Edit tour

Windows Analysis Report
utkin.exe

Overview

General Information

Sample name:	utkin.exe
Analysis ID:	1581171
MD5:	119891f3f60e7bba10a6b60731a8d211
SHA1:	576db62811bd9aa8c735b90851b8f872bf223248
SHA256:	ad9b276a5d2f75e7d1c6b21f95d8a7cb70f482f2621847bca4864d90753de72f
Tags:	exeuser-lontze7
Infos:

Detection

CredGrabber, Meduza Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected CredGrabber

Yara detected Meduza Stealer

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Suricata IDS alerts with low severity for network traffic

Terminates after testing mutex exists (may check infected machine status)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

utkin.exe (PID: 1772 cmdline: "C:\Users\user\Desktop\utkin.exe" MD5: 119891F3F60E7BBA10A6B60731A8D211)

cleanup

Malware Configuration

Threatname: Meduza Stealer

{"C2 url": "193.3.19.151", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt; .doc; .xlsx", "build_name": "hellres", "links": "", "port": 15666}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp	infostealer_win_meduzastealer	Finds MeduzaStealer samples based on specific strings	Sekoia.io	0x114944:$str01: emoji 0x1175d8:$str02: %d-%m-%Y, %H:%M:%S 0x117648:$str03: [UTC 0x117650:$str04: user_name 0x117698:$str05: computer_name 0x117670:$str06: timezone 0x1175a8:$str07: current_path() 0x114908:$str08: [json.exception. 0x12f42c:$str09: GDI32.dll 0x12f69e:$str10: GdipGetImageEncoders 0x12f716:$str10: GdipGetImageEncoders 0x12ecb0:$str11: GetGeoInfoA
Process Memory Space: utkin.exe PID: 1772	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
Process Memory Space: utkin.exe PID: 1772	JoeSecurity_CredGrabber	Yara detected CredGrabber	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.utkin.exe.1c739630000.0.raw.unpack	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
0.2.utkin.exe.1c739630000.0.raw.unpack	infostealer_win_meduzastealer	Finds MeduzaStealer samples based on specific strings	Sekoia.io	0x114944:$str01: emoji 0x1175d8:$str02: %d-%m-%Y, %H:%M:%S 0x117648:$str03: [UTC 0x117650:$str04: user_name 0x117698:$str05: computer_name 0x117670:$str06: timezone 0x1175a8:$str07: current_path() 0x114908:$str08: [json.exception. 0x12f42c:$str09: GDI32.dll 0x12f69e:$str10: GdipGetImageEncoders 0x12f716:$str10: GdipGetImageEncoders 0x12ecb0:$str11: GetGeoInfoA
0.2.utkin.exe.1c739630000.0.unpack	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
0.2.utkin.exe.1c739630000.0.unpack	infostealer_win_meduzastealer	Finds MeduzaStealer samples based on specific strings	Sekoia.io	0x113144:$str01: emoji 0x115dd8:$str02: %d-%m-%Y, %H:%M:%S 0x115e48:$str03: [UTC 0x115e50:$str04: user_name 0x115e98:$str05: computer_name 0x115e70:$str06: timezone 0x115da8:$str07: current_path() 0x113108:$str08: [json.exception. 0x12dc2c:$str09: GDI32.dll 0x12de9e:$str10: GdipGetImageEncoders 0x12df16:$str10: GdipGetImageEncoders 0x12d4b0:$str11: GetGeoInfoA

Suricata Signatures

ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T06:52:07.358485+0100	2049441	1	A Network Trojan was detected	192.168.2.4	49730	193.3.19.151	15666	TCP

ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T06:52:07.358485+0100	2050806	1	A Network Trojan was detected	192.168.2.4	49730	193.3.19.151	15666	TCP
2024-12-27T06:52:07.478244+0100	2050806	1	A Network Trojan was detected	192.168.2.4	49730	193.3.19.151	15666	TCP

ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T06:52:07.358485+0100	2050807	1	A Network Trojan was detected	192.168.2.4	49730	193.3.19.151	15666	TCP
2024-12-27T06:52:07.478244+0100	2050807	1	A Network Trojan was detected	192.168.2.4	49730	193.3.19.151	15666	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.utkin.exe.1c739630000.0.raw.unpack

Malware Configuration Extractor: Meduza Stealer {"C2 url": "193.3.19.151", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt; .doc; .xlsx", "build_name": "hellres", "links": "", "port": 15666}

Multi AV Scanner detection for submitted file

Source: utkin.exe	Virustotal: Detection: 62%			Perma Link
Source: utkin.exe	ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396A7BA0 CryptUnprotectData,LocalFree,	0_2_000001C7396A7BA0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396A8440 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,Concurrency::cancel_current_task,	0_2_000001C7396A8440
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396A83C0 BCryptCloseAlgorithmProvider,	0_2_000001C7396A83C0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739705660 BCryptCloseAlgorithmProvider,	0_2_000001C739705660
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739663A30 BCryptDestroyKey,	0_2_000001C739663A30
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739667C20 CryptUnprotectData,LocalFree,	0_2_000001C739667C20
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396A7EC0 CryptProtectData,LocalFree,	0_2_000001C7396A7EC0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396A8020 BCryptDecrypt,BCryptDecrypt,	0_2_000001C7396A8020
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739705090 CryptUnprotectData,	0_2_000001C739705090

