCII text, with CRLF line terminators	English	United States	0.5491329479768786

Imports

DLL	Import
KERNEL32.dll	HeapCreate, EnterCriticalSection, DeleteCriticalSection, WaitForSingleObject, SetEvent, Sleep, CreateEventA, GetLastError, CloseHandle, GetCurrentThreadId, SwitchToThread, SetLastError, WideCharToMultiByte, lstrlenW, ResetEvent, CreateEventW, CancelIo, TryEnterCriticalSection, SetWaitableTimer, CreateWaitableTimerW, GetThreadContext, SetThreadContext, LeaveCriticalSection, GetExitCodeProcess, CreateProcessA, GetSystemDirectoryA, VirtualAllocEx, WriteProcessMemory, ResumeThread, FreeLibrary, SetUnhandledExceptionFilter, GetCurrentProcess, LoadLibraryW, GetConsoleWindow, CreateFileW, GetProcAddress, GetLocalTime, IsDebuggerPresent, GetCurrentProcessId, CreateThread, LCMapStringW, WriteConsoleW, SetStdHandle, GetStringTypeW, MultiByteToWideChar, HeapDestroy, InitializeCriticalSectionAndSpinCount, HeapFree, HeapAlloc, VirtualAlloc, OpenProcess, VirtualFree, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, GetConsoleMode, FlushFileBuffers, GetConsoleCP, SetFilePointer, GetSystemTimeAsFileTime, GetTickCount, QueryPerformanceCounter, GetStartupInfoW, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, RtlUnwindEx, FlsAlloc, FlsFree, FlsSetValue, FlsGetValue, HeapReAlloc, HeapSize, GetProcessHeap, ExitThread, DecodePointer, EncodePointer, GetCommandLineW, RaiseException, RtlPcToFileHeader, TerminateProcess, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, HeapSetInformation, GetVersion, GetModuleHandleW, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW
USER32.dll	DispatchMessageW, PostThreadMessageA, PeekMessageW, TranslateMessage, MsgWaitForMultipleObjects, ShowWindow, GetInputState, wsprintfW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteValueW, RegQueryValueExW, RegCreateKeyW, RegSetValueExW
WS2_32.dll	WSAWaitForMultipleEvents, WSAIoctl, connect, WSAStartup, select, WSAResetEvent, setsockopt, recv, socket, closesocket, gethostbyname, send, WSASetLastError, WSACreateEvent, shutdown, WSAEventSelect, WSAEnumNetworkEvents, WSAGetLastError, WSACloseEvent, htons, WSACleanup
WINMM.dll	timeGetTime

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-26T23:10:03.704899+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.4	49730	8.218.163.62	6666	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 26, 2024 23:10:03.554869890 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:03.674709082 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:03.674814939 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:03.704899073 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:03.824542999 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:05.220470905 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:05.221002102 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:05.340900898 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:05.340943098 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:05.340977907 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:05.767657995 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:05.767709017 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:05.767746925 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:05.767780066 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:05.767817020 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:05.767878056 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:05.817718983 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:05.999377966 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:05.999413013 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:05.999449015 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:05.999485970 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:05.999492884 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:05.999540091 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.007657051 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.007786036 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.007843971 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.016119957 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.016191959 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.016239882 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.024085045 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.024183989 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.024241924 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.191252947 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.231594086 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.231632948 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.231692076 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.235681057 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.235748053 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.235856056 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.244119883 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.244158030 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.244180918 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.252456903 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.252579927 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.252615929 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.260972977 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.261022091 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.261068106 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.269254923 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.269313097 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.269387960 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.277715921 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.277776957 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.277888060 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.286047935 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.286159992 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.286174059 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.294390917 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.294459105 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.464299917 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.464344025 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.464423895 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.468583107 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.468620062 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.468678951 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.476787090 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.476984024 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.477051020 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.485727072 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.485871077 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.485925913 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.493571043 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.493733883 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.493787050 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.501631975 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.501773119 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.501830101 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.510061026 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.510248899 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.510303020 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.518455029 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.518601894 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.518672943 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.526803017 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.526987076 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.527050018 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.535142899 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.535264969 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.535331011 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.655772924 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.696099997 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.696187019 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.696234941 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.699371099 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.699429989 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.699503899 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.706235886 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.706326008 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.706352949 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.712821960 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.712884903 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.712970972 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.719513893 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.719620943 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.719726086 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.726244926 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.726303101 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.726320982 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.732814074 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.732877970 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.732963085 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.739511013 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.739578009 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.739641905 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.746215105 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.746284962 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.746340990 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.752907991 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.752985001 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.753056049 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.759586096 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.759665966 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.759777069 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.766324043 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.766383886 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.766450882 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.773025990 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.773134947 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.930913925 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.930931091 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.930988073 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.932193995 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.932207108 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.932251930 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.937982082 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.938102961 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.938150883 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.944780111 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.944917917 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.944978952 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.951534986 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.951667070 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.951714993 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.957154036 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.957247972 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.957298040 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.965872049 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.965886116 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.965938091 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.970011950 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.970077038 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.970123053 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.976327896 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.976424932 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.976469994 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.982667923 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.982805967 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.982851028 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.989061117 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.989192963 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.989238024 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:06.995542049 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.995567083 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:06.995605946 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.001816988 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.001920938 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.001967907 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.008241892 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.008281946 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.008332014 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.014580011 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.014738083 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.014780045 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.020992041 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.021070004 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.021116018 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.027331114 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.027471066 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.027518034 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.033761024 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.033876896 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.033924103 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.161902905 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.162131071 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.162188053 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.164035082 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.164134026 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.164206028 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.168451071 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.168517113 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.168566942 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.172796011 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.172934055 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.172985077 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.177161932 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.177299976 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.177345037 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.181514978 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.181687117 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.181730986 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.185909033 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.186007023 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.186048985 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.190336943 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.190402985 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.190445900 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.195724010 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.195854902 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.195902109 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.199162960 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.199295044 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.199333906 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.203568935 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.203643084 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.203686953 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.207912922 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.208014965 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.208055973 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.212327003 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.212428093 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.212471962 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.216636896 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.216801882 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.216847897 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.221046925 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.221220016 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.221265078 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.225502014 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.225616932 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.225661993 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.229814053 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.229952097 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.230000019 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.234222889 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.234369040 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.234410048 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.238559961 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.238651037 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.238693953 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.242981911 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.243118048 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.243163109 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.247186899 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.247329950 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.247370958 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.251586914 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.251641035 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.251698017 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.392462015 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.392508984 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.392561913 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.394042015 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.394193888 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.394238949 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.397352934 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.397483110 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.397532940 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.400698900 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.400818110 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.400861979 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.404191017 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.404361963 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.404412031 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.407351017 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.407452106 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.407499075 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.410696030 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.410793066 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.410856962 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.414022923 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.414134979 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.414323092 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.417336941 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.417447090 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.417500019 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.420680046 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.420825958 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.420881033 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.424001932 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.424143076 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.424195051 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.427337885 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.427603960 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.427651882 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.430643082 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.430797100 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.430856943 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.434006929 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.434108973 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.434154987 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.437311888 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.437434912 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.437484026 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.440670013 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.440778017 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.440824986 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.444011927 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.444142103 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.444194078 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.447334051 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.447457075 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.447508097 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.450742960 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.450784922 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.450829029 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.453999996 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.454129934 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.454185963 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.457324028 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.457461119 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.457516909 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.460633993 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.460798979 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.460850954 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.463962078 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.464133978 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.464190960 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.467302084 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.467421055 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.467466116 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.470683098 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.470769882 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.470817089 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.473958015 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.474179983 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.474234104 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.477287054 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.477425098 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.477489948 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.480683088 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.480751991 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.480849028 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.483959913 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.484070063 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.484122038 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.487303019 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.536479950 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.624430895 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.624510050 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.624567986 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.625737906 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.625750065 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.625794888 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.628216982 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.628305912 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.628360987 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.630779028 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.630897999 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.630944967 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.633337975 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.633459091 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.633507013 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.635885954 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.636010885 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.636059046 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.638473988 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.638623953 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.638670921 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.641020060 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.641138077 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.641194105 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.643662930 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.643738985 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.643780947 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.646141052 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.646275997 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.646323919 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.648736000 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.648830891 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.648878098 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:07.651276112 CET	6666	49730	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:07.692706108 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:08.678446054 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:08.798449993 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:08.798525095 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:10.661720037 CET	49730	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:13.695470095 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:13.815454960 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:13.815476894 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:13.815493107 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:13.815517902 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:14.484566927 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:14.484852076 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:14.604490995 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:25.911722898 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:26.031147003 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:26.464457035 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:26.505229950 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:26.803904057 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:26.923652887 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:35.263329029 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:35.263353109 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:35.263361931 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:35.263452053 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:35.263797998 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:35.383337975 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:35.383353949 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:35.383367062 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.051640034 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.051676035 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.051687956 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.051719904 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.051817894 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.051830053 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.051840067 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.051865101 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.051877975 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.059947968 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.114667892 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.283433914 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.283534050 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.283588886 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.287611961 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.287631035 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.287679911 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.295994043 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.296135902 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.296175957 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.304356098 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.304461956 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.304510117 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.312681913 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.312802076 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.312840939 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.321078062 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.364669085 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.515311003 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.515424967 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.515470028 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.519509077 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.519604921 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.519645929 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.527889967 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.527966022 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.528007984 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.536312103 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.536406994 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.536444902 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.544635057 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.544749022 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.544785976 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.552983046 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.553090096 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.553138018 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.561451912 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.561574936 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.561618090 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.569936037 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.569961071 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.570005894 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.578134060 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.630263090 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.747061968 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.747107029 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.747154951 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.750520945 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.751972914 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.752016068 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.752075911 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.759708881 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.759728909 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.759771109 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.767246008 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.767292976 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.767353058 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.774872065 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.774923086 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.774986029 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.782582998 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.782607079 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.782630920 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.790127039 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.790175915 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.790205956 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.797739983 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.797796011 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.797854900 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.805488110 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.805536985 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.805541039 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.813036919 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.813081980 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.813088894 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.864615917 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.978455067 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.978529930 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.978590012 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.982219934 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.982369900 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.982414961 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:36.989814997 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.992556095 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.992574930 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:36.992607117 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.000358105 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.000432968 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.000451088 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.007803917 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.007857084 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.007962942 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.015431881 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.015486956 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.015489101 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.023175001 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.023185015 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.023237944 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.030704975 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.030756950 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.030827045 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.038367033 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.038417101 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.038431883 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.045929909 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.045994997 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.046058893 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.053563118 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.053615093 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.053621054 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.061152935 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.061207056 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.061269999 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.068784952 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.068845034 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.068916082 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.076416016 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.076463938 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.210294962 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.210438967 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.210483074 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.213500023 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.213641882 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.213680029 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.220277071 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.220288038 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.220333099 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.226728916 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.226773977 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.226814985 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.233377934 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.233388901 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.233426094 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.239886999 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.240015030 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.240051031 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.246511936 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.246618986 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.246659040 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.253249884 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.253338099 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.253379107 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.259843111 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.259884119 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.259918928 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.266390085 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.266467094 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.266501904 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.272927046 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.273005962 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.273046017 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.279495001 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.279601097 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.279640913 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.286148071 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.286261082 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.286304951 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.292642117 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.292793989 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.292841911 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.299320936 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.299447060 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.299498081 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.305898905 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.306031942 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.306073904 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.312552929 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.312563896 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.312606096 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.318975925 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.319159985 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.319201946 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.325452089 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.325579882 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.325628042 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.332916021 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.333007097 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.333048105 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.338849068 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.338860989 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.338900089 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.345248938 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.395931959 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.441791058 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.441855907 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.441895008 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.443170071 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.443181038 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.443223953 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.447546005 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.447696924 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.447746992 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.452040911 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.452155113 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.452193022 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.456414938 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.456522942 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.456585884 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.460745096 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.460916996 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.460968018 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.465107918 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.465428114 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.465475082 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.469302893 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.469409943 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.469460964 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.473437071 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.473566055 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.473609924 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.477607012 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.477694035 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.477736950 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.481704950 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.481806040 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.481846094 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.485852957 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.486006975 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.486059904 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.490032911 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.490222931 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.490268946 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.494152069 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.494277954 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.494323015 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.498256922 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.498363972 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.498414040 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.502434015 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.502542973 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.502598047 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.506545067 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.506669044 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.506719112 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.510662079 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.510781050 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.510834932 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.514878035 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.514962912 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.515005112 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.519021034 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.519165993 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.519203901 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.523123026 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.523297071 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.523334980 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.527415991 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.527555943 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.527600050 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.530524969 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.530628920 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.530667067 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.533766985 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.533915997 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.533946991 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.537111998 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.537157059 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.537199974 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.540297031 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.540409088 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.540451050 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.543592930 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.543699980 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.543740034 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.546884060 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.547178030 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.547224998 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.550124884 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.550143003 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.550185919 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.673515081 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.673636913 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.673711061 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.674675941 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.675162077 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.675211906 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.675283909 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.679999113 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.680011988 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.680059910 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.682087898 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.682140112 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.682245970 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.684453964 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.684497118 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.684627056 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.687131882 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.687182903 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.687274933 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.687982082 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.687994003 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.688030958 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.690053940 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.690120935 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.690179110 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.692519903 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.692572117 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.692600012 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.694977999 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.695029020 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.695102930 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.697406054 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.697449923 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.697513103 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.699863911 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.699911118 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.699973106 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.702361107 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.702402115 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.702426910 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.704809904 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.704850912 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.704922915 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.707340956 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.707398891 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.707401037 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.709764957 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.709822893 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.709860086 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.712256908 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.712301016 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.712342024 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.714716911 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.714765072 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.714797974 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.717183113 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.717232943 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.717339039 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.719703913 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.719744921 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.719786882 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.722167969 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.722229004 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.722313881 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.724636078 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.724683046 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.724684954 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.727101088 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.727144957 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.727303028 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.729742050 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.729794025 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.729816914 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.732036114 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.732089043 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.732148886 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.734498024 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.734550953 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.734606981 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.736967087 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.737023115 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.737101078 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.739475012 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.739516973 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.739597082 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.741946936 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.741985083 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.741991997 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.744380951 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.744436026 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.744499922 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.746884108 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.746923923 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.747193098 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.749372959 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.749414921 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.749495029 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.751840115 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.751876116 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.751940966 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.754285097 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.754329920 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.754388094 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.756752968 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.756795883 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.756880999 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.759217024 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.759277105 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.759306908 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.761674881 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.761758089 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.761792898 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.764182091 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.764224052 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.764358044 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.766637087 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.766686916 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.766730070 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.769107103 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.769217014 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.905525923 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.905651093 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.905704021 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.906382084 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.906498909 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.906538963 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.908278942 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.908390999 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.908431053 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.910196066 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.910312891 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.910350084 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.912105083 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.912204981 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.912241936 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.914020061 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.914138079 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.914175034 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.915900946 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.916013002 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.916050911 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.917783022 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.917922974 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.917979956 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.919703960 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.919773102 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.919812918 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.921636105 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.921760082 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.921802044 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.923518896 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.923626900 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.923665047 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.925451040 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.925542116 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.925576925 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.927406073 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.927535057 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.927580118 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.929260015 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.929372072 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.929414988 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.931150913 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.931247950 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.931286097 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.933070898 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.933182955 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.933221102 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.934974909 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.935086966 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.935138941 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.936885118 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.936985016 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.937026024 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.938791037 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.938941956 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.938980103 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.940706015 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.940817118 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.940865993 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.942604065 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.942722082 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.942760944 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.944518089 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.944613934 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.944658041 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.946427107 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.946558952 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.946607113 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.948355913 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.948482990 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.948518991 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.950299978 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.950375080 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.950412035 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.952172995 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.952266932 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.952307940 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.954068899 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.954164028 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.954206944 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.956032991 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.956185102 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.956228971 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.957956076 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.958030939 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.958067894 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.959770918 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.959894896 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.959933996 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.961714983 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.961813927 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.961857080 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.963617086 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.963725090 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.963761091 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.965548992 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.965663910 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.965698957 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.967415094 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.967546940 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.967582941 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.969333887 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.969458103 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.969501972 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.971227884 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.971335888 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.971378088 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.973157883 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.973270893 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.973308086 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.975182056 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.975269079 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.975311041 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.977022886 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.977127075 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.977178097 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.978907108 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.978988886 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.979070902 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.981153965 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.981292963 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.981338978 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.982690096 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.982820034 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.982865095 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.984599113 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.984733105 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.984772921 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.986517906 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.986644030 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.986689091 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.988445044 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.988558054 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.988607883 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.990351915 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.990469933 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.990514994 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.992224932 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.992343903 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.992386103 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.994137049 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.994239092 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.994294882 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.996046066 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.996141911 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.996196985 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.997982025 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.998127937 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.998182058 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:37.999878883 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:37.999983072 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:38.000020981 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:38.001805067 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:38.001936913 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:38.001976013 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:38.003748894 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:38.003792048 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:38.003834963 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:38.005573988 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:38.005695105 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:38.005733967 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:38.007447958 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:38.052170992 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:38.106714010 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:38.106829882 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:38.106895924 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:38.107573986 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:38.107688904 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:38.107728958 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:38.109303951 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:38.115828037 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:38.116885900 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:38.235343933 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:38.236352921 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:38.236464977 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:38.259577990 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:38.379163027 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:39.789164066 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:39.833448887 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.099371910 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.183223963 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.218987942 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.303046942 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.303056955 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.303127050 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.303141117 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.303149939 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.303159952 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.303191900 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.303206921 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.303240061 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.303297043 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.303349018 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.307025909 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.307041883 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.307071924 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.307091951 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.307094097 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.307141066 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.422750950 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.422769070 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.422842026 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.422883987 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.422893047 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.422939062 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.422969103 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.423017979 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.423047066 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.423104048 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.423105955 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.423156023 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.423203945 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.423228979 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.423259974 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.423276901 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.426563978 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.426615953 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.426640987 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.426692009 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.426850080 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.426906109 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.470911026 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.471015930 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.542793989 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.542845964 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.543006897 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.543056965 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.543150902 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.543224096 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.543263912 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.543286085 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.543350935 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.543402910 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.543540955 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.543550968 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.543608904 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.543612003 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.543652058 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.543701887 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.543735981 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.543749094 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:40.543905973 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.543915033 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.543924093 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.543967962 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.546533108 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.546541929 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.546725988 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.546735048 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.546817064 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.546825886 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.546854973 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.546897888 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.546984911 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.546999931 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.547044039 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.547075987 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.590595961 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.590610981 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.662631989 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.662687063 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.662734032 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.662772894 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.662898064 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.662906885 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663009882 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663105965 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663115978 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663151026 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663275957 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663284063 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663420916 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663429022 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663521051 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663530111 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663537979 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663559914 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663685083 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663697004 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663711071 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663718939 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663800001 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663809061 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663872957 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663924932 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.663933039 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.664052963 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.664062023 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:40.664068937 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:41.202531099 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:41.322316885 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:42.196178913 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:42.271089077 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:42.315964937 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:42.390723944 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:42.823939085 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:42.864645958 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:42.916112900 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:43.035877943 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:43.196425915 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:43.316246986 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:44.212703943 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:44.332444906 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:44.332496881 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:44.332500935 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:44.332504988 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:44.332622051 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:44.332631111 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:45.205075979 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:45.325124025 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:45.325139999 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:45.972270966 CET	6666	49738	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:45.972398043 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:45.972568035 CET	49738	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:47.570955038 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:47.690732002 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:59.224153042 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:59.343803883 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:59.778162956 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:10:59.825803995 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:10:59.945444107 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:11:14.768781900 CET	6666	49731	8.218.163.62	192.168.2.4
Dec 26, 2024 23:11:14.768851042 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:11:14.768944025 CET	49731	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:11:16.724497080 CET	49770	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:11:16.844276905 CET	6666	49770	8.218.163.62	192.168.2.4
Dec 26, 2024 23:11:16.849633932 CET	49770	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:11:19.499937057 CET	6666	49770	8.218.163.62	192.168.2.4
Dec 26, 2024 23:11:19.500051022 CET	49770	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:11:19.500180006 CET	49770	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:11:32.992883921 CET	49807	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:11:33.112572908 CET	6666	49807	8.218.163.62	192.168.2.4
Dec 26, 2024 23:11:33.112651110 CET	49807	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:11:35.735347986 CET	6666	49807	8.218.163.62	192.168.2.4
Dec 26, 2024 23:11:35.735470057 CET	49807	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:11:35.735579014 CET	49807	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:11:49.240142107 CET	49841	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:11:49.359649897 CET	6666	49841	8.218.163.62	192.168.2.4
Dec 26, 2024 23:11:49.359731913 CET	49841	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:11:51.990386009 CET	6666	49841	8.218.163.62	192.168.2.4
Dec 26, 2024 23:11:51.990443945 CET	49841	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:11:51.990520000 CET	49841	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:12:05.427975893 CET	49877	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:12:05.547660112 CET	6666	49877	8.218.163.62	192.168.2.4
Dec 26, 2024 23:12:05.547882080 CET	49877	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:12:08.178220987 CET	6666	49877	8.218.163.62	192.168.2.4
Dec 26, 2024 23:12:08.178301096 CET	49877	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:12:08.178390980 CET	49877	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:12:21.709021091 CET	49912	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:12:21.828618050 CET	6666	49912	8.218.163.62	192.168.2.4
Dec 26, 2024 23:12:21.828824997 CET	49912	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:12:24.486093998 CET	6666	49912	8.218.163.62	192.168.2.4
Dec 26, 2024 23:12:24.486185074 CET	49912	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:12:24.486258984 CET	49912	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:12:38.162132025 CET	49947	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:12:38.513231039 CET	6666	49947	8.218.163.62	192.168.2.4
Dec 26, 2024 23:12:38.513338089 CET	49947	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:12:41.168345928 CET	6666	49947	8.218.163.62	192.168.2.4
Dec 26, 2024 23:12:41.172054052 CET	49947	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:12:41.172204971 CET	49947	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:12:54.834016085 CET	49982	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:12:54.954426050 CET	6666	49982	8.218.163.62	192.168.2.4
Dec 26, 2024 23:12:54.957822084 CET	49982	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:12:57.607212067 CET	6666	49982	8.218.163.62	192.168.2.4
Dec 26, 2024 23:12:57.607276917 CET	49982	6666	192.168.2.4	8.218.163.62
Dec 26, 2024 23:12:57.607433081 CET	49982	6666	192.168.2.4	8.218.163.62