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: utkin.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396EB500 FindClose,FindFirstFileExW,GetLastError,	0_2_000001C7396EB500
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396EB5B0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	0_2_000001C7396EB5B0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739705100 FindFirstFileW,	0_2_000001C739705100

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C7396B73F0 GetLogicalDriveStringsW,

0_2_000001C7396B73F0

Source: C:\Users\user\Desktop\utkin.exe	File opened: D:\sources\migration\	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: D:\sources\replacementmanifests\	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: D:\sources\migration\wtr\	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.4:49730 -> 193.3.19.151:15666
Source: Network traffic	Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.4:49730 -> 193.3.19.151:15666

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 193.3.19.151:15666

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 193.3.19.151 193.3.19.151
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: ARNES-NETAcademicandResearchNetworkofSloveniaSI ARNES-NETAcademicandResearchNetworkofSloveniaSI

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic

Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.4:49730 -> 193.3.19.151:15666

Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C7396B5240 InternetOpenA,InternetOpenUrlA,HttpQueryInfoW,HttpQueryInfoW,InternetQueryDataAvailable,InternetReadFile,InternetQueryDataAvailable,InternetCloseHandle,Concurrency::cancel_current_task,

0_2_000001C7396B5240

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: utkin.exe, 00000000.00000002.1945491630.000001C737C0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: utkin.exe, 00000000.00000002.1945491630.000001C737C13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: utkin.exe, 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/A:
Source: utkin.exe, 00000000.00000002.1945491630.000001C737C13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/a
Source: utkin.exe, 00000000.00000002.1945491630.000001C737C0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgW
Source: utkin.exe, 00000000.00000002.1945491630.000001C737C0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org_

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C7396B5B70 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

0_2_000001C7396B5B70

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.utkin.exe.1c739630000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: 0.2.utkin.exe.1c739630000.0.unpack, type: UNPACKEDPE	Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io

Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396BA430 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize,	0_2_000001C7396BA430
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739705720 NtQueryObject,	0_2_000001C739705720
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396B9D30 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle,	0_2_000001C7396B9D30

Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396B5240	0_2_000001C7396B5240
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396C918C	0_2_000001C7396C918C
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739660450	0_2_000001C739660450
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739696350	0_2_000001C739696350
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739675310	0_2_000001C739675310
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396F0658	0_2_000001C7396F0658
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C73966E610	0_2_000001C73966E610
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396B76A0	0_2_000001C7396B76A0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396BC5CB	0_2_000001C7396BC5CB
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396EB5B0	0_2_000001C7396EB5B0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C73966D570	0_2_000001C73966D570
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396B6860	0_2_000001C7396B6860
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C73965F730	0_2_000001C73965F730
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C73966CA10	0_2_000001C73966CA10
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739695970	0_2_000001C739695970
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C73966ECB0	0_2_000001C73966ECB0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739662CA0	0_2_000001C739662CA0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739661B90	0_2_000001C739661B90
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396B5B70	0_2_000001C7396B5B70
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739664B70	0_2_000001C739664B70
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396D2E3C	0_2_000001C7396D2E3C
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C73965FE20	0_2_000001C73965FE20
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396BD050	0_2_000001C7396BD050
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396B8030	0_2_000001C7396B8030
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396AF020	0_2_000001C7396AF020
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396620B0	0_2_000001C7396620B0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C73969D080	0_2_000001C73969D080
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739679F80	0_2_000001C739679F80
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396C1220	0_2_000001C7396C1220
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396A02C0	0_2_000001C7396A02C0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396C3150	0_2_000001C7396C3150
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396C6164	0_2_000001C7396C6164
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396DC128	0_2_000001C7396DC128
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C73968C0F0	0_2_000001C73968C0F0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396D71D8	0_2_000001C7396D71D8
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739636180	0_2_000001C739636180
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396DA44F	0_2_000001C7396DA44F
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396BA430	0_2_000001C7396BA430
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C73968C420	0_2_000001C73968C420
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396AB420	0_2_000001C7396AB420
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396D14E4	0_2_000001C7396D14E4
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C73968B480	0_2_000001C73968B480
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396AE2F0	0_2_000001C7396AE2F0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396583D0	0_2_000001C7396583D0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396DA3C8	0_2_000001C7396DA3C8
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396C5394	0_2_000001C7396C5394
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396A63A6	0_2_000001C7396A63A6
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739636610	0_2_000001C739636610
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396D46E4	0_2_000001C7396D46E4
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396D36A8	0_2_000001C7396D36A8
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396D8674	0_2_000001C7396D8674
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396C666C	0_2_000001C7396C666C
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396B6540	0_2_000001C7396B6540
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739656510	0_2_000001C739656510
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739655520	0_2_000001C739655520
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396C5598	0_2_000001C7396C5598
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396698CD	0_2_000001C7396698CD
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396AC8E0	0_2_000001C7396AC8E0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739692750	0_2_000001C739692750
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739684720	0_2_000001C739684720
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396CF7E6	0_2_000001C7396CF7E6
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396C579C	0_2_000001C7396C579C
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C73968B780	0_2_000001C73968B780
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396BA780	0_2_000001C7396BA780
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739663A30	0_2_000001C739663A30
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C73968BAB0	0_2_000001C73968BAB0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396A5AB0	0_2_000001C7396A5AB0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739690AC0	0_2_000001C739690AC0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396D6A68	0_2_000001C7396D6A68
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739660A80	0_2_000001C739660A80
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396CA924	0_2_000001C7396CA924
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739681AF0	0_2_000001C739681AF0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396A8B00	0_2_000001C7396A8B00
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396DBB90	0_2_000001C7396DBB90
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396B0E90	0_2_000001C7396B0E90
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739667E70	0_2_000001C739667E70
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739660E80	0_2_000001C739660E80
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396C8D50	0_2_000001C7396C8D50
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396A4D40	0_2_000001C7396A4D40
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396C0D14	0_2_000001C7396C0D14
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739687CEB	0_2_000001C739687CEB
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C73968BDD0	0_2_000001C73968BDD0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C73966ADD0	0_2_000001C73966ADD0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739635DB0	0_2_000001C739635DB0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396370E0	0_2_000001C7396370E0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396CF0D8	0_2_000001C7396CF0D8
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396D30B8	0_2_000001C7396D30B8
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C73966BF40	0_2_000001C73966BF40
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396A5EF0	0_2_000001C7396A5EF0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396EFFBC	0_2_000001C7396EFFBC

Source: C:\Users\user\Desktop\utkin.exe	Code function: String function: 000001C73965BA80 appears 32 times
Source: C:\Users\user\Desktop\utkin.exe	Code function: String function: 000001C73965E1D0 appears 33 times
Source: C:\Users\user\Desktop\utkin.exe	Code function: String function: 000001C739666940 appears 41 times
Source: C:\Users\user\Desktop\utkin.exe	Code function: String function: 000001C7396C8254 appears 34 times
Source: C:\Users\user\Desktop\utkin.exe	Code function: String function: 000001C7396786B0 appears 54 times

Source: 0.2.utkin.exe.1c739630000.0.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
Source: 0.2.utkin.exe.1c739630000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
Source: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1

Source: classification engine

Classification label: mal100.troj.spyw.winEXE@1/0@1/2

Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396BB9B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,		0_2_000001C7396BB9B0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739705008 AdjustTokenPrivileges,CredEnumerateA,		0_2_000001C739705008

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C73966E610 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_000001C73966E610

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C7396A4ED0 CoCreateInstance,

0_2_000001C7396A4ED0

Source: C:\Users\user\Desktop\utkin.exe

Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E6963BBED9AD4

Source: utkin.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\utkin.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: utkin.exe	Virustotal: Detection: 62%
Source: utkin.exe	ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\utkin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\utkin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\utkin.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: utkin.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: utkin.exe

Static file information: File size 2749952 > 1048576

Source: utkin.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x24bc00

Source: utkin.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: utkin.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: utkin.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: utkin.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: utkin.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: utkin.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: utkin.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: utkin.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: utkin.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: utkin.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: utkin.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: utkin.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: utkin.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C73966D570 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

0_2_000001C73966D570

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C73967CAB2 push rdi; retf 0004h

0_2_000001C73967CAB5

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C7396AC600 ExitProcess,OpenMutexA,ExitProcess,CreateMutexA,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle,

0_2_000001C7396AC600

Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396EB500 FindClose,FindFirstFileExW,GetLastError,	0_2_000001C7396EB500
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396EB5B0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	0_2_000001C7396EB5B0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C739705100 FindFirstFileW,	0_2_000001C739705100

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C7396B73F0 GetLogicalDriveStringsW,

0_2_000001C7396B73F0

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C7396C9038 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

0_2_000001C7396C9038

Source: C:\Users\user\Desktop\utkin.exe	File opened: D:\sources\migration\	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: D:\sources\replacementmanifests\	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: D:\sources\migration\wtr\	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2\	Jump to behavior

Source: utkin.exe, 00000000.00000002.1945491630.000001C737C13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT
Source: utkin.exe, 00000000.00000002.1945491630.000001C737C13000.00000004.00000020.00020000.00000000.sdmp, utkin.exe, 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\utkin.exe	API call chain: ExitProcess graph end node			graph_0-64316
Source: C:\Users\user\Desktop\utkin.exe	API call chain: ExitProcess graph end node			graph_0-64321

Source: C:\Users\user\Desktop\utkin.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C7396BA430 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize,

0_2_000001C7396BA430

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C7397052D0 IsDebuggerPresent,

0_2_000001C7397052D0

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C7396ED804 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_000001C7396ED804

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C73966D570 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