Target ID:	0
Start time:	17:10:00
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\EpCAySF1G6.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\EpCAySF1G6.exe"
Imagebase:	0x7ff6b2fd0000
File size:	133'632 bytes
MD5 hash:	6C2F397589156433B18B4C931A684A25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Function 00000001800033B0 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 168networkstringtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32 ref: 00000001800033E1
timeGetTime.WINMM ref: 00000001800033F0
socket.WS2_32 ref: 0000000180003425
lstrlenW.KERNEL32 ref: 0000000180003452
WideCharToMultiByte.KERNEL32 ref: 0000000180003476
lstrlenW.KERNEL32 ref: 0000000180003490
WideCharToMultiByte.KERNEL32 ref: 00000001800034B3
gethostbyname.WS2_32 ref: 00000001800034C0
htons.WS2_32 ref: 00000001800034E8
connect.WS2_32 ref: 0000000180003512

Strings

0u, xrefs: 0000000180003595

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$EventResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 950253168-3203441087
Opcode ID: c39f5e32f51c546854f64cedb869f783fd802a92260de7296560489a3630704c
Instruction ID: ec4882751799e2c0c383b7b6b55624c8c334291d3863e3b1b8806a0e6b2c8991
Opcode Fuzzy Hash: c39f5e32f51c546854f64cedb869f783fd802a92260de7296560489a3630704c
Instruction Fuzzy Hash: 44814C72204B8887D765CF62F44039BB7A5F789B98F108119EB8A47B64CF3DD259CB04

Function 0000000180007220 Relevance: 19.6, APIs: 13, Instructions: 79keyboardwindowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 0000000180007232
SleepEx.KERNEL32 ref: 000000018000723D
GetSystemMetrics.USER32 ref: 000000018000725A
GetSystemMetrics.USER32 ref: 000000018000726A
GetSystemMetrics.USER32 ref: 0000000180007286
GetSystemMetrics.USER32 ref: 0000000180007294
SystemParametersInfoW.USER32 ref: 00000001800072C1
PostMessageW.USER32 ref: 00000001800072DD
SystemParametersInfoW.USER32 ref: 0000000180007305
PostMessageW.USER32 ref: 000000018000731F
BlockInput.USER32 ref: 000000018000732E
SleepEx.KERNEL32 ref: 0000000180007339
BlockInput.USER32 ref: 0000000180007353

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: System$Metrics$BlockInfoInputMessageParametersPostSleep$ObjectSingleWait
String ID:
API String ID: 4043121949-0
Opcode ID: 70942c266b939754ba25cbebb68d61ca88b0c9bf790e3a8ab3041b6dd57d2d26
Instruction ID: a6c19b3109f231f34a915171b8926a16e9bc877ec8146e86ed03d2c19bb4cb8b
Opcode Fuzzy Hash: 70942c266b939754ba25cbebb68d61ca88b0c9bf790e3a8ab3041b6dd57d2d26
Instruction Fuzzy Hash: 0F317E31A0064C83F7E69F34E8557A93762E759F95F148125FA1A026E5CF3DCA9CC701

Function 00000001800036B0 Relevance: 7.6, APIs: 5, Instructions: 74networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 0000000180003745
recv.WS2_32 ref: 000000018000376B
_errno.LIBCMT ref: 0000000180003777
_errno.LIBCMT ref: 0000000180003781
_errno.LIBCMT ref: 000000018000378E

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$recvselect
String ID:
API String ID: 4102763267-0
Opcode ID: 6e55d37ec909d9103437418c8740c1872d861fa96eb6d5ac6926f3a0f125cbe9
Instruction ID: 4ab95c07da45e580c7a1e664e6b10ca096951e97624ad3441197a06d63b559b9
Opcode Fuzzy Hash: 6e55d37ec909d9103437418c8740c1872d861fa96eb6d5ac6926f3a0f125cbe9
Instruction Fuzzy Hash: 9D3150B1218A8881EBB3DB66E4457EE73A5F78DBC8F448125EA5D47B95DF38C2088701

Function 000000018000A438 Relevance: 4.5, APIs: 3, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 000000018000A44E
GetVersion.KERNEL32 ref: 000000018000A460
HeapSetInformation.KERNEL32 ref: 000000018000A47E

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: 94408129a73656f56999525ecae4c55ea10565afadc0b2f7b1ea26e19330658e
Instruction ID: 2047585caeb0d96450b74d4388bcfadda5036b37263dce35bce5ca53fe793822
Opcode Fuzzy Hash: 94408129a73656f56999525ecae4c55ea10565afadc0b2f7b1ea26e19330658e
Instruction Fuzzy Hash: 12E06D34211B9882FBC79B10B81979A2351F79D380F808415F94A03B54DF3CC35D8B00

Function 0000000180003880 Relevance: 9.2, APIs: 6, Instructions: 154memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000001800038A3
VirtualAlloc.KERNEL32 ref: 0000000180003930
VirtualFree.KERNEL32 ref: 0000000180003972
VirtualAlloc.KERNEL32 ref: 00000001800039FF
VirtualFree.KERNEL32 ref: 0000000180003A41
GetCurrentThreadId.KERNEL32 ref: 0000000180003B03

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Virtual$AllocCurrentFreeThread
String ID:
API String ID: 1155560630-0
Opcode ID: 8b6e9cac55fcb94c4589c94077f4ba159caac3e0e6979146c6a5574917763282
Instruction ID: df7756c0319fa8f7c34d354fcb88f8a0a6f1099b4b6e46882ba731de937d8674
Opcode Fuzzy Hash: 8b6e9cac55fcb94c4589c94077f4ba159caac3e0e6979146c6a5574917763282
Instruction Fuzzy Hash: AB716B32314A849BE79ACB26E24179AB3A4F749BC4F50C115EB9A83754DF34E5B9CB00

Function 0000000180009AEC Relevance: 9.1, APIs: 6, Instructions: 63threadCOMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180009B17
_invalid_parameter_noinfo.LIBCMT ref: 0000000180009B22
_getptd.LIBCMT ref: 0000000180009B48
CreateThread.KERNEL32 ref: 0000000180009B9D
GetLastError.KERNEL32 ref: 0000000180009BA8
free.LIBCMT ref: 0000000180009BB3

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CreateErrorLastThread_errno_getptd_invalid_parameter_noinfofree
String ID:
API String ID: 3283625137-0
Opcode ID: dd8a0689508e11d5c57570d14ec8144f228c8fb4f8394bd5431a01ddf698605e
Instruction ID: 840def7598a3f49dface6fdfb57da55888d9872d4ea26a0761dfc1c2d03df44e
Opcode Fuzzy Hash: dd8a0689508e11d5c57570d14ec8144f228c8fb4f8394bd5431a01ddf698605e
Instruction Fuzzy Hash: DE21953120578886EA96EBA5B5407DEB394F748BE0F44C625BF69077D6CF38C659C700

Function 0000000180007CD0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001800098E0: _errno.LIBCMT ref: 00000001800098FF
Part of subcall function 00000001800098E0: _invalid_parameter_noinfo.LIBCMT ref: 000000018000990B

CreateThread.KERNEL32 ref: 0000000180007D26
WaitForSingleObject.KERNEL32 ref: 0000000180007D39
Sleep.KERNEL32 ref: 0000000180007D44

Strings

8.218.163.62, xrefs: 0000000180007CE7

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CreateObjectSingleSleepThreadWait_errno_invalid_parameter_noinfo
String ID: 8.218.163.62
API String ID: 3250838383-1363004327
Opcode ID: ee251b6672f538fce85ce1461ad2ae9822523f704c58887222570a03768aac97
Instruction ID: b1a993e78e5df7196a1f9103c4f3313f6e5f02e6875fe0577fbfca53cd9755b4
Opcode Fuzzy Hash: ee251b6672f538fce85ce1461ad2ae9822523f704c58887222570a03768aac97
Instruction Fuzzy Hash: 8E012135A0874882E752DF65B80039677A2F78D7D0F54C526FA5943BA4DF38C659C700

Function 0000000180003330 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 000000018000336D
CancelIo.KERNEL32 ref: 000000018000337A
closesocket.WS2_32 ref: 000000018000338A
SetEvent.KERNEL32 ref: 0000000180003394

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CancelEventclosesocketsetsockopt
String ID:
API String ID: 852421847-0
Opcode ID: fb0b7b03ff0f7f82b9b9a198a3f5bea35088d74b0945c8c54248ee40735093d4
Instruction ID: c89a85dcc85f2820bd1d44f1685216a88981129d8207b33963c3667712326490
Opcode Fuzzy Hash: fb0b7b03ff0f7f82b9b9a198a3f5bea35088d74b0945c8c54248ee40735093d4
Instruction Fuzzy Hash: 95F03C36204B8883D7568F25F55839AB331F789BA4F104326DBA907AE4CF39D16ACB01

Function 0000000180003B30 Relevance: 3.1, APIs: 2, Instructions: 66networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 0000000180003B93
send.WS2_32 ref: 0000000180003BE0

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: eb3704afbb32cf80d8fc2292d74d73e20feec4cdc86b00731784d67511de0108
Instruction ID: 6b34267509c55f841139bed956c58f3dca68e6a39299f3758afa0e204980c870
Opcode Fuzzy Hash: eb3704afbb32cf80d8fc2292d74d73e20feec4cdc86b00731784d67511de0108
Instruction Fuzzy Hash: E3210A32704A8841E3A29B17B84679A7798F78CBD8F146121FF5993B91EFB4C5868300

Function 0000000180003800 Relevance: 3.0, APIs: 2, Instructions: 37timeCOMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 000000018000382B
timeGetTime.WINMM ref: 000000018000384F

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: 0778f1d0a279133f473acebe3396a217bab1a2d504ab5fe232e1993094d960a7
Instruction ID: 332856b26b82134b3ef7a07e2ed24c5cf692bcfec66c8bcfdeb8bde821065700
Opcode Fuzzy Hash: 0778f1d0a279133f473acebe3396a217bab1a2d504ab5fe232e1993094d960a7
Instruction Fuzzy Hash: 8701B13260474887E7A68B26E2883AD3361F348BC4F00D255F75A03AD0CF78C6A9C745

Function 00000001800071B0 Relevance: 3.0, APIs: 2, Instructions: 27synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00000001800071D6
SleepEx.KERNEL32 ref: 00000001800071E1

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: ObjectSingleSleepWait
String ID:
API String ID: 309074506-0
Opcode ID: 973f945b5f5bd05faa339c84ed4b4d64e7dd1bb77631d768f487176a52932222
Instruction ID: d240cae8efa247cafc641eba02f268f3daaf734ce7d259a1098478c3c6c06a96
Opcode Fuzzy Hash: 973f945b5f5bd05faa339c84ed4b4d64e7dd1bb77631d768f487176a52932222
Instruction Fuzzy Hash: 8FF0B430A0028981F7A7DB35A4053E93751A75EBE4F088720F96A062E7CE2CC69D8B40

Function 0000000180001080 Relevance: 2.6, APIs: 2, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00000001800010F8
VirtualFree.KERNELBASE ref: 0000000180001133

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 0bc9f78ae1633a0983af31e5b68c7c71bed81a00c7b6da28ef8ad6e13dba2874
Instruction ID: 72b7d3aad03fba2e165de2875db50fa41f8e49807fafbd3a688aa19225b51365
Opcode Fuzzy Hash: 0bc9f78ae1633a0983af31e5b68c7c71bed81a00c7b6da28ef8ad6e13dba2874
Instruction Fuzzy Hash: 3041C632704A888BD78ECE2AE8507DAB791F788BC9F04C529BE4A87758DF34C655C740

Function 00000001800011F0 Relevance: 2.6, APIs: 2, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 0000000180001261
VirtualFree.KERNELBASE ref: 0000000180001295

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: e91e90dc211d4ac3dd2b8696ed2320e9465410aba3749ec224a793f89fd65685
Instruction ID: 39d2c09b0ad49af19ec391e2e33cc425ff618e5df754bb9e500cc7b052027a43
Opcode Fuzzy Hash: e91e90dc211d4ac3dd2b8696ed2320e9465410aba3749ec224a793f89fd65685
Instruction Fuzzy Hash: 11217132714A448BDB86CB2AE54038AB3A1F78CBC0F548521FA5993B58DF34D9E68B40

Function 0000000180009A1C Relevance: 1.5, APIs: 1, Instructions: 10threadCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000BFD4: GetLastError.KERNEL32(?,?,?,000000018000999D,?,?,?,?,000000018003BFEA,?,?,?,?,000000018003BBF1), ref: 000000018000BFDE
Part of subcall function 000000018000BFD4: FlsGetValue.KERNEL32(?,?,?,000000018000999D,?,?,?,?,000000018003BFEA,?,?,?,?,000000018003BBF1), ref: 000000018000BFEC
Part of subcall function 000000018000BFD4: FlsSetValue.KERNEL32(?,?,?,000000018000999D,?,?,?,?,000000018003BFEA,?,?,?,?,000000018003BBF1), ref: 000000018000C018
Part of subcall function 000000018000BFD4: GetCurrentThreadId.KERNEL32 ref: 000000018000C02C
Part of subcall function 000000018000BFD4: SetLastError.KERNEL32(?,?,?,000000018000999D,?,?,?,?,000000018003BFEA,?,?,?,?,000000018003BBF1), ref: 000000018000C044

ExitThread.KERNEL32 ref: 0000000180009A38

Part of subcall function 000000018000C1B0: FlsGetValue.KERNEL32(?,?,?,0000000180009A36), ref: 000000018000C1C9
Part of subcall function 000000018000C1B0: FlsSetValue.KERNEL32(?,?,?,0000000180009A36), ref: 000000018000C1DA
Part of subcall function 000000018000C1B0: _freefls.LIBCMT ref: 000000018000C1E3

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Value$ErrorLastThread$CurrentExit_freefls
String ID:
API String ID: 1216290073-0
Opcode ID: 9ba43617d6060a859f6f529ed5b059fca6f098e0afadc2de5d5e5b81517bc422
Instruction ID: 7e2d9716788195060093211f914c8c74f8015c82e9622f0a3ead5c94187099e4
Opcode Fuzzy Hash: 9ba43617d6060a859f6f529ed5b059fca6f098e0afadc2de5d5e5b81517bc422
Instruction Fuzzy Hash: BFC04C7071230D52FEABB7B129567EA22551B5D780F049839790646383ED38CA5D4B81

Function 000000018000A490 Relevance: 1.5, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

HeapDestroy.KERNELBASE(?,?,?,?,0000000180009E1A), ref: 000000018000A49B

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: DestroyHeap
String ID:
API String ID: 2435110975-0
Opcode ID: c76baf734cacc463f3edf7ce4c9f6505949cbacf67135dc3e5461fc18087faf8
Instruction ID: f40b699132607b01ac98de3414add4ed6839e3c976b6b0eec7b6fd1eca4493b3
Opcode Fuzzy Hash: c76baf734cacc463f3edf7ce4c9f6505949cbacf67135dc3e5461fc18087faf8
Instruction Fuzzy Hash: FEC04C75911B5885EA465701FC593551231735D786FD14501A15506220DF28536D4B04

Non-executed Functions

Function 000000018000DC00 Relevance: 40.7, APIs: 22, Strings: 1, Instructions: 465COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018000DC56
_errno.LIBCMT ref: 000000018000DC5D
_invalid_parameter_noinfo.LIBCMT ref: 000000018000DC68

Strings

U, xrefs: 000000018000E1E4

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 78163aeb16f3b2ad721e63b0b1cc5a7f9fec38332dbcf66c90668829aeb81261
Instruction ID: d7937c02fd39bc783c8ca0f4a119cf2a7a79a18cfdc3a9c8ffef8114b50bd813
Opcode Fuzzy Hash: 78163aeb16f3b2ad721e63b0b1cc5a7f9fec38332dbcf66c90668829aeb81261
Instruction Fuzzy Hash: D812E23220468D86EBA2CF25E4443EA77A1F78D7C4F508126FA4A477A5DF79C64DCB10

Function 000000018000D6C8 Relevance: 40.4, APIs: 16, Strings: 7, Instructions: 136libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,?,?,?,00000001800010E2), ref: 000000018000D70D
GetProcAddress.KERNEL32(?,?,?,?,00000001800010E2), ref: 000000018000D729
EncodePointer.KERNEL32(?,?,?,?,00000001800010E2), ref: 000000018000D73B
GetProcAddress.KERNEL32(?,?,?,?,00000001800010E2), ref: 000000018000D752
EncodePointer.KERNEL32(?,?,?,?,00000001800010E2), ref: 000000018000D75B
GetProcAddress.KERNEL32(?,?,?,?,00000001800010E2), ref: 000000018000D772
EncodePointer.KERNEL32(?,?,?,?,00000001800010E2), ref: 000000018000D77B
GetProcAddress.KERNEL32(?,?,?,?,00000001800010E2), ref: 000000018000D792
EncodePointer.KERNEL32(?,?,?,?,00000001800010E2), ref: 000000018000D79B
GetProcAddress.KERNEL32(?,?,?,?,00000001800010E2), ref: 000000018000D7BA
EncodePointer.KERNEL32(?,?,?,?,00000001800010E2), ref: 000000018000D7C3
DecodePointer.KERNEL32(?,?,?,?,00000001800010E2), ref: 000000018000D7F6
DecodePointer.KERNEL32(?,?,?,?,00000001800010E2), ref: 000000018000D806
DecodePointer.KERNEL32(?,?,?,?,00000001800010E2), ref: 000000018000D85C
DecodePointer.KERNEL32(?,?,?,?,00000001800010E2), ref: 000000018000D87D
DecodePointer.KERNEL32(?,?,?,?,00000001800010E2), ref: 000000018000D897

Strings

GetProcessWindowStation, xrefs: 000000018000D7B0
USER32.DLL, xrefs: 000000018000D706
ceil, xrefs: 000000018000D6CD
GetUserObjectInformationW, xrefs: 000000018000D781
GetActiveWindow, xrefs: 000000018000D741
MessageBoxW, xrefs: 000000018000D71F
GetLastActivePopup, xrefs: 000000018000D761

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL$ceil
API String ID: 2643518689-1731902841
Opcode ID: eef35e60d56da27d5e0b8f6531723091c283c3a98b3616d90fc0a75479ed4d59
Instruction ID: d3535494732f59449f14b0ffd64b58ac3c11d9095fcdc68b8c456ff81783e8f1
Opcode Fuzzy Hash: eef35e60d56da27d5e0b8f6531723091c283c3a98b3616d90fc0a75479ed4d59
Instruction Fuzzy Hash: 9551D435202B4D81FED7DB51BD143EA63A5AB8EBC4F19C526AC1E427A0EF38C6598310

Function 000000018000B360 Relevance: 32.2, APIs: 16, Strings: 2, Instructions: 705COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000B178: _getptd.LIBCMT ref: 000000018000B18A

_errno.LIBCMT ref: 000000018000B3CE
_invalid_parameter_noinfo.LIBCMT ref: 000000018000B3D9
_fileno.LIBCMT ref: 000000018000B411
_errno.LIBCMT ref: 000000018000B482
_invalid_parameter_noinfo.LIBCMT ref: 000000018000B48D
write_multi_char.LIBCMT ref: 000000018000BA5A
write_multi_char.LIBCMT ref: 000000018000BA8C
write_multi_char.LIBCMT ref: 000000018000BB38
free.LIBCMT ref: 000000018000BB51
write_char.LIBCMT ref: 000000018000BC90
write_char.LIBCMT ref: 000000018000BCB1

Strings

, xrefs: 000000018000BA2A
@, xrefs: 000000018000B3FD

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: write_multi_char$_errno_invalid_parameter_noinfowrite_char$_fileno_getptdfree
String ID: $@
API String ID: 1084558760-1077428164
Opcode ID: f97f1089f32f823f76d012dd0c8ab0c25e338b7442b712b783bf9d2dc336e878
Instruction ID: 2452bdb042314e0fe3febcab99f57ae4159cb2aa2937afe0bebb37c6ce2e0c15
Opcode Fuzzy Hash: f97f1089f32f823f76d012dd0c8ab0c25e338b7442b712b783bf9d2dc336e878
Instruction Fuzzy Hash: CC52C17260868886FBE6CB1594443EE7BA1B7897C4F14C016FA46C66E9DF79CB48CF01

Function 0000000180007370 Relevance: 18.2, APIs: 12, Instructions: 156keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180008840: GetCurrentThreadId.KERNEL32 ref: 0000000180008867
Part of subcall function 0000000180008840: GetThreadDesktop.USER32 ref: 000000018000886F
Part of subcall function 0000000180008840: GetUserObjectInformationW.USER32 ref: 00000001800088AD
Part of subcall function 0000000180008840: OpenInputDesktop.USER32 ref: 00000001800088BD
Part of subcall function 0000000180008840: GetUserObjectInformationW.USER32 ref: 00000001800088F5
Part of subcall function 0000000180008840: lstrcmpiW.KERNEL32 ref: 0000000180008908
Part of subcall function 0000000180008840: SetThreadDesktop.USER32 ref: 0000000180008915
Part of subcall function 0000000180008840: CloseDesktop.USER32 ref: 0000000180008921
Part of subcall function 0000000180008840: CloseDesktop.USER32 ref: 000000018000892A

BlockInput.USER32(?,?), ref: 00000001800073E2
GetDeviceCaps.GDI32 ref: 000000018000740A
GetDeviceCaps.GDI32 ref: 0000000180007447
MapVirtualKeyW.USER32 ref: 00000001800074B3
keybd_event.USER32 ref: 00000001800074CD
MapVirtualKeyW.USER32 ref: 00000001800074DA
keybd_event.USER32 ref: 00000001800074F4
MapVirtualKeyW.USER32 ref: 0000000180007518
keybd_event.USER32 ref: 0000000180007531
MapVirtualKeyW.USER32 ref: 000000018000753E
keybd_event.USER32 ref: 0000000180007558
mouse_event.USER32 ref: 000000018000765E

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Desktop$Virtualkeybd_event$Thread$CapsCloseDeviceInformationInputObjectUser$BlockCurrentOpenlstrcmpimouse_event
String ID:
API String ID: 2279423893-0
Opcode ID: 69497c29c268d0f439f463573f78983a09bc20c3fced7f49a25841584d429e76
Instruction ID: 8537ef26d2cea1f88f4013564da5ad79e0ad6c78322d96bc04cbb05961646402
Opcode Fuzzy Hash: 69497c29c268d0f439f463573f78983a09bc20c3fced7f49a25841584d429e76
Instruction Fuzzy Hash: 2C51C631B04A8882E3DAC739A8447EA77A1FB6D7C4F54C211FA4A436A5DF3DDA59C700

Function 0000000180007870 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 169timeCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00000001800078B0
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000000180007977
CreateEventW.KERNEL32 ref: 00000001800079B8
CreateEventW.KERNEL32 ref: 00000001800079E6
CreateEventW.KERNEL32 ref: 0000000180007A14
timeGetTime.WINMM ref: 0000000180007B2A
CreateEventW.KERNEL32 ref: 0000000180007B3F
CreateEventW.KERNEL32 ref: 0000000180007B53

Strings

<, xrefs: 00000001800078FE
<, xrefs: 00000001800078F7

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CreateEvent$CountCriticalInitializeSectionSpinTimetime
String ID: <$<
API String ID: 4111701721-213342407
Opcode ID: 05f9d6eeaa2301f8c5e41fb04d78acce11e74ccbb37d7a5d7c4285ec94b96cf4
Instruction ID: e02a7c7d02dad20fce2fd409f54c99c8a92b6f6ebfb2fc417219275c2c9e63df
Opcode Fuzzy Hash: 05f9d6eeaa2301f8c5e41fb04d78acce11e74ccbb37d7a5d7c4285ec94b96cf4
Instruction Fuzzy Hash: 4C816932201B9486E785DF30E8547DD37A9F748F88F18813AEE594B799CF788255CB50

Function 000000018000A88C Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 159fileCOMMON

Download Yara Rule

APIs

_set_error_mode.LIBCMT ref: 000000018000A8D1
_set_error_mode.LIBCMT ref: 000000018000A8E2
GetModuleFileNameW.KERNEL32 ref: 000000018000A944

Part of subcall function 000000018000ACC0: GetCurrentProcess.KERNEL32(?,?,?,?,000000018000AD62), ref: 000000018000ACD8

GetStdHandle.KERNEL32 ref: 000000018000AA59
WriteFile.KERNEL32 ref: 000000018000AAB6

Strings

..., xrefs: 000000018000A996
ceil, xrefs: 000000018000A89C
Microsoft Visual C++ Runtime Library, xrefs: 000000018000A9FD
<program name unknown>, xrefs: 000000018000A953
Runtime Error!Program: , xrefs: 000000018000A911

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $ceil
API String ID: 2183313154-2708072404
Opcode ID: e803c1d3af5ecec9753290f83e9ab5e79e588cb5316708bd98aa3b48a103dd17
Instruction ID: af3c5ad1f1de3f023366cba7ce7246f7b398c9545f6d521bd91af1248e81a5c2
Opcode Fuzzy Hash: e803c1d3af5ecec9753290f83e9ab5e79e588cb5316708bd98aa3b48a103dd17
Instruction Fuzzy Hash: 9F51BE3131868882FAA6DB25A911BDA3391A78F7D0F54C116FE5903BC6DF38C709C701

Function 000000018000AB74 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000018000ABE1
RtlLookupFunctionEntry.KERNEL32 ref: 000000018000ABF9
RtlVirtualUnwind.KERNEL32 ref: 000000018000AC33
IsDebuggerPresent.KERNEL32 ref: 000000018000AC69
SetUnhandledExceptionFilter.KERNEL32 ref: 000000018000AC73
UnhandledExceptionFilter.KERNEL32 ref: 000000018000AC7E

Strings

ceil, xrefs: 000000018000AB80

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID: ceil
API String ID: 1239891234-3069211559
Opcode ID: 547dbf1b02abe9440baa9f8f4ff2ca07c8d875fe4d7c9c04976ebe548166385e
Instruction ID: ad9169e07515aed976b9ba48c315529bc9b2c52a188ebb741d918b587164d0d0
Opcode Fuzzy Hash: 547dbf1b02abe9440baa9f8f4ff2ca07c8d875fe4d7c9c04976ebe548166385e
Instruction Fuzzy Hash: A7319032214B8886EBA1CF25E8407DF73A4F789794F514116FA9D43B95DF38C649CB00

Function 0000000180008600 Relevance: 12.1, APIs: 8, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

ReleaseDC.USER32 ref: 0000000180008634
GetDC.USER32 ref: 000000018000863C
GetCursorPos.USER32 ref: 000000018000866F
BitBlt.GDI32 ref: 000000018000872C
GetTickCount.KERNEL32 ref: 000000018000874C
Sleep.KERNEL32 ref: 0000000180008765
GetTickCount.KERNEL32 ref: 000000018000876B
GetTickCount.KERNEL32 ref: 000000018000877F

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CountTick$CursorReleaseSleep
String ID:
API String ID: 1603040516-0
Opcode ID: 6a0133b0f874e709b43431347706ad5dec5376e7ac02394a3babd20454a655ee
Instruction ID: 65bcf487f87c86bc5952fa777737346912f80f57b0d51337cefdee1cc81c5337
Opcode Fuzzy Hash: 6a0133b0f874e709b43431347706ad5dec5376e7ac02394a3babd20454a655ee
Instruction Fuzzy Hash: EF416D326047889BD79ACF39E24079EB7B1F748790F008115EB8983A44DF38E5B9CB01

Function 00000001800090E0 Relevance: 12.1, APIs: 8, Instructions: 67COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000018000A0A7
RtlLookupFunctionEntry.KERNEL32 ref: 000000018000A0C6
RtlVirtualUnwind.KERNEL32 ref: 000000018000A112
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000000018000ACA7), ref: 000000018000A184
SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000000018000ACA7), ref: 000000018000A19C
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000000018000ACA7), ref: 000000018000A1A9
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000000018000ACA7), ref: 000000018000A1C2
TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,000000018000ACA7), ref: 000000018000A1D0

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 3fe5d9be6abb456b153f2fd78e6a0890fc2cf96e21cb3a436cb3c3cbb8aa6692
Instruction ID: 92d4229850ceaceddd7c782502ba5022ea39dcecbc37d68dfe865f03005425cd
Opcode Fuzzy Hash: 3fe5d9be6abb456b153f2fd78e6a0890fc2cf96e21cb3a436cb3c3cbb8aa6692
Instruction Fuzzy Hash: 78311335508B4C86EB92AB15F8803DA73A1F78D3D0F618026FA9E477A5DF7DC2588700

Function 00000001800076C3 Relevance: 12.0, APIs: 8, Instructions: 49clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00000001800076E2
EmptyClipboard.USER32(?,?,?,?,?), ref: 00000001800076F1
GlobalAlloc.KERNEL32(?,?,?,?,?), ref: 0000000180007702
GlobalLock.KERNEL32 ref: 0000000180007713
GlobalUnlock.KERNEL32 ref: 000000018000772A
SetClipboardData.USER32 ref: 0000000180007738
GlobalFree.KERNEL32 ref: 0000000180007741
CloseClipboard.USER32(?,?,?,?,?), ref: 0000000180007747

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 453615576-0
Opcode ID: c324e4f9ed4764e5596ff27f5279ee80f8690d45007cef04fa72d5e1ed59cc9a
Instruction ID: b194addbfe9b26d0ab635f73133e22ed73d0d91d4edad7232035568f5b796e29
Opcode Fuzzy Hash: c324e4f9ed4764e5596ff27f5279ee80f8690d45007cef04fa72d5e1ed59cc9a
Instruction Fuzzy Hash: E301FF75704B4D82EA8A9B52B8583EA6351EB4DFC1F099036AD4B07755DF2CC65D8340

Function 0000000180006DB0 Relevance: 12.0, APIs: 8, Instructions: 44clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00000001800076E2
EmptyClipboard.USER32(?,?,?,?,?), ref: 00000001800076F1
GlobalAlloc.KERNEL32(?,?,?,?,?), ref: 0000000180007702
GlobalLock.KERNEL32 ref: 0000000180007713
GlobalUnlock.KERNEL32 ref: 000000018000772A
SetClipboardData.USER32 ref: 0000000180007738
GlobalFree.KERNEL32 ref: 0000000180007741
CloseClipboard.USER32(?,?,?,?,?), ref: 0000000180007747

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 453615576-0
Opcode ID: 375e20a99bf2319a86a66ff350dcc740ae14344422d4cbb28c6d44e50ed1fcbe
Instruction ID: 683c79a761524da91316f7a972f8740088dc3dce9a1cce0b7c72746da1918862
Opcode Fuzzy Hash: 375e20a99bf2319a86a66ff350dcc740ae14344422d4cbb28c6d44e50ed1fcbe
Instruction Fuzzy Hash: 8F118435714B4982EA9A9B12B8443AA6351FB4CFC0F099036FE4F07755DF3CC6998340

Function 0000000180006D99 Relevance: 9.1, APIs: 6, Instructions: 60clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 000000018000776B
GetClipboardData.USER32 ref: 0000000180007783
GlobalSize.KERNEL32 ref: 00000001800077B4
GlobalLock.KERNEL32 ref: 00000001800077C1
GlobalUnlock.KERNEL32 ref: 00000001800077EF
CloseClipboard.USER32 ref: 00000001800077F5

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: ClipboardGlobal$CloseDataLockOpenSizeUnlock
String ID:
API String ID: 1964585863-0
Opcode ID: 5e27bf2a7382e610c6a91c43ad33970337c36fceabc1802507e96028b810b86a
Instruction ID: ba8cbadef7bf09348e7265ddccb45d7e132c969cb973bab97690c3bb7856a0fd
Opcode Fuzzy Hash: 5e27bf2a7382e610c6a91c43ad33970337c36fceabc1802507e96028b810b86a
Instruction Fuzzy Hash: C4213D32718A8882E7969B52F4583AA7360F78CFC5F189026FE4A07B56DF3DC659C700

Function 000000018000D154 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000018000D18B
GetCurrentProcessId.KERNEL32 ref: 000000018000D196
GetCurrentThreadId.KERNEL32 ref: 000000018000D1A2
GetTickCount.KERNEL32 ref: 000000018000D1AE
QueryPerformanceCounter.KERNEL32 ref: 000000018000D1BF