0_2_000001C73966D570

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C7396D9EEC GetProcessHeap,

0_2_000001C7396D9EEC

Source: C:\Users\user\Desktop\utkin.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7397052E0 SetUnhandledExceptionFilter,		0_2_000001C7397052E0
Source: C:\Users\user\Desktop\utkin.exe	Code function: 0_2_000001C7396C7F68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_000001C7396C7F68

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C7396AB420 ShellExecuteW,

0_2_000001C7396AB420

Source: C:\Users\user\Desktop\utkin.exe	Code function: GetLocaleInfoEx,FormatMessageA,	0_2_000001C7396EB170
Source: C:\Users\user\Desktop\utkin.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_000001C7396D9468
Source: C:\Users\user\Desktop\utkin.exe	Code function: GetLocaleInfoW,	0_2_000001C7396D9310
Source: C:\Users\user\Desktop\utkin.exe	Code function: GetLocaleInfoW,	0_2_000001C7397053A0
Source: C:\Users\user\Desktop\utkin.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_000001C7396D964C
Source: C:\Users\user\Desktop\utkin.exe	Code function: GetLocaleInfoW,	0_2_000001C7396D9518
Source: C:\Users\user\Desktop\utkin.exe	Code function: EnumSystemLocalesW,	0_2_000001C7396CDAE0
Source: C:\Users\user\Desktop\utkin.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_000001C7396D8C04
Source: C:\Users\user\Desktop\utkin.exe	Code function: EnumSystemLocalesW,	0_2_000001C7396D9030
Source: C:\Users\user\Desktop\utkin.exe	Code function: GetLocaleInfoW,	0_2_000001C7396CE020
Source: C:\Users\user\Desktop\utkin.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_000001C7396D90C8
Source: C:\Users\user\Desktop\utkin.exe	Code function: EnumSystemLocalesW,	0_2_000001C7396D8F60

Source: C:\Users\user\Desktop\utkin.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\utkin.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName

Jump to behavior

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C7396C840C GetSystemTimeAsFileTime,

0_2_000001C7396C840C

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C7396B6150 GetUserNameW,

0_2_000001C7396B6150

Source: C:\Users\user\Desktop\utkin.exe

Code function: 0_2_000001C7396B76A0 GetTimeZoneInformation,

0_2_000001C7396B76A0

Stealing of Sensitive Information

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: utkin.exe PID: 1772, type: MEMORYSTR

Yara detected Meduza Stealer

Source: Yara match	File source: 0.2.utkin.exe.1c739630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.utkin.exe.1c739630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: utkin.exe PID: 1772, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: utkin.exe, 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum-LTC\config
Source: utkin.exe, 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectronCash\config
Source: utkin.exe, 00000000.00000002.1945948907.000001C739925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ny1aaXAgMjMuMDEgKHg2NCkgWzIzLjAxXQpNb3ppbGxhIEZpcmVmb3ggKHg2NCBlbi1VUykgWzExOC4wLjFdCk1vemlsbGEgTWFpbnRlbmFuY2UgU2VydmljZSBbMTE4LjAuMV0KTWljcm9zb2Z0IE9mZmljZSBQcm9mZXNzaW9uYWwgUGx1cyAyMDE5IC0gZW4tdXMgWzE2LjAuMTY4MjcuMjAxMzBdCk1pY3Jvc29mdCBWaXN1YWwgQysrIDIwMjIgWDY0IEFkZGl0aW9uYWwgUnVudGltZSAtIDE0LjM2LjMyNTMyIFsxNC4zNi4zMjUzMl0KT2ZmaWNlIDE2IENsaWNrLXRvLVJ1biBMaWNlbnNpbmcgQ29tcG9uZW50IFsxNi4wLjE2ODI3LjIwMTMwXQpPZmZpY2UgMTYgQ2xpY2stdG8tUnVuIEV4dGVuc2liaWxpdHkgQ29tcG9uZW50IDY0LWJpdCBSZWdpc3RyYXRpb24gWzE2LjAuMTY4MjcuMjAwNTZdCkFkb2JlIEFjcm9iYXQgKDY0LWJpdCkgWzIzLjAwNi4yMDMyMF0KTWljcm9zb2Z0IFZpc3VhbCBDKysgMjAyMiBYNjQgTWluaW11bSBSdW50aW1lIC0gMTQuMzYuMzI1MzIgWzE0LjM2LjMyNTMyXQpHb29nbGUgQ2hyb21lIFsxMTcuMC41OTM4LjEzMl0KTWljcm9zb2Z0IEVkZ2UgWzExNy4wLjIwNDUuNDddCk1pY3Jvc29mdCBFZGdlIFVwZGF0ZSBbMS4zLjE3Ny4xMV0KTWljcm9zb2Z0IEVkZ2UgV2ViVmlldzIgUnVudGltZSBbMTE3LjAuMjA0NS40N10KSmF2YSBBdXRvIFVwZGF0ZXIgWzIuOC4zODEuOV0KSmF2YSA4IFVwZGF0ZSAzODEgWzguMC4zODEwLjldCk1pY3Jvc29mdCBWaXN1YWwgQysrIDIwMTUtMjAyMiBSZWRpc3RyaWJ1dGFibGUgKHg2NCkgLSAxNC4zNi4zMjUzMiBbMTQuMzYuMzI1MzIuMF0KT2ZmaWNlIDE2IENsaWNrLXRvLVJ1biBFeHRlbnNpYmlsaXR5IENvbXBvbmVudCBbMTYuMC4xNjgyNy4yMDEzMF0K
Source: utkin.exe, 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus\exodus.wallet
Source: utkin.exe, 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore
Source: utkin.exe, 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\utkin.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\utkin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\utkin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\utkin.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Remote Access Functionality

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: utkin.exe PID: 1772, type: MEMORYSTR

Yara detected Meduza Stealer

Source: Yara match	File source: 0.2.utkin.exe.1c739630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.utkin.exe.1c739630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: utkin.exe PID: 1772, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Access Token Manipulation	1 OS Credential Dumping	12 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Email Collection	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	2 Obfuscated Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Account Discovery	Distributed Component Object Model	2 Data from Local System	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	24 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
utkin.exe	62%	Virustotal		Browse
utkin.exe	68%	ReversingLabs	Win64.Trojan.MeduzaStealer

Source	Detection	Scanner	Label	Link
https://api.ipify.org_	0%	Avira URL Cloud	safe
https://api.ipify.orgW	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	172.67.74.152	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/a	utkin.exe, 00000000.00000002.1945491630.000001C737C13000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org_	utkin.exe, 00000000.00000002.1945491630.000001C737C0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org	utkin.exe, 00000000.00000002.1945491630.000001C737C0F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org/A:	utkin.exe, 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.orgW	utkin.exe, 00000000.00000002.1945491630.000001C737C0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.3.19.151	unknown	Denmark		2107	ARNES-NETAcademicandResearchNetworkofSloveniaSI	true
172.67.74.152	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581171
Start date and time:	2024-12-27 06:51:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	utkin.exe
Detection:	MAL
Classification:	mal100.troj.spyw.winEXE@1/0@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 79 Number of non-executed functions: 118
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63, 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.3.19.151	iviewers.dll	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	script.ps1	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	script.hta	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	duschno.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	1Sj5F6P4nv.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	5LEXIucyEP.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	44qLDKzsfO.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	gP5rh6fa0S.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	urkOkB0BdX.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
	8F0oMWUhg7.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse
172.67.74.152	jgbC220X2U.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=text
	malware.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Simple2.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	systemConfigChecker.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	systemConfigChecker.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	api.ipify.org/
	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	https://www.canva.com/design/DAGaHpv1g1M/bVE7B2sT8b8T3P-e2xb64w/view?utm_content=DAGaHpv1g1M&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h1ee3678e45	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	https://mandrillapp.com/track/click/30363981/app.salesforceiq.com?p=eyJzIjoiQ21jNldfVTIxTkdJZi1NQzQ1SGE3SXJFTW1RIiwidiI6MSwicCI6IntcInVcIjozMDM2Mzk4MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2FwcC5zYWxlc2ZvcmNlaXEuY29tXFxcL3I_dD1BRndoWmYwNjV0QlFRSnRiMVFmd1A1dC0tMHZnQkowaF9lYklFcTVLRlhTWHFVWmFpNUo4RlFTd1dycTkzR1FPbEFuczlLREd2VzRJQ2Z2eGo4WjVDSkQxUTlXdDVvME5XNWMwY0tIaXpVQWJ1YnBhT2dtS2pjVkxkaDFZWE8ybklsdFRlb2VQZ2dVTCZ0YXJnZXQ9NjMxZjQyMGVlZDEzY2EzYmNmNzdjMzI0JnVybD1odHRwczpcXFwvXFxcL21haW4uZDNxczBuMG9xdjNnN28uYW1wbGlmeWFwcC5jb21cIixcImlkXCI6XCI5ZTdkODJiNWQ0NzA0YWVhYTQ1ZjkxY2Y0ZTFmNGRiMFwiLFwidXJsX2lkc1wiOltcImY5ODQ5NWVhMjMyYTgzNjg1ODUxN2Y4ZTRiOTVjZjg4MWZlODExNmJcIl19In0	Get hash	malicious	Unknown	Browse	104.26.12.205
	Ref#20203216.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	tg.exe	Get hash	malicious	Babadeda	Browse	172.67.74.152
	tg.exe	Get hash	malicious	Babadeda	Browse	104.26.12.205
	setup.exe	Get hash	malicious	Babadeda	Browse	104.26.13.205
	QUOTATION#008792.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	c9toH15OT0.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://www.canva.com/design/DAGZxEJMIA0/pFi0b1a1Y78oAGDuII8Hjg/view?utm_content=DAGZxEJMIA0&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=hdcdec8ed4a	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	billys.exe	Get hash	malicious	Meduza Stealer	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ARNES-NETAcademicandResearchNetworkofSloveniaSI	armv7l.elf	Get hash	malicious	Unknown	Browse	149.62.103.197
	iviewers.dll	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	193.3.19.151
	script.ps1	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	193.3.19.151
	script.hta	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	193.3.19.151
	https://img10.reactor.cc/pics/post/full/Sakimichan-artist-Iono-(Pokemon)-Pok%c3%a9mon-7823638.jpeg	Get hash	malicious	HTMLPhisher	Browse	193.3.184.24
	bot.sh4.elf	Get hash	malicious	Mirai	Browse	95.87.151.57
	duschno.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	193.3.19.151
	jade.arm.elf	Get hash	malicious	Mirai	Browse	95.87.151.72
	https://u48551708.ct.sendgrid.net/ls/click?upn=u001.ztPEaTmy8WofhPYJ48HDSCunUq5pm5yTGRhe-2B0bVSngC8hMYiy6PgMy1xJOG8JJZaOsK-2FG9SE7UmhEzeQSXDmEf7Z3nlXZDH-2BW1HSMP6c8uYUvXDTaJRyLbPDV6bI3nnDyIlM0OJKevMwAF04rpfLmQEYS641NQTMU227kkOtBQgQK-2FNlHeN6DpPMLDgH6kuMS3X_2vbC1nrAFjePip8HYuHYOlkYXiy7Z-2FrO9MQN7lNoEgxRkovUJGAEvKvTFyRmFsa9AQlcDpFhpJzgHajMOC0yWTZOc2DdmxhrlyPvteyXbl8nlhAtf2p-2FHw4RnlZ8cxDY-2BWJeBsszGnsrXuNOI8LpL5ZYI3ad04OdxC8tHHA5tO-2Be1xS3Z9Z3VrOTM-2FT5ptoYnx5N-2FTYKQ13RZ-2FookVMhAtJ6OV43Zayd1qOmHGLwUI8-3D	Get hash	malicious	Phisher	Browse	193.3.19.55
	https://santa-secret.ru/api/verify?a=NjgyODEwNCw1bWluOHE2MHpuX3J1LC9hY2NvdW50L2JveGVzLHZsYWRpbWlyLmdsdXNoZW5rb0Bob2NobGFuZC5ydSwyNDE0MTYzMg==	Get hash	malicious	Unknown	Browse	193.3.184.46
CLOUDFLARENETUS	0Gs0WEGB1E.dll	Get hash	malicious	Unknown	Browse	104.21.22.88
	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	NewI Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.197.192
	exlauncher-unpadded.exe	Get hash	malicious	LummaC	Browse	172.67.218.163
	http://kxyaiaqyijjz.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://pdf-ezy.com/pdf-ez.exe	Get hash	malicious	Unknown	Browse	172.67.152.3
	b8ygJBG5cb.msi	Get hash	malicious	Unknown	Browse	172.67.194.29
	tBnELFfQoe.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.49.159
	phish_alert_iocp_v1.4.48 - 2024-12-26T095152.060.eml	Get hash	malicious	Unknown	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	script.ps1	Get hash	malicious	Vidar	Browse	172.67.74.152
	libcurl.dll	Get hash	malicious	Matanbuchus	Browse	172.67.74.152
	b8ygJBG5cb.msi	Get hash	malicious	Unknown	Browse	172.67.74.152
	setup.msi	Get hash	malicious	Unknown	Browse	172.67.74.152
	installer.msi	Get hash	malicious	Unknown	Browse	172.67.74.152
	setup.msi	Get hash	malicious	Unknown	Browse	172.67.74.152
	setup.msi	Get hash	malicious	Unknown	Browse	172.67.74.152
	HVlonDQpuI.exe	Get hash	malicious	Vidar	Browse	172.67.74.152
	00000.ps1	Get hash	malicious	LummaC	Browse	172.67.74.152