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 74ebcfaa1585adeb4553c2b651c04ae91b55a7832ce35f07ceca5609dd6a977e
Instruction ID: 64199a0b69e1a65d1df8218f42b8becb81c33f6c64bd41741b06a6c4f539d25f
Opcode Fuzzy Hash: 74ebcfaa1585adeb4553c2b651c04ae91b55a7832ce35f07ceca5609dd6a977e
Instruction Fuzzy Hash: A0015B31265B4C92E7C28F21F8443966361F74EBD0F55A522FE6A477A0DE38CA998300

Function 0000000180002880 Relevance: 1.8, Strings: 1, Instructions: 599COMMON

Download Yara Rule

Strings

[RO] %ld bytes, xrefs: 00000001800029CA, 0000000180002F28, 000000018000308F

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID: [RO] %ld bytes
API String ID: 0-772938740
Opcode ID: 459f5504e9e704ec9cd6536985179fca075ed0b2fdb4cbfe3347bd892f916517
Instruction ID: ea451133cc71beb6ead4a8e2b9dcfa473d362eb5e7058315a1ebab0c0645d117
Opcode Fuzzy Hash: 459f5504e9e704ec9cd6536985179fca075ed0b2fdb4cbfe3347bd892f916517
Instruction Fuzzy Hash: CF528E732092C48FD36ACF29E44079EBBA0F369B48F448129EBC587B45DB78D959CB50

Function 0000000180007591 Relevance: 1.5, APIs: 1, Instructions: 21keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(?,?), ref: 00000001800073E2
GetDeviceCaps.GDI32 ref: 000000018000740A
GetDeviceCaps.GDI32 ref: 0000000180007447
MapVirtualKeyW.USER32 ref: 00000001800074B3
keybd_event.USER32 ref: 00000001800074CD
mouse_event.USER32 ref: 000000018000765E

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CapsDevice$BlockInputVirtualkeybd_eventmouse_event
String ID:
API String ID: 1381131145-0
Opcode ID: cfbf087a84474e10d918829ffa8c6be962006b0e009a0cda664c11313fd55a8a
Instruction ID: 595ed494fcdefadc8ac681faddca1516c98c0760401290edadde9f4cea5416c8
Opcode Fuzzy Hash: cfbf087a84474e10d918829ffa8c6be962006b0e009a0cda664c11313fd55a8a
Instruction Fuzzy Hash: ABE06D66718984C2E2528B19B00138BA761F7987D5F245112EF8D43B68CE39C29ACB00

Function 0000000180030DA0 Relevance: .7, Instructions: 679COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80290d1d8bad87e0592b8ef29a3c3ec20167a743bd2eff6d23ab07c448ac93f8
Instruction ID: 0325a7ae0354827c0e2fddb97fec9f8c092c603d59696671edbf51ea75ce31cc
Opcode Fuzzy Hash: 80290d1d8bad87e0592b8ef29a3c3ec20167a743bd2eff6d23ab07c448ac93f8
Instruction Fuzzy Hash: 06626F766017548BD7A68F26C0807AD37B1F34CFA9F269216EF4A43789CB34C995CB90

Function 00000001800103F0 Relevance: 107.7, APIs: 86, Instructions: 180COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000000180010405

Part of subcall function 0000000180009640: RtlFreeHeap.NTDLL(?,?,00000000,000000018000C040,?,?,?,000000018000999D,?,?,?,?,000000018003BFEA), ref: 0000000180009656
Part of subcall function 0000000180009640: _errno.LIBCMT ref: 0000000180009660
Part of subcall function 0000000180009640: GetLastError.KERNEL32(?,?,00000000,000000018000C040,?,?,?,000000018000999D,?,?,?,?,000000018003BFEA), ref: 0000000180009668

free.LIBCMT ref: 000000018001040E
free.LIBCMT ref: 0000000180010417
free.LIBCMT ref: 0000000180010420
free.LIBCMT ref: 0000000180010429
free.LIBCMT ref: 0000000180010432
free.LIBCMT ref: 000000018001043A
free.LIBCMT ref: 0000000180010443
free.LIBCMT ref: 000000018001044C
free.LIBCMT ref: 0000000180010455
free.LIBCMT ref: 000000018001045E
free.LIBCMT ref: 0000000180010467
free.LIBCMT ref: 0000000180010470
free.LIBCMT ref: 0000000180010479
free.LIBCMT ref: 0000000180010482
free.LIBCMT ref: 000000018001048B
free.LIBCMT ref: 0000000180010497
free.LIBCMT ref: 00000001800104A3
free.LIBCMT ref: 00000001800104AF
free.LIBCMT ref: 00000001800104BB
free.LIBCMT ref: 00000001800104C7
free.LIBCMT ref: 00000001800104D3
free.LIBCMT ref: 00000001800104DF
free.LIBCMT ref: 00000001800104EB
free.LIBCMT ref: 00000001800104F7
free.LIBCMT ref: 0000000180010503
free.LIBCMT ref: 000000018001050F
free.LIBCMT ref: 000000018001051B
free.LIBCMT ref: 0000000180010527
free.LIBCMT ref: 0000000180010533
free.LIBCMT ref: 000000018001053F
free.LIBCMT ref: 000000018001054B
free.LIBCMT ref: 0000000180010557
free.LIBCMT ref: 0000000180010563
free.LIBCMT ref: 000000018001056F
free.LIBCMT ref: 000000018001057B
free.LIBCMT ref: 0000000180010587
free.LIBCMT ref: 0000000180010593
free.LIBCMT ref: 000000018001059F
free.LIBCMT ref: 00000001800105AB
free.LIBCMT ref: 00000001800105B7
free.LIBCMT ref: 00000001800105C3
free.LIBCMT ref: 00000001800105CF
free.LIBCMT ref: 00000001800105DB
free.LIBCMT ref: 00000001800105E7
free.LIBCMT ref: 00000001800105F3
free.LIBCMT ref: 00000001800105FF
free.LIBCMT ref: 000000018001060B
free.LIBCMT ref: 0000000180010617
free.LIBCMT ref: 0000000180010623
free.LIBCMT ref: 000000018001062F
free.LIBCMT ref: 000000018001063B
free.LIBCMT ref: 0000000180010647
free.LIBCMT ref: 0000000180010653
free.LIBCMT ref: 000000018001065F
free.LIBCMT ref: 000000018001066B
free.LIBCMT ref: 0000000180010677
free.LIBCMT ref: 0000000180010683
free.LIBCMT ref: 000000018001068F
free.LIBCMT ref: 000000018001069B
free.LIBCMT ref: 00000001800106A7
free.LIBCMT ref: 00000001800106B3
free.LIBCMT ref: 00000001800106BF
free.LIBCMT ref: 00000001800106CB
free.LIBCMT ref: 00000001800106D7
free.LIBCMT ref: 00000001800106E3
free.LIBCMT ref: 00000001800106EF
free.LIBCMT ref: 00000001800106FB
free.LIBCMT ref: 0000000180010707
free.LIBCMT ref: 0000000180010713
free.LIBCMT ref: 000000018001071F
free.LIBCMT ref: 000000018001072B
free.LIBCMT ref: 0000000180010737
free.LIBCMT ref: 0000000180010743
free.LIBCMT ref: 000000018001074F
free.LIBCMT ref: 000000018001075B
free.LIBCMT ref: 0000000180010767
free.LIBCMT ref: 0000000180010773
free.LIBCMT ref: 000000018001077F
free.LIBCMT ref: 000000018001078B
free.LIBCMT ref: 0000000180010797
free.LIBCMT ref: 00000001800107A3
free.LIBCMT ref: 00000001800107AF
free.LIBCMT ref: 00000001800107BB
free.LIBCMT ref: 00000001800107C7
free.LIBCMT ref: 00000001800107D3

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 021b41133cd1ead1be3f60199342001b1f29ae534ddb99bc225400cd6796cf43
Instruction ID: be9f4a51adaeba7f25736ffa2ce7e74a650e6789f8973609459047087f1058fd
Opcode Fuzzy Hash: 021b41133cd1ead1be3f60199342001b1f29ae534ddb99bc225400cd6796cf43
Instruction Fuzzy Hash: BCA1543225255885EB86FFF1C8953ED3321ABC8F84F048132BB4D5B5A7CE12CA49C390

Function 00000001800080D0 Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

Part of subcall function 00000001800066B0: LoadCursorW.USER32 ref: 000000018000677E

Part of subcall function 0000000180008840: GetCurrentThreadId.KERNEL32 ref: 0000000180008867
Part of subcall function 0000000180008840: GetThreadDesktop.USER32 ref: 000000018000886F
Part of subcall function 0000000180008840: GetUserObjectInformationW.USER32 ref: 00000001800088AD
Part of subcall function 0000000180008840: OpenInputDesktop.USER32 ref: 00000001800088BD
Part of subcall function 0000000180008840: GetUserObjectInformationW.USER32 ref: 00000001800088F5
Part of subcall function 0000000180008840: lstrcmpiW.KERNEL32 ref: 0000000180008908
Part of subcall function 0000000180008840: SetThreadDesktop.USER32 ref: 0000000180008915
Part of subcall function 0000000180008840: CloseDesktop.USER32 ref: 0000000180008921
Part of subcall function 0000000180008840: CloseDesktop.USER32 ref: 000000018000892A

ReleaseDC.USER32 ref: 0000000180008124
GetDesktopWindow.USER32 ref: 000000018000812E
GetDC.USER32 ref: 000000018000813B
GetTickCount.KERNEL32 ref: 0000000180008153
GetDC.USER32 ref: 0000000180008176
GetDeviceCaps.GDI32 ref: 0000000180008187
GetDeviceCaps.GDI32 ref: 0000000180008197
GetDeviceCaps.GDI32 ref: 00000001800081A5
GetDeviceCaps.GDI32 ref: 00000001800081B5
ReleaseDC.USER32 ref: 00000001800081D7
GetSystemMetrics.USER32 ref: 00000001800081E2
GetSystemMetrics.USER32 ref: 0000000180008200
GetSystemMetrics.USER32 ref: 0000000180008255
GetSystemMetrics.USER32 ref: 0000000180008273
CreateCompatibleDC.GDI32(?), ref: 00000001800082A8
CreateCompatibleDC.GDI32 ref: 00000001800082B6
CreateCompatibleDC.GDI32 ref: 00000001800082C4
CreateDIBSection.GDI32 ref: 000000018000831D
CreateDIBSection.GDI32 ref: 0000000180008345
SelectObject.GDI32 ref: 000000018000835D
SelectObject.GDI32 ref: 000000018000836E

Strings

U, xrefs: 000000018000829D
, xrefs: 0000000180008145

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Desktop$Create$CapsDeviceMetricsObjectSystem$CompatibleThread$CloseInformationReleaseSectionSelectUser$CountCurrentCursorInputLoadOpenTickWindowlstrcmpi
String ID: $U
API String ID: 2893566681-770038575
Opcode ID: b86f48dc643f242cefc531a4be5a3682f6d023113ff47b511178bb2e5ed44561
Instruction ID: 5a974b94c51b32a5b076b50a0235f2bb3082aa2d84b1aa1b7f751e748a0e9dcb
Opcode Fuzzy Hash: b86f48dc643f242cefc531a4be5a3682f6d023113ff47b511178bb2e5ed44561
Instruction Fuzzy Hash: D9912F32610B888ED396DF35E8443C937A5F74CB98F118226FA4993B58DF38D599CB40

Function 0000000180036FD0 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 254COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180036FF8
_invalid_parameter_noinfo.LIBCMT ref: 0000000180037003
__wtomb_environ.LIBCMT ref: 00000001800370E5
_errno.LIBCMT ref: 00000001800370EE
free.LIBCMT ref: 00000001800371DF
SetEnvironmentVariableA.KERNEL32 ref: 0000000180037310
_errno.LIBCMT ref: 000000018003731D
free.LIBCMT ref: 000000018003732B
free.LIBCMT ref: 0000000180037338
free.LIBCMT ref: 000000018003735F

Strings

JPEGMEM, xrefs: 0000000180036FDA

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: free$_errno$EnvironmentVariable__wtomb_environ_invalid_parameter_noinfo
String ID: JPEGMEM
API String ID: 101574016-443077373
Opcode ID: baab3304b54c17fea864bf69aebbbcbc65c4dc0821fdc2b3a32c301d9a29cbd1
Instruction ID: 57832427582ab62e04a86cddfd81d4d0de5ccd9b3dcea064d25929bca40df8ea
Opcode Fuzzy Hash: baab3304b54c17fea864bf69aebbbcbc65c4dc0821fdc2b3a32c301d9a29cbd1
Instruction Fuzzy Hash: 7EA1B13230279881FAF7AB15A9003EB6391BB49BD8F1AC515BE5D477D6EF34C6498300

Function 0000000180004240 Relevance: 21.1, APIs: 14, Instructions: 127networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 000000018000427B
WSAIoctl.WS2_32 ref: 00000001800042D0
setsockopt.WS2_32 ref: 00000001800042F2
setsockopt.WS2_32 ref: 0000000180004314
WSACreateEvent.WS2_32(?,?,?,?,?,?,?,?,?,00000000,?,0000000180004015), ref: 000000018000431A
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,0000000180004015), ref: 0000000180004327
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,0000000180004015), ref: 000000018000434A
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,0000000180004015), ref: 0000000180004364
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,0000000180004015), ref: 0000000180004387
gethostbyname.WS2_32 ref: 0000000180004394

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: ByteCharMultiWidelstrlensetsockopt$CreateEventIoctlgethostbynamesocket
String ID:
API String ID: 2536029566-0
Opcode ID: be85cae740309082365b1f24e25b9b4c6b74c0fabf9c05cb2245f7859b4bb23b
Instruction ID: b91bf29bcf1dd2fc12c05ac5a62fecd5c3412f371c6058c3f5659cdc7577f7ed
Opcode Fuzzy Hash: be85cae740309082365b1f24e25b9b4c6b74c0fabf9c05cb2245f7859b4bb23b
Instruction Fuzzy Hash: D7515F76214B4886E751CF65F84039AB7A5F788BE4F104216FE9A47BA8CF3CC259CB04

Function 000000018000F0A8 Relevance: 19.6, APIs: 13, Instructions: 90COMMON

Download Yara Rule

APIs

__free_lconv_mon.LIBCMT ref: 000000018000F100

Part of subcall function 000000018001084C: free.LIBCMT ref: 000000018001086A
Part of subcall function 000000018001084C: free.LIBCMT ref: 000000018001087C
Part of subcall function 000000018001084C: free.LIBCMT ref: 000000018001088E
Part of subcall function 000000018001084C: free.LIBCMT ref: 00000001800108A0
Part of subcall function 000000018001084C: free.LIBCMT ref: 00000001800108B2
Part of subcall function 000000018001084C: free.LIBCMT ref: 00000001800108C4
Part of subcall function 000000018001084C: free.LIBCMT ref: 00000001800108D6
Part of subcall function 000000018001084C: free.LIBCMT ref: 00000001800108E8
Part of subcall function 000000018001084C: free.LIBCMT ref: 00000001800108FA
Part of subcall function 000000018001084C: free.LIBCMT ref: 000000018001090C
Part of subcall function 000000018001084C: free.LIBCMT ref: 0000000180010921
Part of subcall function 000000018001084C: free.LIBCMT ref: 0000000180010936
Part of subcall function 000000018001084C: free.LIBCMT ref: 000000018001094B

free.LIBCMT ref: 000000018000F0F4

Part of subcall function 0000000180009640: RtlFreeHeap.NTDLL(?,?,00000000,000000018000C040,?,?,?,000000018000999D,?,?,?,?,000000018003BFEA), ref: 0000000180009656
Part of subcall function 0000000180009640: _errno.LIBCMT ref: 0000000180009660
Part of subcall function 0000000180009640: GetLastError.KERNEL32(?,?,00000000,000000018000C040,?,?,?,000000018000999D,?,?,?,?,000000018003BFEA), ref: 0000000180009668

free.LIBCMT ref: 000000018000F116
__free_lconv_num.LIBCMT ref: 000000018000F122
free.LIBCMT ref: 000000018000F12E
free.LIBCMT ref: 000000018000F13A
free.LIBCMT ref: 000000018000F15E
free.LIBCMT ref: 000000018000F172
free.LIBCMT ref: 000000018000F181
free.LIBCMT ref: 000000018000F18D
free.LIBCMT ref: 000000018000F1BA
free.LIBCMT ref: 000000018000F1E2
free.LIBCMT ref: 000000018000F1FC

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: free$ErrorFreeHeapLast__free_lconv_mon__free_lconv_num_errno
String ID:
API String ID: 518839503-0
Opcode ID: 9f04c1d14f6d1e3e207a0491a1d211b8977080727f5d106970ebcecb83eb6337
Instruction ID: d1dd2f2dfdf9e00dee34c292536803119a0a1827377dc0545368fc7bc2e3df82
Opcode Fuzzy Hash: 9f04c1d14f6d1e3e207a0491a1d211b8977080727f5d106970ebcecb83eb6337
Instruction Fuzzy Hash: DF41FC36602688C4FFE6DFA1C4503F933A1EB8CBD4F188032BA194A795CF69C699D350

Function 0000000180005FA0 Relevance: 16.6, APIs: 11, Instructions: 114COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 0000000180005FC8
EnterCriticalSection.KERNEL32 ref: 0000000180005FEA
SetLastError.KERNEL32 ref: 0000000180005FFD
LeaveCriticalSection.KERNEL32 ref: 0000000180006007

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 43feb2fd4a2469da3acbd97ccbcc7864171f01f7b687db1fcdc4d3f3b824b837
Instruction ID: f057f36e22cf24516504c3ef6b47dbec7fc18d1ede4cc798e6b081c25042d96d
Opcode Fuzzy Hash: 43feb2fd4a2469da3acbd97ccbcc7864171f01f7b687db1fcdc4d3f3b824b837
Instruction Fuzzy Hash: AF41613260424C87E796EF24E4587DF77A9FB4C7E1F059126EA1A832A1DF38D649C700

Function 00000001800063F0 Relevance: 16.6, APIs: 11, Instructions: 98networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180006434
WSASetLastError.WS2_32 ref: 0000000180006446
LeaveCriticalSection.KERNEL32 ref: 0000000180006450

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 41b014c9e8fd6412a41d98cabfe8a4d72fe6ebac2a16b7390c8065aabf1d94b0
Instruction ID: 371efd4154eb484db3ea27ba105f86e393cf1da87a3e353abf91c6e69ccef9a9
Opcode Fuzzy Hash: 41b014c9e8fd6412a41d98cabfe8a4d72fe6ebac2a16b7390c8065aabf1d94b0
Instruction Fuzzy Hash: 20316330700A4D87F796EB16A8143AA7352F78EBE5F449122BE26477E5DF38C65D8300

Function 000000018000FEAC Relevance: 15.2, APIs: 10, Instructions: 206COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 000000018000FF46
malloc.LIBCMT ref: 000000018000FFAF
MultiByteToWideChar.KERNEL32 ref: 000000018000FFE3
LCMapStringW.KERNEL32 ref: 000000018001000A
LCMapStringW.KERNEL32 ref: 0000000180010052
malloc.LIBCMT ref: 00000001800100AF

Part of subcall function 0000000180009680: _FF_MSGBANNER.LIBCMT ref: 00000001800096B0
Part of subcall function 0000000180009680: HeapAlloc.KERNEL32(?,?,DEDE000000000000,000000018000C688,?,?,ceil,000000018000D395,?,?,?,000000018000D43F,?,?,00000000,000000018000BF75), ref: 00000001800096D5
Part of subcall function 0000000180009680: _callnewh.LIBCMT ref: 00000001800096EE
Part of subcall function 0000000180009680: _errno.LIBCMT ref: 00000001800096F9
Part of subcall function 0000000180009680: _errno.LIBCMT ref: 0000000180009704

LCMapStringW.KERNEL32 ref: 00000001800100E4
WideCharToMultiByte.KERNEL32 ref: 0000000180010124
free.LIBCMT ref: 0000000180010138
free.LIBCMT ref: 0000000180010149

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
String ID:
API String ID: 1080698880-0
Opcode ID: c6d857fe6f0f78d55d900201d5d5a589df3c7a53c660cb7af49781f728ee279f
Instruction ID: 52c0a84bf8a2e05631db068ac20ee0467e36e31dacc09e872cb42c16212d318a
Opcode Fuzzy Hash: c6d857fe6f0f78d55d900201d5d5a589df3c7a53c660cb7af49781f728ee279f
Instruction Fuzzy Hash: 8181D232300B8986EBA69F25A8403EA7395FB4DBE4F548225FA5D47BD4DF78C609C300

Function 000000018000F39C Relevance: 15.1, APIs: 10, Instructions: 123COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018000F3E3
_invalid_parameter_noinfo.LIBCMT ref: 000000018000F3EF
_errno.LIBCMT ref: 000000018000F439
_errno.LIBCMT ref: 000000018000F444
_errno.LIBCMT ref: 000000018000F476
_invalid_parameter_noinfo.LIBCMT ref: 000000018000F480
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000001FE,?,000000018000F56F), ref: 000000018000F4F2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000001FE,?,000000018000F56F), ref: 000000018000F50F
_errno.LIBCMT ref: 000000018000F535
_invalid_parameter_noinfo.LIBCMT ref: 000000018000F541

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 2295021086-0
Opcode ID: c52785b3262bb0dfee42e3c25cdfc1a26fc2b908a9e576ce46cdcbb2cb4f113f
Instruction ID: d3279eee94bd3acad321d930761277f3f857973e89029d5b282bde406992e120
Opcode Fuzzy Hash: c52785b3262bb0dfee42e3c25cdfc1a26fc2b908a9e576ce46cdcbb2cb4f113f
Instruction Fuzzy Hash: FC518D326016888AFBF7DB65C4403FD76A0A748BE8F14C135BE5946FD6DF288B4A9701

Function 000000018000C8B0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 000000018000C8D1

Part of subcall function 000000018000C6D8: Sleep.KERNEL32(?,?,ceil,000000018000C007,?,?,?,000000018000999D,?,?,?,?,000000018003BFEA), ref: 000000018000C71D

GetFileType.KERNEL32 ref: 000000018000CA3C
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000018000CA7A

Strings

@, xrefs: 000000018000CB35

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
String ID: @
API String ID: 3473179607-2766056989
Opcode ID: 146308c57673dcaa00c052c5a74b247c91614403510e9e44b48620217c0db704
Instruction ID: 2fbf92190b07b31d717272316cc8c3129a207059a927e50151699144c49d7e07
Opcode Fuzzy Hash: 146308c57673dcaa00c052c5a74b247c91614403510e9e44b48620217c0db704
Instruction Fuzzy Hash: 7B81607230078986EB96DF24D84479977A1E749BB8F58C325EA79433E1DF38C659C302

Function 000000018000A680 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 000000018000A6A9

Part of subcall function 000000018000D41C: _amsg_exit.LIBCMT ref: 000000018000D446

DecodePointer.KERNEL32(?,?,00000000,?,?,ceil,00000000,000000018000A85D,?,?,00000000,000000018000D44B,?,?,00000000,000000018000BF75), ref: 000000018000A6DC
DecodePointer.KERNEL32(?,?,00000000,?,?,ceil,00000000,000000018000A85D,?,?,00000000,000000018000D44B,?,?,00000000,000000018000BF75), ref: 000000018000A6FA
DecodePointer.KERNEL32(?,?,00000000,?,?,ceil,00000000,000000018000A85D,?,?,00000000,000000018000D44B,?,?,00000000,000000018000BF75), ref: 000000018000A73A
DecodePointer.KERNEL32(?,?,00000000,?,?,ceil,00000000,000000018000A85D,?,?,00000000,000000018000D44B,?,?,00000000,000000018000BF75), ref: 000000018000A754
DecodePointer.KERNEL32(?,?,00000000,?,?,ceil,00000000,000000018000A85D,?,?,00000000,000000018000D44B,?,?,00000000,000000018000BF75), ref: 000000018000A764
ExitProcess.KERNEL32 ref: 000000018000A7F0

Strings

ceil, xrefs: 000000018000A690

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: DecodePointer$ExitProcess_amsg_exit_lock
String ID: ceil
API String ID: 3411037476-3069211559
Opcode ID: e05cc1b73c426745f44764d451be97a631cba6024066b2eab7424b92b4bd2763
Instruction ID: 7ccfd90f358deb18b6c558725189fbc00dd08bcdc79013f2d31b745a0aaf9daa
Opcode Fuzzy Hash: e05cc1b73c426745f44764d451be97a631cba6024066b2eab7424b92b4bd2763
Instruction Fuzzy Hash: 1041597121AB4C81FAD3DB11FC4439AB2A5B78DBD4F14C126BA8D437A5EF38C6598701

Function 0000000180006260 Relevance: 13.6, APIs: 9, Instructions: 101timenetworkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001800062CA
timeGetTime.WINMM ref: 00000001800062F8
WSASetLastError.WS2_32 ref: 0000000180006319
LeaveCriticalSection.KERNEL32 ref: 0000000180006323
timeGetTime.WINMM ref: 000000018000633A
SetEvent.KERNEL32 ref: 0000000180006374
LeaveCriticalSection.KERNEL32 ref: 0000000180006386
LeaveCriticalSection.KERNEL32 ref: 00000001800063B5
WSASetLastError.WS2_32 ref: 00000001800063DE

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEvent
String ID:
API String ID: 3019579578-0
Opcode ID: 6c6187700454bc4c59a4335baf926a9c00d97f8409c49833492fe45c45125409
Instruction ID: b2dda1a618636ee271e064bde461f634b13a8de8d6a379aa51d70fdee50eeccf
Opcode Fuzzy Hash: 6c6187700454bc4c59a4335baf926a9c00d97f8409c49833492fe45c45125409
Instruction Fuzzy Hash: 4B4164325046488BE7B2DB11E4503AEB3A2F79C794F048116EB8A43BA4DF7CE799C740

Function 0000000180006140 Relevance: 13.6, APIs: 9, Instructions: 73COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 000000018000615A
TryEnterCriticalSection.KERNEL32 ref: 000000018000617B
TryEnterCriticalSection.KERNEL32 ref: 000000018000618D
SetLastError.KERNEL32 ref: 00000001800061A6
LeaveCriticalSection.KERNEL32 ref: 00000001800061B0
LeaveCriticalSection.KERNEL32 ref: 00000001800061BA

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 509216e4530071335b692588b47e4367fec6eb90552f125319ab030dc0d1f72b
Instruction ID: 75e3335b1e87918230f6a9c373441254f2ba43e3bbdc08f9cd9113b1b29240e6
Opcode Fuzzy Hash: 509216e4530071335b692588b47e4367fec6eb90552f125319ab030dc0d1f72b
Instruction Fuzzy Hash: A9318F32A10949D7E792CF24E4543DD37A5FB48F88F558121EA16872B5DF39CA9EC700

Function 0000000180008840 Relevance: 13.6, APIs: 9, Instructions: 61threadstringCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000000180008867
GetThreadDesktop.USER32 ref: 000000018000886F
GetUserObjectInformationW.USER32 ref: 00000001800088AD
OpenInputDesktop.USER32 ref: 00000001800088BD
GetUserObjectInformationW.USER32 ref: 00000001800088F5
lstrcmpiW.KERNEL32 ref: 0000000180008908
SetThreadDesktop.USER32 ref: 0000000180008915
CloseDesktop.USER32 ref: 0000000180008921
CloseDesktop.USER32 ref: 000000018000892A

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Desktop$Thread$CloseInformationObjectUser$CurrentInputOpenlstrcmpi
String ID:
API String ID: 3718465862-0
Opcode ID: fd2f48d1e6d1968eaee02ee160a19b2c28ca0775cb4ff9dc85cc901e1692a986
Instruction ID: 96f2aa2bc74b01c33155bad7b66987432dd12a3f0d009d3960013aa5692eb5d5
Opcode Fuzzy Hash: fd2f48d1e6d1968eaee02ee160a19b2c28ca0775cb4ff9dc85cc901e1692a986
Instruction Fuzzy Hash: FE214F31314B8992FA61DB22F4597DA6360F78DBC4F458022EA9A47755DF3CC60AC740

Function 0000000180008AF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

CreateRectRgnIndirect.GDI32 ref: 0000000180008BC1
GetRegionData.GDI32 ref: 0000000180008C63
GetRegionData.GDI32 ref: 0000000180008C7D
DeleteObject.GDI32 ref: 0000000180008C86

Strings

gfff, xrefs: 0000000180008C38

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: DataRegion$CreateDeleteIndirectObjectRect
String ID: gfff
API String ID: 2186813130-1553575800
Opcode ID: 210b1052776d665a791326807686c54679e9d2d37cfd61b82ee3dbe07363b580
Instruction ID: bc2ed40e1d0f4b74609d4687d17f06db3ad57190d21ec97fb4438f9dc19cd448
Opcode Fuzzy Hash: 210b1052776d665a791326807686c54679e9d2d37cfd61b82ee3dbe07363b580
Instruction Fuzzy Hash: 0A518F767056488BE769CB26B95479A77A1FB4CBC4F004125EB8B83750EF38D64ADB00

Function 0000000180008CC0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123windowCOMMON

Download Yara Rule

APIs

CreateDIBSection.GDI32 ref: 0000000180008D62
SelectObject.GDI32 ref: 0000000180008D76
BitBlt.GDI32 ref: 0000000180008DAA
BitBlt.GDI32 ref: 0000000180008DE2
DeleteObject.GDI32 ref: 0000000180008E81
free.LIBCMT ref: 0000000180008E94

Strings

, xrefs: 0000000180008DB8

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Object$CreateDeleteSectionSelectfree
String ID:
API String ID: 2595996717-3916222277
Opcode ID: f6782e0ec75eb355608d6baa56bdc04460804f101ee914dbec3cc0b645ff9191
Instruction ID: 5b4268221a54ee5ace4949b13ecdcb8b86921d6e4c027daeeaf1fedb3c418b76
Opcode Fuzzy Hash: f6782e0ec75eb355608d6baa56bdc04460804f101ee914dbec3cc0b645ff9191
Instruction Fuzzy Hash: 1D510876604B848BC769DF2AE48475EB7A5F788B90F15811AEBCE83714DF38E545CB00

Function 0000000180004AF0 Relevance: 12.1, APIs: 8, Instructions: 120memorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180004CF0: EnterCriticalSection.KERNEL32 ref: 0000000180004D1E
Part of subcall function 0000000180004CF0: LeaveCriticalSection.KERNEL32 ref: 0000000180004D72

send.WS2_32 ref: 0000000180004B43
EnterCriticalSection.KERNEL32 ref: 0000000180004B57
LeaveCriticalSection.KERNEL32 ref: 0000000180004B6B
HeapFree.KERNEL32 ref: 0000000180004BE7
WSAGetLastError.WS2_32 ref: 0000000180004C34
EnterCriticalSection.KERNEL32 ref: 0000000180004C48
LeaveCriticalSection.KERNEL32 ref: 0000000180004C96
HeapFree.KERNEL32 ref: 0000000180004CD4

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
String ID:
API String ID: 1701177279-0
Opcode ID: 5e93c71d42a5c305066e613e53868e62f4b53e08804066344f535b4be8cad9c5
Instruction ID: a620b2b09fab4021b60d4499ff936709b967cc0508b128f9f8bfd0d5c675bc9b
Opcode Fuzzy Hash: 5e93c71d42a5c305066e613e53868e62f4b53e08804066344f535b4be8cad9c5
Instruction Fuzzy Hash: 24515072201A889AE7E6CF26E4547DD37A0F748BD4F408125EB0A4BF94DF38D6A9C744

Function 0000000180005480 Relevance: 12.1, APIs: 8, Instructions: 82networksleeptimeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00000001800054B0
timeGetTime.WINMM ref: 00000001800054D6
GetCurrentThreadId.KERNEL32 ref: 00000001800054F9
send.WS2_32 ref: 000000018000553C
SetEvent.KERNEL32 ref: 000000018000555A
WSACloseEvent.WS2_32 ref: 0000000180005570
shutdown.WS2_32 ref: 0000000180005589
closesocket.WS2_32 ref: 0000000180005593

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Event$CloseCurrentSleepThreadTimeclosesocketsendshutdowntime
String ID:
API String ID: 929257074-0
Opcode ID: 9d61f2e2c9447a3d8bcb9984658d70241f89799c3ed2799b6cf06c82dabcd3d5
Instruction ID: dda0e94db9e172848c5fc71e5c628d20ec21edfcea274629e6847fb904bf0f32
Opcode Fuzzy Hash: 9d61f2e2c9447a3d8bcb9984658d70241f89799c3ed2799b6cf06c82dabcd3d5
Instruction Fuzzy Hash: 34317532510A5887E792DF25E85039E3362F78CFEAF158226FA96476D8CF34C989C740

Function 0000000180004E80 Relevance: 12.1, APIs: 8, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,0000000180004E64), ref: 0000000180004EA5
ResetEvent.KERNEL32(?,?,00000000,0000000180004E64), ref: 0000000180004EB2
ResetEvent.KERNEL32(?,?,00000000,0000000180004E64), ref: 0000000180004EBF
ResetEvent.KERNEL32(?,?,00000000,0000000180004E64), ref: 0000000180004ECC
HeapFree.KERNEL32 ref: 0000000180004F2F
HeapDestroy.KERNEL32(?,?,00000000,0000000180004E64), ref: 0000000180004F4F
HeapCreate.KERNEL32(?,?,00000000,0000000180004E64), ref: 0000000180004F69
SetEvent.KERNEL32 ref: 0000000180004F9D

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Event$HeapReset$CreateCriticalDestroyEnterFreeSection
String ID:
API String ID: 1658878062-0
Opcode ID: 5fe672df45f1e2bbed79aef643380a6c9a2424feeacc98cb5f0f77531cfcc87f
Instruction ID: 9703f8dc8471dfc0476053e93f52503ebf4fed76f355431aaf0e94b4b4928632
Opcode Fuzzy Hash: 5fe672df45f1e2bbed79aef643380a6c9a2424feeacc98cb5f0f77531cfcc87f
Instruction Fuzzy Hash: 2931D476211B89E3E68EDB21E6843EDB364F788BC1F418126EB6943651CF34D6B9C740

Function 0000000180004FC0 Relevance: 12.1, APIs: 8, Instructions: 64windowCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 0000000180004FE7
MsgWaitForMultipleObjects.USER32 ref: 0000000180005018
PeekMessageW.USER32 ref: 0000000180005034
TranslateMessage.USER32 ref: 0000000180005045
DispatchMessageW.USER32 ref: 0000000180005050
PeekMessageW.USER32 ref: 000000018000506B
SetLastError.KERNEL32 ref: 0000000180005097
CloseHandle.KERNEL32 ref: 00000001800050AC

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Message$Peek$CloseDispatchErrorEventHandleLastMultipleObjectsTranslateWait
String ID:
API String ID: 1713936993-0
Opcode ID: 6dee3109de8a5924e932cc8fd2037b2e751a14fc2ff686e065d7e26951ee4ef5
Instruction ID: 332fe93a0e92dbbaa167667d86b0f1f0310324c209a84aaee6c2a70f1db9f668
Opcode Fuzzy Hash: 6dee3109de8a5924e932cc8fd2037b2e751a14fc2ff686e065d7e26951ee4ef5
Instruction Fuzzy Hash: 5921713221064C82F7A2CF34E4587AF33A1FB88B85F549115FA99865A4DF38CA4DCB41

Function 000000018000D334 Relevance: 12.1, APIs: 8, Instructions: 59COMMON

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 000000018000D35B

Part of subcall function 000000018000AAEC: _set_error_mode.LIBCMT ref: 000000018000AAF5
Part of subcall function 000000018000AAEC: _set_error_mode.LIBCMT ref: 000000018000AB04

Part of subcall function 000000018000A88C: _set_error_mode.LIBCMT ref: 000000018000A8D1
Part of subcall function 000000018000A88C: _set_error_mode.LIBCMT ref: 000000018000A8E2
Part of subcall function 000000018000A88C: GetModuleFileNameW.KERNEL32 ref: 000000018000A944

Part of subcall function 000000018000A4EC: ExitProcess.KERNEL32 ref: 000000018000A4FB