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	3.912125441286115
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	utkin.exe
File size:	2'749'952 bytes
MD5:	119891f3f60e7bba10a6b60731a8d211
SHA1:	576db62811bd9aa8c735b90851b8f872bf223248
SHA256:	ad9b276a5d2f75e7d1c6b21f95d8a7cb70f482f2621847bca4864d90753de72f
SHA512:	694f22d1c9f351e8d3d31d33c04cdb403afaf1afb45df65150298d8707c9228c05b8e5b2f7245c48dcf06270eed8dae79a51b23c9cc20470ee860e2584cec4bf
SSDEEP:	24576:V9L8hJZ4uB+Ch0lhSMXl72x+GsNompILTDyWD5Q:PL8hD4aurpompILTDyz
TLSH:	59D5F195B3E854F9E0B78278C8A60A4AE773780507519BCF03A487B62F336D35E3A751
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\7...V...V...V.......V.......V.......V......yV..S....V..S....V..S....V.. ....V..P...<V..S....V...V...V..S....V..S.a..V..S....V.

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14003e230
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6762C4F4 [Wed Dec 18 12:49:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	259e8414ffd4b8ab603913db518e276c

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F5C3145F46Ch
dec eax
add esp, 28h
jmp 00007F5C3145E8DFh
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F5C3145EA72h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F5C3145EA75h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F5C3145EA6Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F5C3145E4A6h
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [0000FE37h]
dec eax
mov ecx, ebx
call dword ptr [0000FE26h]
call dword ptr [0000FD90h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [0000FE1Ch]
dec eax
mov dword ptr [esp+00h], ecx

Rich Headers

Programming Language:

[IMP] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x298c04	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2a3000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x29e000	0x4038	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2a4000	0xad0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x290d80	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x290c40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4e000	0x438	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4cdc0	0x4ce00	f0c0ea36bf296498c8b89c1a1671ba6c	False	0.5267625762195122	data	6.539312086987541	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4e000	0x24ba3a	0x24bc00	c4fdbadb7f84ccde32e829c09e5d4bfd	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x29a000	0x330c	0x1800	d1ebd331d3cf6c8adbb31602bd239ee4	False	0.1865234375	data	3.2382802275840623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x29e000	0x4038	0x4200	8411825e2467307cedb8b6c4f15d3cdf	False	0.47123579545454547	data	5.575992239724539	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2a3000	0x1e0	0x200	fd7f3c77b3b8152760b71a549e0deae5	False	0.52734375	data	4.7113407225994175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2a4000	0xad0	0xc00	49c311309af6d41eb0a329b47e6c6fcc	False	0.4716796875	data	5.228340394510781	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x2a3060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
ntdll.dll	RtlImageDirectoryEntryToData, RtlLeaveCriticalSection, RtlEnterCriticalSection, RtlCompareMemory, NtProtectVirtualMemory, RtlImageNtHeader, NtQueryVirtualMemory, RtlGetNtVersionNumbers
KERNEL32.dll	FreeEnvironmentStringsW, GetEnvironmentStringsW, VirtualFree, VirtualAlloc, GetModuleHandleW, LoadLibraryA, ReadFile, WriteFile, CreateFileW, CloseHandle, GetProcAddress, GetCurrentProcess, FlushInstructionCache, VirtualQuery, WriteProcessMemory, EnterCriticalSection, GetModuleFileNameW, LeaveCriticalSection, GetModuleHandleA, MultiByteToWideChar, GetWindowsDirectoryW, ExitProcess, WideCharToMultiByte, GetLastError, SetLastError, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, CreateThread, ExitThread, FreeLibrary, FreeLibraryAndExitThread, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, GetCurrentThreadId, DeleteCriticalSection, GetStdHandle, GetFileType, GetStartupInfoW, RaiseException, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, InitializeCriticalSectionAndSpinCount, GetSystemTimeAsFileTime, LoadLibraryExW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, HeapReAlloc, HeapSize, GetProcessHeap, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetStringTypeW, GetFileSizeEx, SetFilePointerEx, SetStdHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadConsoleW, WriteConsoleW, GetCurrentProcessId, InitializeSListHead, RtlUnwindEx, RtlPcToFileHeader, RtlUnwind, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, WakeAllConditionVariable, QueryPerformanceCounter, LCMapStringEx, DecodePointer, InitializeCriticalSectionEx, GetFileInformationByHandleEx, FormatMessageA, QueryPerformanceFrequency, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, Sleep, WaitForSingleObjectEx, GetExitCodeThread, LocalFree, GetLocaleInfoEx, FindClose, FindFirstFileW, FindFirstFileExW, FindNextFileW, GetFileAttributesExW, AreFileApisANSI
USER32.dll	LoadAcceleratorsW, LoadAcceleratorsA
ADVAPI32.dll	GetTokenInformation, OpenProcessToken
OLEAUT32.dll	SysAllocString, SafeArrayPutElement, SafeArrayUnaccessData, SafeArrayCreate, SafeArrayCreateVector, SafeArrayAccessData, SysFreeString, SafeArrayDestroy
mscoree.dll	CLRCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T06:52:07.358485+0100	2049441	ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt	1	192.168.2.4	49730	193.3.19.151	15666	TCP
2024-12-27T06:52:07.358485+0100	2050806	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2	1	192.168.2.4	49730	193.3.19.151	15666	TCP
2024-12-27T06:52:07.358485+0100	2050807	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)	1	192.168.2.4	49730	193.3.19.151	15666	TCP
2024-12-27T06:52:07.478244+0100	2050806	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2	1	192.168.2.4	49730	193.3.19.151	15666	TCP
2024-12-27T06:52:07.478244+0100	2050807	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)	1	192.168.2.4	49730	193.3.19.151	15666	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 06:52:04.382441998 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:04.501955986 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:04.502084970 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:04.698810101 CET	49731	443	192.168.2.4	172.67.74.152
Dec 27, 2024 06:52:04.698846102 CET	443	49731	172.67.74.152	192.168.2.4
Dec 27, 2024 06:52:04.698928118 CET	49731	443	192.168.2.4	172.67.74.152
Dec 27, 2024 06:52:04.703459024 CET	49731	443	192.168.2.4	172.67.74.152
Dec 27, 2024 06:52:04.703474998 CET	443	49731	172.67.74.152	192.168.2.4
Dec 27, 2024 06:52:05.982940912 CET	443	49731	172.67.74.152	192.168.2.4
Dec 27, 2024 06:52:05.983016968 CET	49731	443	192.168.2.4	172.67.74.152
Dec 27, 2024 06:52:06.374373913 CET	49731	443	192.168.2.4	172.67.74.152
Dec 27, 2024 06:52:06.374397039 CET	443	49731	172.67.74.152	192.168.2.4
Dec 27, 2024 06:52:06.374711990 CET	443	49731	172.67.74.152	192.168.2.4
Dec 27, 2024 06:52:06.374778986 CET	49731	443	192.168.2.4	172.67.74.152
Dec 27, 2024 06:52:06.376332998 CET	49731	443	192.168.2.4	172.67.74.152
Dec 27, 2024 06:52:06.423333883 CET	443	49731	172.67.74.152	192.168.2.4
Dec 27, 2024 06:52:06.714621067 CET	443	49731	172.67.74.152	192.168.2.4
Dec 27, 2024 06:52:06.714699984 CET	443	49731	172.67.74.152	192.168.2.4
Dec 27, 2024 06:52:06.714735985 CET	49731	443	192.168.2.4	172.67.74.152
Dec 27, 2024 06:52:06.714759111 CET	49731	443	192.168.2.4	172.67.74.152
Dec 27, 2024 06:52:06.719501019 CET	49731	443	192.168.2.4	172.67.74.152
Dec 27, 2024 06:52:06.719518900 CET	443	49731	172.67.74.152	192.168.2.4
Dec 27, 2024 06:52:07.358484983 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.478121042 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.478138924 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.478199959 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.478208065 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.478244066 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.478285074 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.478296041 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.478321075 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.478342056 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.478358984 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.478404045 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.478414059 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.478457928 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.560250998 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.560317039 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.597790956 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.597846985 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.597866058 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.597877026 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.597906113 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.597937107 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.597946882 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.597958088 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.597995043 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.597997904 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.598043919 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.598100901 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.598146915 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.598150969 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.598189116 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.598227978 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.598239899 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.598275900 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.598332882 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.598344088 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.598385096 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.679934978 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.680062056 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.717408895 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.717506886 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.717526913 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.717549086 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.717556000 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.717606068 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.717680931 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.717731953 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.717731953 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.717780113 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.717830896 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.717881918 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.717881918 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.717930079 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.717956066 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.717998028 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.718005896 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.718045950 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.718139887 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.718185902 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.718239069 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.718254089 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.718262911 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.718281984 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.718312979 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.718346119 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.718355894 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.718398094 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.718437910 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.718478918 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.718482018 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.718522072 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.718540907 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.718552113 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.718576908 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.718585014 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.718591928 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.718621016 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.718636990 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.718672037 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.718698978 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.718708992 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.718727112 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.718761921 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.799675941 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.799686909 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.799719095 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.799752951 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.799771070 