Part of subcall function 000000018000C658: malloc.LIBCMT ref: 000000018000C683
Part of subcall function 000000018000C658: Sleep.KERNEL32(?,?,ceil,000000018000D395,?,?,?,000000018000D43F,?,?,00000000,000000018000BF75,?,?,00000000,000000018000C02C), ref: 000000018000C696

_errno.LIBCMT ref: 000000018000D39D
_lock.LIBCMT ref: 000000018000D3B1
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,000000018000D43F,?,?,00000000,000000018000BF75,?,?,00000000,000000018000C02C,?,?,?,000000018000999D), ref: 000000018000D3C7
free.LIBCMT ref: 000000018000D3D4
_errno.LIBCMT ref: 000000018000D3D9
LeaveCriticalSection.KERNEL32(?,?,?,000000018000D43F,?,?,00000000,000000018000BF75,?,?,00000000,000000018000C02C,?,?,?,000000018000999D), ref: 000000018000D3FC

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
String ID:
API String ID: 113790786-0
Opcode ID: 5340cad30271600366c56f56e91e848f64c22deddf261063ff2b6cbe4c9027cc
Instruction ID: 6f0eb30842c2824cc797e0ece3ec5bb34fb6c6b379f0403c7b3753d2049b81df
Opcode Fuzzy Hash: 5340cad30271600366c56f56e91e848f64c22deddf261063ff2b6cbe4c9027cc
Instruction Fuzzy Hash: D021473160568C82F6E7EB51A8447EE7365E7897C0F14D02ABA4A476C2CF38CB488362

Function 0000000180002390 Relevance: 10.8, APIs: 2, Strings: 5, Instructions: 339COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00000001800025A6
malloc.LIBCMT ref: 000000018000268D

Part of subcall function 0000000180009680: _FF_MSGBANNER.LIBCMT ref: 00000001800096B0
Part of subcall function 0000000180009680: HeapAlloc.KERNEL32(?,?,DEDE000000000000,000000018000C688,?,?,ceil,000000018000D395,?,?,?,000000018000D43F,?,?,00000000,000000018000BF75), ref: 00000001800096D5
Part of subcall function 0000000180009680: _callnewh.LIBCMT ref: 00000001800096EE
Part of subcall function 0000000180009680: _errno.LIBCMT ref: 00000001800096F9
Part of subcall function 0000000180009680: _errno.LIBCMT ref: 0000000180009704

Strings

input ack: sn=%lu rtt=%ld rto=%ld, xrefs: 0000000180002601
input probe, xrefs: 0000000180002705
[RI] %d bytes, xrefs: 00000001800023CA
input psh: sn=%lu ts=%lu, xrefs: 000000018000263E
input wins: %lu, xrefs: 000000018000272E

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$AllocHeap_callnewhfreemalloc
String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
API String ID: 3198430600-868042568
Opcode ID: 12c99ae6bd755bc9ede84d896a78c2a432a3bf2c2e8d12f57f17d4c0ca2fb6bd
Instruction ID: 2c4445fc99983dac253dd3de491b6a48f7bcfb93e97130a427c286ea37865d3c
Opcode Fuzzy Hash: 12c99ae6bd755bc9ede84d896a78c2a432a3bf2c2e8d12f57f17d4c0ca2fb6bd
Instruction Fuzzy Hash: 5BE1C5726046948BE7B6CF29E85079E7BA1F3887C5F14C011EB9A43B85DF39DA49CB00

Function 0000000180004450 Relevance: 10.7, APIs: 7, Instructions: 154threadnetworktimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000000180004480
SetWaitableTimer.KERNEL32 ref: 00000001800044C2
WSAWaitForMultipleEvents.WS2_32 ref: 000000018000456C
SetLastError.KERNEL32 ref: 0000000180004617
GetLastError.KERNEL32 ref: 000000018000461D
WSAGetLastError.WS2_32 ref: 000000018000464A
GetCurrentThreadId.KERNEL32 ref: 000000018000467F

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
String ID:
API String ID: 3058130114-0
Opcode ID: 79bd9b8558d3ad670daa0f2e62ec406135a76d13d5f71c22e12494678d746fea
Instruction ID: 25f4813ffb8264326a26a1ec3c0e5394230e4d6e90a2f7fda1d4210e42b14ad8
Opcode Fuzzy Hash: 79bd9b8558d3ad670daa0f2e62ec406135a76d13d5f71c22e12494678d746fea
Instruction Fuzzy Hash: 41617072200B8886EBE6DF2598543D933A4F749BD8F148225FE1A8B7D5EF35C6488305

Function 0000000180003F10 Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 00000001800040C0: CreateWaitableTimerW.KERNEL32(?,?,?,0000000180003F70), ref: 00000001800040D9
Part of subcall function 00000001800040C0: free.LIBCMT ref: 0000000180004116
Part of subcall function 00000001800040C0: malloc.LIBCMT ref: 0000000180004151

setsockopt.WS2_32 ref: 0000000180003FD6
setsockopt.WS2_32 ref: 0000000180004000
ResetEvent.KERNEL32 ref: 000000018000404E
SetLastError.KERNEL32 ref: 0000000180004079
GetLastError.KERNEL32 ref: 0000000180004091

Part of subcall function 0000000180004DA0: GetCurrentThreadId.KERNEL32 ref: 0000000180004DAD

SetLastError.KERNEL32 ref: 00000001800040A3

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: ErrorLast$setsockopt$CreateCurrentEventResetThreadTimerWaitablefreemalloc
String ID:
API String ID: 3356772049-0
Opcode ID: 385d7910e8cc1218ff50aec6a7d4baed77c702b4280e88e07e440001cc7534b2
Instruction ID: 695c8c4979a995818427334fd6355189642c83d14db7d618803583136ccf0baf
Opcode Fuzzy Hash: 385d7910e8cc1218ff50aec6a7d4baed77c702b4280e88e07e440001cc7534b2
Instruction Fuzzy Hash: A7419172600B4887E792CF16E50439E73A0F748788F108025FB8947B91CF7ED269CB04

Function 0000000180009D50 Relevance: 10.6, APIs: 7, Instructions: 93threadCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A438: HeapCreate.KERNEL32 ref: 000000018000A44E
Part of subcall function 000000018000A438: GetVersion.KERNEL32 ref: 000000018000A460
Part of subcall function 000000018000A438: HeapSetInformation.KERNEL32 ref: 000000018000A47E

_RTC_Initialize.LIBCMT ref: 0000000180009D82
GetCommandLineA.KERNEL32 ref: 0000000180009D87

Part of subcall function 000000018000CFF0: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,0000000180009D99), ref: 000000018000D009
Part of subcall function 000000018000CFF0: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,0000000180009D99), ref: 000000018000D060
Part of subcall function 000000018000CFF0: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,0000000180009D99), ref: 000000018000D09B
Part of subcall function 000000018000CFF0: free.LIBCMT ref: 000000018000D0A8
Part of subcall function 000000018000CFF0: FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,0000000180009D99), ref: 000000018000D0B3

Part of subcall function 000000018000C8B0: GetStartupInfoW.KERNEL32 ref: 000000018000C8D1

__setargv.LIBCMT ref: 0000000180009DB0
_cinit.LIBCMT ref: 0000000180009DC4

Part of subcall function 000000018000BEF4: FlsFree.KERNEL32(?,?,?,?,0000000180009E2E), ref: 000000018000BF03
Part of subcall function 000000018000BEF4: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180009E2E), ref: 000000018000D2C7
Part of subcall function 000000018000BEF4: free.LIBCMT ref: 000000018000D2D0
Part of subcall function 000000018000BEF4: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180009E2E), ref: 000000018000D2F7

Part of subcall function 000000018000CB84: free.LIBCMT ref: 000000018000CBD5

Part of subcall function 000000018000C6D8: Sleep.KERNEL32(?,?,ceil,000000018000C007,?,?,?,000000018000999D,?,?,?,?,000000018003BFEA), ref: 000000018000C71D

FlsSetValue.KERNEL32 ref: 0000000180009E5E
GetCurrentThreadId.KERNEL32 ref: 0000000180009E72
free.LIBCMT ref: 0000000180009E81

Part of subcall function 0000000180009640: RtlFreeHeap.NTDLL(?,?,00000000,000000018000C040,?,?,?,000000018000999D,?,?,?,?,000000018003BFEA), ref: 0000000180009656
Part of subcall function 0000000180009640: _errno.LIBCMT ref: 0000000180009660
Part of subcall function 0000000180009640: GetLastError.KERNEL32(?,?,00000000,000000018000C040,?,?,?,000000018000999D,?,?,?,?,000000018003BFEA), ref: 0000000180009668

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: free$FreeHeap$ByteCharCriticalDeleteEnvironmentMultiSectionStringsWide$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValueVersion__setargv_cinit_errno
String ID:
API String ID: 125979975-0
Opcode ID: 2dc076293398fcd7fe5081731f78aa6e849789c0d8a445cc61a0c5aec1a05bee
Instruction ID: fe4a1015b7d026f5d258e19d2ee1d233b5ab80a77d8628e2f8495522dc74437f
Opcode Fuzzy Hash: 2dc076293398fcd7fe5081731f78aa6e849789c0d8a445cc61a0c5aec1a05bee
Instruction Fuzzy Hash: 9431703060664E81FAE7F7F199013EE3195AB9D3D4F24C12AB921851C7EF298B4D4363

Function 0000000180006860 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32 ref: 00000001800068A4

Part of subcall function 00000001800066B0: LoadCursorW.USER32 ref: 000000018000677E

Part of subcall function 0000000180009738: malloc.LIBCMT ref: 0000000180009752

GetDesktopWindow.USER32 ref: 0000000180006914
GetDC.USER32 ref: 000000018000691D
GetSystemMetrics.USER32 ref: 000000018000692F
GetSystemMetrics.USER32 ref: 000000018000693D

Part of subcall function 00000001800080D0: ReleaseDC.USER32 ref: 0000000180008124
Part of subcall function 00000001800080D0: GetDC.USER32 ref: 000000018000813B
Part of subcall function 00000001800080D0: GetTickCount.KERNEL32 ref: 0000000180008153
Part of subcall function 00000001800080D0: GetDC.USER32 ref: 0000000180008176
Part of subcall function 00000001800080D0: GetDeviceCaps.GDI32 ref: 0000000180008187
Part of subcall function 00000001800080D0: GetDeviceCaps.GDI32 ref: 0000000180008197
Part of subcall function 00000001800080D0: GetDeviceCaps.GDI32 ref: 00000001800081A5
Part of subcall function 00000001800080D0: GetDeviceCaps.GDI32 ref: 00000001800081B5
Part of subcall function 00000001800080D0: ReleaseDC.USER32 ref: 00000001800081D7
Part of subcall function 00000001800080D0: GetSystemMetrics.USER32 ref: 00000001800081E2
Part of subcall function 00000001800080D0: GetSystemMetrics.USER32 ref: 0000000180008200
Part of subcall function 00000001800080D0: GetSystemMetrics.USER32 ref: 0000000180008255

Strings

, xrefs: 00000001800068CA

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release$CountCreateCursorDesktopEventLoadTickWindowmalloc
String ID:
API String ID: 423607222-3916222277
Opcode ID: 4b28c52f20ffdf5a9381539c9fc0a716757e8578ec4c97d0e64d7f9e2a4cfef5
Instruction ID: c6fb0172dea399f9ccb69aaaa1339b32bad750d857247de1dd8db271205325a6
Opcode Fuzzy Hash: 4b28c52f20ffdf5a9381539c9fc0a716757e8578ec4c97d0e64d7f9e2a4cfef5
Instruction Fuzzy Hash: 42319F72100B4486E796CF35E4443CA77E5FB4CB98F10822AEA4D477A9DF79C258C740

Function 000000018000DB1C Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018000DB3F
_errno.LIBCMT ref: 000000018000DB47

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 3ce7682d629f21e628ed1582799be254755e637483a93035ce180d5811f39bea
Instruction ID: c411a6d4b71dfe7a62226b1d763e97ff5680ec92d5c3d0ce38a709bc0164baa9
Opcode Fuzzy Hash: 3ce7682d629f21e628ed1582799be254755e637483a93035ce180d5811f39bea
Instruction Fuzzy Hash: 0121B03221064C85EA97EB5999413FD76516788BF1F4A820ABE34073E3DF7886498721

Function 000000018000E360 Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018000E383
_errno.LIBCMT ref: 000000018000E38B

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 219b57bc18c8537710296174296c9a777b41f9f22e72160e046d0417abce71e1
Instruction ID: 208e345af04c41b1c6889ad1f81cdd3c543414e6f2b63189b4a0446d3012c127
Opcode Fuzzy Hash: 219b57bc18c8537710296174296c9a777b41f9f22e72160e046d0417abce71e1
Instruction Fuzzy Hash: FF21013221068845F797EB69A8413FD3A11A7897E1F49C118FA24073E3CFB886899720

Function 0000000180010C90 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180010CA9
FlushFileBuffers.KERNEL32(?,00000000,00000000,000000018000FDA6,?,?,00000001,000000018000FE4F,?,?,?,?,?,000000018000E5E5), ref: 0000000180010D0C
GetLastError.KERNEL32(?,00000000,00000000,000000018000FDA6,?,?,00000001,000000018000FE4F,?,?,?,?,?,000000018000E5E5), ref: 0000000180010D16
__doserrno.LIBCMT ref: 0000000180010D26
_errno.LIBCMT ref: 0000000180010D2D

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno
String ID:
API String ID: 1845094721-0
Opcode ID: 65d40c243bdbd2d8c40f04e9232bb7ffd2095a59ea85331859790807e3c7c2bb
Instruction ID: 443c4df203018a09317fca6b1f576f251987f8ae4d4f93c0a6d464d5531fe614
Opcode Fuzzy Hash: 65d40c243bdbd2d8c40f04e9232bb7ffd2095a59ea85331859790807e3c7c2bb
Instruction Fuzzy Hash: 8121C631300A4C45F797AFA8B9813FD3751A74D7D0F298128BA560B3E2DFB89649C301

Function 0000000180010FD4 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180010FED
_errno.LIBCMT ref: 0000000180010FF5
_close_nolock.LIBCMT ref: 000000018001104C

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_close_nolock_errno
String ID:
API String ID: 186997739-0
Opcode ID: 25288049dd324bc4337847358e2c5e3441b6c920b1bebd3c2c4621ae3f576b75
Instruction ID: 43e174b3b8f34985c6bd657e4b35ac7fd052195ae9cb6f3272742aa463ed8682
Opcode Fuzzy Hash: 25288049dd324bc4337847358e2c5e3441b6c920b1bebd3c2c4621ae3f576b75
Instruction Fuzzy Hash: 60110A32A0468C49F39BAF6498413EC3651578C7E1F55C528B529073D3CFF88689C310

Function 000000018000B2B8 Relevance: 10.6, APIs: 7, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018000B2DC
_errno.LIBCMT ref: 000000018000B2F5
write_char.LIBCMT ref: 000000018000B30A
_errno.LIBCMT ref: 000000018000B317
write_char.LIBCMT ref: 000000018000B329
_errno.LIBCMT ref: 000000018000B332
_errno.LIBCMT ref: 000000018000B33C

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$write_char
String ID:
API String ID: 1772936973-0
Opcode ID: 59595e8c2d60516688eb06fa007e0346238e38a8beb115a9248a300fee8233ca
Instruction ID: a675aab5ad95e2bbcca2c7ec28b259220c6970b63d32f20c08e1c2afe2d83584
Opcode Fuzzy Hash: 59595e8c2d60516688eb06fa007e0346238e38a8beb115a9248a300fee8233ca
Instruction Fuzzy Hash: D1113D3250079886E7A39B5A94013ED77A0F79DBD0F68D024FB544B796CF38DA858B41

Function 0000000180008400 Relevance: 10.5, APIs: 7, Instructions: 45COMMON

Download Yara Rule

APIs

ReleaseDC.USER32 ref: 000000018000841D
DeleteDC.GDI32 ref: 0000000180008427
DeleteDC.GDI32 ref: 0000000180008431
DeleteDC.GDI32 ref: 000000018000843B
DeleteObject.GDI32 ref: 0000000180008448
DeleteObject.GDI32 ref: 0000000180008455
DestroyCursor.USER32(?,?,?,00000001800083E4), ref: 00000001800084B3

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Delete$Object$CursorDestroyRelease
String ID:
API String ID: 1665608007-0
Opcode ID: b0ca0f8ae1253b7dc544d5714d81f1b2868fd1a7ecfc3c098af9debe0b337dff
Instruction ID: 359be030e64ea643b08230aa0655e70d7668aea15539991674f6677d56f8235d
Opcode Fuzzy Hash: b0ca0f8ae1253b7dc544d5714d81f1b2868fd1a7ecfc3c098af9debe0b337dff
Instruction Fuzzy Hash: 1311E936605A4895EB86EF65F8903E93361FB88FC5F558032EE8E46265CE28CA5DC350

Function 00000001800055D0 Relevance: 9.2, APIs: 6, Instructions: 156memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000001800055F3
VirtualAlloc.KERNEL32 ref: 0000000180005680
VirtualFree.KERNEL32 ref: 00000001800056C2
VirtualAlloc.KERNEL32 ref: 000000018000574F
VirtualFree.KERNEL32 ref: 0000000180005791
GetCurrentThreadId.KERNEL32 ref: 0000000180005853

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Virtual$AllocCurrentFreeThread
String ID:
API String ID: 1155560630-0
Opcode ID: 742b0adb832181635398d9b2203ec9d917de59162bfa4663d63228d996a146c5
Instruction ID: 9b0cc06c8a2fc3553dae8b8c4d95b0b666bb54d2c98ffac3feb2bae3b8b6bb9e
Opcode Fuzzy Hash: 742b0adb832181635398d9b2203ec9d917de59162bfa4663d63228d996a146c5
Instruction Fuzzy Hash: 97716A32314B8497E79ECB25E24479EB3A4F748BC1F508115FB9987654DF34E6A9CB00

Function 000000018000ED70 Relevance: 9.1, APIs: 6, Instructions: 118COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000018000ED8F

Part of subcall function 000000018000C058: _amsg_exit.LIBCMT ref: 000000018000C06E

Part of subcall function 000000018000E9AC: _getptd.LIBCMT ref: 000000018000E9B6
Part of subcall function 000000018000E9AC: _amsg_exit.LIBCMT ref: 000000018000EA53

Part of subcall function 000000018000EA68: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,000000018000EDAA,?,?,?,?,?,000000018000EF67), ref: 000000018000EA92

Part of subcall function 000000018000C658: malloc.LIBCMT ref: 000000018000C683
Part of subcall function 000000018000C658: Sleep.KERNEL32(?,?,ceil,000000018000D395,?,?,?,000000018000D43F,?,?,00000000,000000018000BF75,?,?,00000000,000000018000C02C), ref: 000000018000C696

free.LIBCMT ref: 000000018000EE1A

Part of subcall function 0000000180009640: RtlFreeHeap.NTDLL(?,?,00000000,000000018000C040,?,?,?,000000018000999D,?,?,?,?,000000018003BFEA), ref: 0000000180009656
Part of subcall function 0000000180009640: _errno.LIBCMT ref: 0000000180009660
Part of subcall function 0000000180009640: GetLastError.KERNEL32(?,?,00000000,000000018000C040,?,?,?,000000018000999D,?,?,?,?,000000018003BFEA), ref: 0000000180009668

_lock.LIBCMT ref: 000000018000EE4A
free.LIBCMT ref: 000000018000EEED
free.LIBCMT ref: 000000018000EF19
_errno.LIBCMT ref: 000000018000EF1E

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: free$_amsg_exit_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
String ID:
API String ID: 3894533514-0
Opcode ID: d0407b1aac2213962a0f91f087d9c3433d8333d46dfff0cda28676efbf43b31c
Instruction ID: 8855c7a5f5d7c36327045c9948b09f230b9737fbd2f617063f3c55710e8465d9
Opcode Fuzzy Hash: d0407b1aac2213962a0f91f087d9c3433d8333d46dfff0cda28676efbf43b31c
Instruction Fuzzy Hash: 9651C1322006C886E7D6DB21D8403E977A1F78EBD4F14C126FA5A57396CF38C649C701

Function 0000000180033E94 Relevance: 9.1, APIs: 6, Instructions: 92COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180033EC1
_invalid_parameter_noinfo.LIBCMT ref: 0000000180033ECC
_fileno.LIBCMT ref: 0000000180033EFD
_errno.LIBCMT ref: 0000000180033F6D
_invalid_parameter_noinfo.LIBCMT ref: 0000000180033F78
_ftbuf.LIBCMT ref: 0000000180033FA8

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_fileno_ftbuf
String ID:
API String ID: 2434734397-0
Opcode ID: 6db1d4df1e3ebed4864d0548da5bce2e2edce094884e200ce3494b53dfa676cf
Instruction ID: f5b71796390f9364027b54fca3220aebf077891c2c4cf0c7b84bc7359f2ee352
Opcode Fuzzy Hash: 6db1d4df1e3ebed4864d0548da5bce2e2edce094884e200ce3494b53dfa676cf
Instruction Fuzzy Hash: 9631E87170174D45FAD7D7695C923FE23916B59BE0FA1D229FD29862D1CF28C64D8300

Function 00000001800017C0 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 00000001800017F5
malloc.LIBCMT ref: 0000000180001861

Part of subcall function 0000000180009680: _FF_MSGBANNER.LIBCMT ref: 00000001800096B0
Part of subcall function 0000000180009680: HeapAlloc.KERNEL32(?,?,DEDE000000000000,000000018000C688,?,?,ceil,000000018000D395,?,?,?,000000018000D43F,?,?,00000000,000000018000BF75), ref: 00000001800096D5
Part of subcall function 0000000180009680: _callnewh.LIBCMT ref: 00000001800096EE
Part of subcall function 0000000180009680: _errno.LIBCMT ref: 00000001800096F9
Part of subcall function 0000000180009680: _errno.LIBCMT ref: 0000000180009704

free.LIBCMT ref: 000000018000188A

Part of subcall function 0000000180009640: RtlFreeHeap.NTDLL(?,?,00000000,000000018000C040,?,?,?,000000018000999D,?,?,?,?,000000018003BFEA), ref: 0000000180009656
Part of subcall function 0000000180009640: _errno.LIBCMT ref: 0000000180009660
Part of subcall function 0000000180009640: GetLastError.KERNEL32(?,?,00000000,000000018000C040,?,?,?,000000018000999D,?,?,?,?,000000018003BFEA), ref: 0000000180009668

Strings

d, xrefs: 0000000180001934
d, xrefs: 000000018000190B
d, xrefs: 0000000180001901

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$Heapmalloc$AllocErrorFreeLast_callnewhfree
String ID: d$d$d
API String ID: 161857241-1898527202
Opcode ID: de9c947b52f5cced65e5fb739daeeab5d91237964ee81a3d91c2b650cd86eca5
Instruction ID: 26baca00d8837cea124759d0b50b5e6c371a394a4fe92fdb92bc423769365a07
Opcode Fuzzy Hash: de9c947b52f5cced65e5fb739daeeab5d91237964ee81a3d91c2b650cd86eca5
Instruction Fuzzy Hash: 5041E472112B94C9E781CF25E4403993BA9F748F88F59C13AEB8847798EF75C558CB60

Function 000000018000CFF0 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,0000000180009D99), ref: 000000018000D009
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,0000000180009D99), ref: 000000018000D060
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,0000000180009D99), ref: 000000018000D09B
free.LIBCMT ref: 000000018000D0A8
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,0000000180009D99), ref: 000000018000D0B3
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,0000000180009D99), ref: 000000018000D0C1

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$free
String ID:
API String ID: 517548149-0
Opcode ID: 135297dcab80fc6b00751f3c01c8083bc8f0bde01277529d9eb1e37cdddd8d3d
Instruction ID: 10efca17ea9078b3eb5f2cd84dac7c3252626ee7f6f8a3ef5586864f9dde1f99
Opcode Fuzzy Hash: 135297dcab80fc6b00751f3c01c8083bc8f0bde01277529d9eb1e37cdddd8d3d
Instruction Fuzzy Hash: 8B21813260578886EBA6CF22B45079A77E5F78CBC0F488016EE8E07B58DF39C655C700

Function 0000000180005370 Relevance: 9.1, APIs: 6, Instructions: 66synchronizationtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32 ref: 000000018000538C
ResetEvent.KERNEL32 ref: 0000000180005399
timeGetTime.WINMM ref: 000000018000539F
WaitForSingleObject.KERNEL32 ref: 00000001800053F3
ResetEvent.KERNEL32 ref: 0000000180005410

Part of subcall function 0000000180004DA0: GetCurrentThreadId.KERNEL32 ref: 0000000180004DAD

ResetEvent.KERNEL32 ref: 0000000180005437

Part of subcall function 0000000180009AEC: _errno.LIBCMT ref: 0000000180009B17
Part of subcall function 0000000180009AEC: _invalid_parameter_noinfo.LIBCMT ref: 0000000180009B22

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: EventReset$CurrentObjectSingleThreadTimeWait_errno_invalid_parameter_noinfotime
String ID:
API String ID: 2543248268-0
Opcode ID: 1e8666e7e51f2ff4dd7147b107d66f999c8e4a748aa071a7d8a9cb6ed039a13f
Instruction ID: 843b933302644989679a588d04cb5c6b417eadd3ac19e309017223f44c84dac6
Opcode Fuzzy Hash: 1e8666e7e51f2ff4dd7147b107d66f999c8e4a748aa071a7d8a9cb6ed039a13f
Instruction Fuzzy Hash: 55214C36204B5486D782CF21F84039A73A4F788F99F198122EE8D87768DF34C68A8700

Function 0000000180004DA0 Relevance: 9.1, APIs: 6, Instructions: 57networkthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000000180004DAD

Part of subcall function 0000000180004180: SwitchToThread.KERNEL32(?,?,00000000,0000000180004DBD), ref: 00000001800041BE
Part of subcall function 0000000180004180: SetLastError.KERNEL32(?,?,00000000,0000000180004DBD), ref: 0000000180004205

send.WS2_32 ref: 0000000180004DF9
SetEvent.KERNEL32 ref: 0000000180004E17
WSACloseEvent.WS2_32 ref: 0000000180004E2B
shutdown.WS2_32 ref: 0000000180004E44
closesocket.WS2_32 ref: 0000000180004E4E

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: EventThread$CloseCurrentErrorLastSwitchclosesocketsendshutdown
String ID:
API String ID: 779811758-0
Opcode ID: 1e86ea1f8ff452546b779ee4e855d81d8d01c69a684822cfa20fc278bfcbf352
Instruction ID: b5ea4ee48596f9abde93df30d7473071f8ae0aa078d83123165f73c6978b95ef
Opcode Fuzzy Hash: 1e86ea1f8ff452546b779ee4e855d81d8d01c69a684822cfa20fc278bfcbf352
Instruction Fuzzy Hash: 0121337260064986EB96DF29F4403993361F78CFE4F558222AA2A4B6D5DF34C989C744

Function 00000001800069E0 Relevance: 9.1, APIs: 6, Instructions: 55synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 0000000180006A27
WaitForSingleObject.KERNEL32 ref: 0000000180006A34
CloseHandle.KERNEL32 ref: 0000000180006A3E
CloseHandle.KERNEL32 ref: 0000000180006A48
ReleaseDC.USER32 ref: 0000000180006A57
DestroyCursor.USER32 ref: 0000000180006A93

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CloseHandleObjectSingleWait$CursorDestroyRelease
String ID:
API String ID: 1831285251-0
Opcode ID: 95848810752ff7ad233cd3893918d47de91eb8e101ab5f5df24dde70a11c90f1
Instruction ID: acc23cfdb0e0807efd00d533c1861ebf9783fd11ccc118f83a28eb62b8736fb9
Opcode Fuzzy Hash: 95848810752ff7ad233cd3893918d47de91eb8e101ab5f5df24dde70a11c90f1
Instruction Fuzzy Hash: E6212A32600F4896DB56DF29E8843897370F788BA0F548226EB6E437B4DF39D569C700

Function 000000018000BFD4 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,000000018000999D,?,?,?,?,000000018003BFEA,?,?,?,?,000000018003BBF1), ref: 000000018000BFDE
FlsGetValue.KERNEL32(?,?,?,000000018000999D,?,?,?,?,000000018003BFEA,?,?,?,?,000000018003BBF1), ref: 000000018000BFEC
SetLastError.KERNEL32(?,?,?,000000018000999D,?,?,?,?,000000018003BFEA,?,?,?,?,000000018003BBF1), ref: 000000018000C044

Part of subcall function 000000018000C6D8: Sleep.KERNEL32(?,?,ceil,000000018000C007,?,?,?,000000018000999D,?,?,?,?,000000018003BFEA), ref: 000000018000C71D

FlsSetValue.KERNEL32(?,?,?,000000018000999D,?,?,?,?,000000018003BFEA,?,?,?,?,000000018003BBF1), ref: 000000018000C018
free.LIBCMT ref: 000000018000C03B

Part of subcall function 000000018000BF1C: _lock.LIBCMT ref: 000000018000BF70
Part of subcall function 000000018000BF1C: _lock.LIBCMT ref: 000000018000BF8F

GetCurrentThreadId.KERNEL32 ref: 000000018000C02C

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: b529eeb46b1eede4f9805dd231701478292caae48f7d7ff7bc1546388e4f010e
Instruction ID: 9c7733a4ee0f26d526643a21944fc58a4594e8f998939a9de4bbebd5f52ac11c
Opcode Fuzzy Hash: b529eeb46b1eede4f9805dd231701478292caae48f7d7ff7bc1546388e4f010e
Instruction Fuzzy Hash: BA01713020174D82EB8B9B65A8447AA3291AB4DBE0F18C228F926463D1DE3CC64DC701

Function 0000000180001970 Relevance: 8.9, APIs: 7, Instructions: 157COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00000001800019DF
free.LIBCMT ref: 0000000180001A2F
free.LIBCMT ref: 0000000180001A7F
free.LIBCMT ref: 0000000180001ACF
free.LIBCMT ref: 0000000180001AFA
free.LIBCMT ref: 0000000180001B1B
free.LIBCMT ref: 0000000180001B59

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9381d8dfaf48aa47efd066fad4f4c1346dad4c0f21544f4db727ecede13f6623
Instruction ID: 0380db5dcc4011a8ee892774553080b5cf429d8a0f9f119caa4bb88c45e776b7
Opcode Fuzzy Hash: 9381d8dfaf48aa47efd066fad4f4c1346dad4c0f21544f4db727ecede13f6623
Instruction Fuzzy Hash: 3C713477202B88CAEB92DFA9E4903DD77A1E759B80F18C016EB8A07351CF39D569C311

Function 0000000180013950 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wgetenv.LIBCMT ref: 0000000180013A61
swscanf.LIBCMT ref: 0000000180013A84

Strings

JPEGMEM, xrefs: 00000001800139B5
x, xrefs: 0000000180013A7F
%ld%c, xrefs: 0000000180013A75

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: _wgetenvswscanf
String ID: %ld%c$JPEGMEM$x
API String ID: 2353447129-3402169052
Opcode ID: 443b9d3dc04f006af0511064b51fe890d6b90718b02c4772b7ea7d8a57b95636
Instruction ID: a6e5e490e4cdb91a01faa44b3030d45d07f3799ec0b821e77b8d5236952550b4
Opcode Fuzzy Hash: 443b9d3dc04f006af0511064b51fe890d6b90718b02c4772b7ea7d8a57b95636
Instruction Fuzzy Hash: 2D41F636215F48A6E786CB25E5813C977A8F748784F908126FB8D47B64EF38D279C780

Function 000000018000AFE8 Relevance: 7.6, APIs: 5, Instructions: 115COMMON

Download Yara Rule

APIs

_fileno.LIBCMT ref: 000000018000B005

Part of subcall function 000000018000E708: _errno.LIBCMT ref: 000000018000E711
Part of subcall function 000000018000E708: _invalid_parameter_noinfo.LIBCMT ref: 000000018000E71C

_errno.LIBCMT ref: 000000018000B015
_errno.LIBCMT ref: 000000018000B031
_isatty.LIBCMT ref: 000000018000B092
_getbuf.LIBCMT ref: 000000018000B09E

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 2574049805-0
Opcode ID: ea75e5cf20b7f7844c4b8bc67faf072f29965c7ad569393f5253f051f69abf3d
Instruction ID: 6a7a9942f3966caa066fa294b396ed4a18fc749f67481194838face732c5f580
Opcode Fuzzy Hash: ea75e5cf20b7f7844c4b8bc67faf072f29965c7ad569393f5253f051f69abf3d
Instruction Fuzzy Hash: 5741C472610B4C86EBAADF28D4513EE37A0E748FD4F148215EA75873D6EE34CA59CB40

Function 0000000180010210 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 000000018001026A
malloc.LIBCMT ref: 00000001800102CE
MultiByteToWideChar.KERNEL32 ref: 0000000180010316
GetStringTypeW.KERNEL32 ref: 000000018001032D
free.LIBCMT ref: 0000000180010341

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: ByteCharMultiWide$StringTypefreemalloc
String ID:
API String ID: 307345228-0
Opcode ID: 2a3790eea4a4617312d8e4a9442f6424bede9cf37a8252f36d331abd6b65284e
Instruction ID: abc54c1b28ca8ca362bcab6cb60de8bd725865527ee158dc4e020e444684f391
Opcode Fuzzy Hash: 2a3790eea4a4617312d8e4a9442f6424bede9cf37a8252f36d331abd6b65284e
Instruction Fuzzy Hash: 57415032201B8886EB929F65D8147DA7395FB4CBE8F288216FE69477D5DF78C649C300

Function 0000000180004970 Relevance: 7.6, APIs: 5, Instructions: 91networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00000001800049A4
SetLastError.KERNEL32 ref: 00000001800049DE
WSAGetLastError.WS2_32 ref: 0000000180004A32
WSASetLastError.WS2_32 ref: 0000000180004A88
GetLastError.KERNEL32 ref: 0000000180004A97

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: ErrorLast$recv
String ID:
API String ID: 316788870-0
Opcode ID: 14e5b7a9948d1e94ba054851c6eb7a6bed2ab8c873f0c59e5f30a48817030090
Instruction ID: 6199e5bf986f86425fbbc0522af38a7fcd77c4a4bcf61ee2ee22b2f26d195f40
Opcode Fuzzy Hash: 14e5b7a9948d1e94ba054851c6eb7a6bed2ab8c873f0c59e5f30a48817030090
Instruction Fuzzy Hash: 104191B2700A4885E792DF39E4443DE33A1E74DBC8F548126EE198B699DF39CA88C715

Function 0000000180009C2C Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,0000000180009D41,?,?,?,?,00000001800097B3), ref: 0000000180009C55
DecodePointer.KERNEL32(?,?,?,0000000180009D41,?,?,?,?,00000001800097B3), ref: 0000000180009C65

Part of subcall function 000000018000C874: _errno.LIBCMT ref: 000000018000C87D
Part of subcall function 000000018000C874: _invalid_parameter_noinfo.LIBCMT ref: 000000018000C888

EncodePointer.KERNEL32(?,?,?,0000000180009D41,?,?,?,?,00000001800097B3), ref: 0000000180009CE3

Part of subcall function 000000018000C75C: realloc.LIBCMT ref: 000000018000C787
Part of subcall function 000000018000C75C: Sleep.KERNEL32(?,?,00000000,0000000180009CD3,?,?,?,0000000180009D41,?,?,?,?,00000001800097B3), ref: 000000018000C7A3

EncodePointer.KERNEL32(?,?,?,0000000180009D41,?,?,?,?,00000001800097B3), ref: 0000000180009CF3
EncodePointer.KERNEL32(?,?,?,0000000180009D41,?,?,?,?,00000001800097B3), ref: 0000000180009D00

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: 24608c62e4ce1b5fb8eecf5b2368e6216a0b19e46f6bda97ba43d3487df48692
Instruction ID: a3e2518ee86cc6793519812862cdabeece31c64530b0cc53dad98b323b8d5f8e
Opcode Fuzzy Hash: 24608c62e4ce1b5fb8eecf5b2368e6216a0b19e46f6bda97ba43d3487df48692
Instruction Fuzzy Hash: 6C216931302B4891EA83DB91E9483DAB3A1B74CBD0F54C826FA4E07765EE78C68CC340

Function 0000000180005E30 Relevance: 7.5, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,0000000180004E9E,?,?,00000000,0000000180004E64), ref: 0000000180005E55
EnterCriticalSection.KERNEL32(?,?,00000000,0000000180004E9E,?,?,00000000,0000000180004E64), ref: 0000000180005E5F
LeaveCriticalSection.KERNEL32(?,?,00000000,0000000180004E9E,?,?,00000000,0000000180004E64), ref: 0000000180005E6F
LeaveCriticalSection.KERNEL32(?,?,00000000,0000000180004E9E,?,?,00000000,0000000180004E64), ref: 0000000180005E79

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 7a81fae3a11a7c8614ce4b52f652239c74409d90b28903bf66d9faeaf82510ad
Instruction ID: b4ff77fc8091b79fa2e2e34a0cce3b936a653a81ca79f27a33948fa61e49d118
Opcode Fuzzy Hash: 7a81fae3a11a7c8614ce4b52f652239c74409d90b28903bf66d9faeaf82510ad
Instruction Fuzzy Hash: AC113D3262494983EBA6DB21F4943DA7360F748795F459021EBCB42A60DF7CDACAC700

Function 000000018000FA34 Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018000FA3D
_errno.LIBCMT ref: 000000018000FA45

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 2adebc5d330ba20866aa6a7c2556a59eaf06e391f068851f50b98d17d41064fc
Instruction ID: 58a16bfa7e209c761215f3211aa515af73cb1c68bffe57348d4b1a8d3bf2a951
Opcode Fuzzy Hash: 2adebc5d330ba20866aa6a7c2556a59eaf06e391f068851f50b98d17d41064fc
Instruction Fuzzy Hash: A7016DB230164C44EAA79B5888813F836515B69BE5F65C329F62D067E3CFAC46499312

Function 00000001800059D0 Relevance: 7.5, APIs: 5, Instructions: 26synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00000001800059E0
WaitForSingleObject.KERNEL32 ref: 00000001800059F0
Sleep.KERNEL32 ref: 00000001800059FB
CloseHandle.KERNEL32 ref: 0000000180005A1A
CloseHandle.KERNEL32 ref: 0000000180005A27

Part of subcall function 0000000180004DA0: GetCurrentThreadId.KERNEL32 ref: 0000000180004DAD

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CloseHandleObjectSingleWait$CurrentSleepThread
String ID:
API String ID: 570250148-0
Opcode ID: ece6bab6b59026452e66b88529e7cc8ce58c27b9fbf2850620a6747602fb9a63
Instruction ID: 736addbb9bfff09ec8da44a823191799851d9216327199c24c2f421c8face72c
Opcode Fuzzy Hash: ece6bab6b59026452e66b88529e7cc8ce58c27b9fbf2850620a6747602fb9a63
Instruction Fuzzy Hash: 79F0FF7621094CC2F7879F31F8553993360F78DFA5F198221EE6A4B2A4CF348A9A8710

Function 00000001800046C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115networkCOMMON

Download Yara Rule

APIs

WSAEnumNetworkEvents.WS2_32 ref: 00000001800046F8
WSAGetLastError.WS2_32(?,?,?,000000018000457E), ref: 0000000180004706
WSAResetEvent.WS2_32(?,?,?,000000018000457E), ref: 0000000180004743

Strings

, xrefs: 000000018000480C

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: EnumErrorEventEventsLastNetworkReset
String ID:
API String ID: 1050048411-3916222277
Opcode ID: a7472dcd841f44729ce3af89710bd7fc3c3b6896eeff7bc9e4c0264139a2461d
Instruction ID: fea11a4b11cfa689fd8695676352b74c4ff2bd00134010754c4c390e4f437825
Opcode Fuzzy Hash: a7472dcd841f44729ce3af89710bd7fc3c3b6896eeff7bc9e4c0264139a2461d
Instruction Fuzzy Hash: 66516FB350868886F3A2CF29D40439E77E1F789BC8F158115EE4D4B689DF79CA498B44

Function 0000000180009738 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 0000000180009746
malloc.LIBCMT ref: 0000000180009752

Part of subcall function 0000000180009680: _FF_MSGBANNER.LIBCMT ref: 00000001800096B0
Part of subcall function 0000000180009680: HeapAlloc.KERNEL32(?,?,DEDE000000000000,000000018000C688,?,?,ceil,000000018000D395,?,?,?,000000018000D43F,?,?,00000000,000000018000BF75), ref: 00000001800096D5
Part of subcall function 0000000180009680: _callnewh.LIBCMT ref: 00000001800096EE
Part of subcall function 0000000180009680: _errno.LIBCMT ref: 00000001800096F9
Part of subcall function 0000000180009680: _errno.LIBCMT ref: 0000000180009704

std::exception::exception.LIBCMT ref: 00000001800097BF

Strings

bad allocation, xrefs: 000000018000978F

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: _callnewh_errno$AllocHeapmallocstd::exception::exception
String ID: bad allocation
API String ID: 2837191506-2104205924
Opcode ID: 0be486e1f44dbbdcdc97537e0d2caa062964e2e83d7e8e6b65d3b9047e8da2ea
Instruction ID: 1e2019668250625a1b2b9d31203ed3bbb8279a505be9eb8be6bcc4309ce7e2fd
Opcode Fuzzy Hash: 0be486e1f44dbbdcdc97537e0d2caa062964e2e83d7e8e6b65d3b9047e8da2ea
Instruction Fuzzy Hash: A201177162AB4D91FA92EF50B8413D57361AB8D3C0F948416B96D426A2EF38C34DCB00

Function 000000018000A4B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,000000018000A4F9,?,?,00000028,00000001800096C9,?,?,DEDE000000000000,000000018000C688,?,?,ceil,000000018000D395), ref: 000000018000A4BF
GetProcAddress.KERNEL32(?,?,000000FF,000000018000A4F9,?,?,00000028,00000001800096C9,?,?,DEDE000000000000,000000018000C688,?,?,ceil,000000018000D395), ref: 000000018000A4D4

Strings

CorExitProcess, xrefs: 000000018000A4CA
mscoree.dll, xrefs: 000000018000A4B8

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 672ef6b0e385174507540a630beccfc81086d2735ce3595b79ee3def95ae5807
Instruction ID: ffe41d6c2d7918e1b3e091e3a1c6c1f0ba9896b85bdc52aaa2673546b8ae739a
Opcode Fuzzy Hash: 672ef6b0e385174507540a630beccfc81086d2735ce3595b79ee3def95ae5807
Instruction Fuzzy Hash: F1E0127071260C41FF9BDF50B8953A623907B9D780F49902A982E46390DF7CD76CC300

Function 000000018000ADB4 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018000AE02
_invalid_parameter_noinfo.LIBCMT ref: 000000018000AE0D
DecodePointer.KERNEL32(?,?,?,?,?,00000001800097F4,?,?,?,?,000000018000219E), ref: 000000018000AEBC
_lock.LIBCMT ref: 000000018000AEE7

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
String ID:
API String ID: 27599310-0
Opcode ID: 7be1fa04b18b82b6304af40f75c4a51f395efe5f3bf8b949c5798881251678ca
Instruction ID: db3631950fbbbb294078a21d31e159497d84441af4525d3d2c46f9e7a25869a3
Opcode Fuzzy Hash: 7be1fa04b18b82b6304af40f75c4a51f395efe5f3bf8b949c5798881251678ca
Instruction Fuzzy Hash: 3551967260878D46FAE7CB14E8443FA7262E78E7D0F24C525F95A46694DF38DB498301

Function 00000001800084D0 Relevance: 6.1, APIs: 4, Instructions: 75windowCOMMON

Download Yara Rule

APIs

ReleaseDC.USER32 ref: 000000018000850B
GetDC.USER32 ref: 0000000180008513
BitBlt.GDI32 ref: 000000018000856C
free.LIBCMT ref: 00000001800085D7

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Releasefree
String ID:
API String ID: 3272087685-0
Opcode ID: 602c15725b8d813e0bbe9a4453e79e735bb61b4ef0baeaa11b2f701d3bc43177
Instruction ID: d36a20cf91c62a3c5da2fb10686ac00aeac2f0e1bd2c67ccd3b48aa5594e4940
Opcode Fuzzy Hash: 602c15725b8d813e0bbe9a4453e79e735bb61b4ef0baeaa11b2f701d3bc43177
Instruction Fuzzy Hash: CA31E636704B849BDB95CB2AE28039A77E1F749790F448125EB8C83B55DF38E5B5CB00

Function 0000000180004870 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32 ref: 00000001800048AE
WSAGetLastError.WS2_32 ref: 00000001800048B9

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: ErrorEventLastSelect
String ID:
API String ID: 1135597009-0
Opcode ID: 4eddc6159fb5817f7b92b71e64624adfa859e47db7e01beaee153f9d2d3b1a78
Instruction ID: 60a763c8e145126c332b07c1875366a567e6bff20b8eb41a973b137eb8261982
Opcode Fuzzy Hash: 4eddc6159fb5817f7b92b71e64624adfa859e47db7e01beaee153f9d2d3b1a78
Instruction Fuzzy Hash: C321A4B351054487E792CF7AD44839D37A1E788B98F548115EA188B6D4DF79C9CACB10

Function 00000001800050D0 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001800050EC
LeaveCriticalSection.KERNEL32 ref: 0000000180005105
LeaveCriticalSection.KERNEL32 ref: 0000000180005185
SetEvent.KERNEL32 ref: 00000001800051A5

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: ae513d91c155502473071655eea00dac2445091deb4c49d91ab79747f7e52d71
Instruction ID: 4418377062219beeb0047eb6f9c3d7a7e649a3d0339aff7300afd703f66b726b
Opcode Fuzzy Hash: ae513d91c155502473071655eea00dac2445091deb4c49d91ab79747f7e52d71
Instruction Fuzzy Hash: 99210A36314B8993D79ACF26E5803DEB3A4F748B90F548125EBAA43724DF34D9A5C740

Function 000000018000FC40 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 000000018000FC54

Part of subcall function 000000018000D41C: _amsg_exit.LIBCMT ref: 000000018000D446

fclose.LIBCMT ref: 000000018000FC84
DeleteCriticalSection.KERNEL32(?,?,?,?,?,000000018000E5F3), ref: 000000018000FCA8
free.LIBCMT ref: 000000018000FCB9

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalDeleteSection_amsg_exit_lockfclosefree
String ID:
API String ID: 594724896-0
Opcode ID: 0ff1c146e562c8b9ef731e40456d16958a7a062b4949e859bf57337feb6deafa
Instruction ID: 999679cd4892a8d823ebd278223fbb962f6f804c6108240481e7580e3c3cfcc4
Opcode Fuzzy Hash: 0ff1c146e562c8b9ef731e40456d16958a7a062b4949e859bf57337feb6deafa
Instruction Fuzzy Hash: 36119D35104B4C82F6A2CB15E8953ACB361F789BC4F24C626FA6A437B1CF76C64AC704

Function 000000018000E9AC Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000018000E9B6

Part of subcall function 000000018000C058: _amsg_exit.LIBCMT ref: 000000018000C06E

_lock.LIBCMT ref: 000000018000E9E4
free.LIBCMT ref: 000000018000EA1A
_amsg_exit.LIBCMT ref: 000000018000EA53

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: _amsg_exit$_getptd_lockfree
String ID:
API String ID: 2148533958-0
Opcode ID: 426a9eb5d6c89e876dd227587e832aff735dd614218dd979964c76dfd788a66a
Instruction ID: 33ae14cf30371a4dcb097d3cb4d18f5fada779ac3862c5845cfff631a4120995
Opcode Fuzzy Hash: 426a9eb5d6c89e876dd227587e832aff735dd614218dd979964c76dfd788a66a
Instruction Fuzzy Hash: 3A112E36305AC886EAD6DB10E8417E972A1F74E7C0F488026FA5E13395DF28DA58C712

Function 000000018000BEF4 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,0000000180009E2E), ref: 000000018000BF03
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180009E2E), ref: 000000018000D2C7
free.LIBCMT ref: 000000018000D2D0
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000180009E2E), ref: 000000018000D2F7

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 276006e167cf1aff04d3b924b3b0065a621c9c7e6871e02c9381d2983fb42916
Instruction ID: d5b0619c1b78ea485a760d09b6761892c619e52fee80dffde751b67dcf8e653d
Opcode Fuzzy Hash: 276006e167cf1aff04d3b924b3b0065a621c9c7e6871e02c9381d2983fb42916
Instruction Fuzzy Hash: 9811A331600A4CC6FBD7CF51F8543A973A0F759BE4F588612FA6506295CF38C699CB11

Function 0000000180009A6C Relevance: 6.0, APIs: 4, Instructions: 32threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000000180009AA1
ExitThread.KERNEL32 ref: 0000000180009AA9
GetCurrentThreadId.KERNEL32 ref: 0000000180009AB0
_freefls.LIBCMT ref: 0000000180009AE1

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Thread$CurrentErrorExitLast_freefls
String ID:
API String ID: 217443660-0
Opcode ID: dc523210d31c271efce42c5f4489225d318c034fe84fa3c4ac1ff7ac3b89093b
Instruction ID: 5a3ec523d43a9f79c03c4ffc50292547c424952b638033dfd63fc7133ad02ff6
Opcode Fuzzy Hash: dc523210d31c271efce42c5f4489225d318c034fe84fa3c4ac1ff7ac3b89093b
Instruction Fuzzy Hash: 3701E731601B9C85EB86EBB1E40A3DE32A5AB0DBC4F14C434BA1D87397EE75C6588751

Function 0000000180007E80 Relevance: 6.0, APIs: 4, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180001540: HeapFree.KERNEL32 ref: 0000000180001586
Part of subcall function 0000000180001540: free.LIBCMT ref: 00000001800015B2

HeapDestroy.KERNEL32 ref: 0000000180007E9E
HeapCreate.KERNEL32 ref: 0000000180007EAF
free.LIBCMT ref: 0000000180007EC1
HeapDestroy.KERNEL32 ref: 0000000180007EE4

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: Heap$Destroyfree$CreateFree
String ID:
API String ID: 3907340440-0
Opcode ID: b72368671db39447bcebf8604b751b5a650bd80d16f31a87944435ce3b1989b4
Instruction ID: 09c77e5b898923fbf598fb34f1179acc1cfe9d62ff81f816d3f87d2e91f365b8
Opcode Fuzzy Hash: b72368671db39447bcebf8604b751b5a650bd80d16f31a87944435ce3b1989b4
Instruction Fuzzy Hash: 0C011D76612A8497EB8ADF62E6903A93364FB58BC0F14D415EF1A03A51DF34D9B48700

Function 000000018000F27C Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000018000F282

Part of subcall function 000000018000C058: _amsg_exit.LIBCMT ref: 000000018000C06E

_getptd.LIBCMT ref: 000000018000F2A2
_lock.LIBCMT ref: 000000018000F2B5
_amsg_exit.LIBCMT ref: 000000018000F2E3

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: _amsg_exit_getptd$_lock
String ID:
API String ID: 3670291111-0
Opcode ID: 1509d1ac26ba87f6e958dbd463ec673252434084bc47c8eababfe531d8c90e1d
Instruction ID: 9f3359b1737a572f573ec7ec3736ab8805c9ebd4f4246a1d20a58ac482fbf322
Opcode Fuzzy Hash: 1509d1ac26ba87f6e958dbd463ec673252434084bc47c8eababfe531d8c90e1d
Instruction Fuzzy Hash: CAF0173564154C82FAE6EB618851BF83261E75DBC0F48C239FE190B3D2DF248A4DE711

Function 0000000180003C30 Relevance: 6.0, APIs: 4, Instructions: 22synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 0000000180003C40
Sleep.KERNEL32 ref: 0000000180003C4B
WaitForSingleObject.KERNEL32 ref: 0000000180003C60
WaitForSingleObject.KERNEL32 ref: 0000000180003C70

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: ObjectSingleWait$Sleep
String ID:
API String ID: 2961732021-0
Opcode ID: b1e917308134ac2fafb3ffbaff7e83120a2ae0e71f17b407860b014fa0df2722
Instruction ID: 806618bc8838a8f2f27bfbe1f8a99ad75248c14d8b969983b08c7d98cb429908
Opcode Fuzzy Hash: b1e917308134ac2fafb3ffbaff7e83120a2ae0e71f17b407860b014fa0df2722
Instruction Fuzzy Hash: 38F08C32200A4C82E7828F76EC0439933A0F78DFA4F168322DA7D472E4CF3485AAC710

Function 00000001800098D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180009855
_invalid_parameter_noinfo.LIBCMT ref: 0000000180009860

Strings

B, xrefs: 0000000180009885

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: B
API String ID: 2959964966-1255198513
Opcode ID: ca5941614373a58d278bb108b282cf9e75e41570224192e68ce77568d080692a
Instruction ID: bad346df8dc404074a7f862b1d6f9a0b8a376c289568912614f9bfd4eafe758c
Opcode Fuzzy Hash: ca5941614373a58d278bb108b282cf9e75e41570224192e68ce77568d080692a
Instruction Fuzzy Hash: B111847221574886EB61DF56D44039DB7A0F78DBD4F58C215BB9907B9ACF38C649CB00

Function 0000000180034064 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003409D
_invalid_parameter_noinfo.LIBCMT ref: 00000001800340A8

Strings

I, xrefs: 00000001800340DD

Memory Dump Source

Source File: 00000000.00000003.2115421052.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000003.2020944681.0000000180075000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115408172.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.000000018003D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180052000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115445774.0000000180062000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115489394.000000018006C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000003.2115502955.0000000180071000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_180000000_EpCAySF1G6.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: I
API String ID: 2959964966-3707901625
Opcode ID: b65754f80cf49d38160d8fdb16d4f47f40f2887a7c681dede45eb3e4f638146e
Instruction ID: b614669ef453788ccb25b9283b1da39d6195e8738e3b23fa787283acb0fccfd3
Opcode Fuzzy Hash: b65754f80cf49d38160d8fdb16d4f47f40f2887a7c681dede45eb3e4f638146e
Instruction Fuzzy Hash: 0911827270474485EB66DB12E54039AB7A5F798FE0F148225FB990BB95CF38D649CB00

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EpCAySF1G6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: EpCAySF1G6.exePID: 6792, Parent PID: 2580

General

Windows Analysis Report
EpCAySF1G6.exe