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.799813032 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.836990118 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.837048054 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.837158918 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.837184906 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.837207079 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.837224960 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.837385893 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.837435961 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.837443113 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.837481022 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.837585926 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.837595940 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.837636948 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.837655067 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.837680101 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.837697983 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.837718010 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.837821960 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.837833881 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.837861061 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.837878942 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.837912083 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.837956905 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.837956905 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.837999105 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.838109970 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838119984 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838159084 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.838176966 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838186979 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838215113 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.838228941 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.838265896 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838304996 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838305950 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.838344097 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.838371992 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838396072 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838459015 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.838479042 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.838500023 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838510036 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838555098 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.838613033 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838651896 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838656902 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.838692904 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.838728905 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838737965 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838772058 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.838792086 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838804007 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838838100 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.838888884 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838902950 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838937998 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.838969946 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.838979006 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839008093 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839010000 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839020014 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839021921 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839051962 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839067936 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839087009 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839127064 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839129925 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839164972 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839184046 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839196920 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839243889 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839245081 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839286089 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839335918 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839346886 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839374065 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839390993 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839405060 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839416981 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839425087 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839452028 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839457989 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839469910 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839500904 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839509010 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839510918 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839548111 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839616060 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839633942 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839643955 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839653969 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839658976 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839675903 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839689016 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839782000 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839792013 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839818001 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839840889 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839915991 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839926004 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.839962959 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.839968920 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.840010881 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.840032101 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.840075016 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.840107918 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.840117931 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.840142965 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.840162039 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.919329882 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.919395924 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.919450045 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.919467926 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.919475079 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.919513941 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.919521093 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.919538975 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.919543028 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.919559956 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.919565916 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.919589043 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.919601917 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.951172113 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.951282978 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.956573963 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.956628084 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.956751108 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.956779003 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.956779003 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.956814051 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.956840038 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.956871986 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.956899881 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.956921101 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.956938028 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.956988096 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957020044 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957045078 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957051992 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957072020 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957098007 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957115889 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957165003 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957168102 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957194090 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957221031 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957226038 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957238913 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957277060 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957278967 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957326889 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957365036 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957418919 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957449913 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957479000 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957504034 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957508087 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957524061 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957552910 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957556963 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957585096 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957607031 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957634926 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957650900 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957680941 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957705021 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957712889 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957726955 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957767010 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957793951 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957844973 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957864046 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957928896 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.957935095 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.957987070 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958034039 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.958062887 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.958079100 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958108902 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958132982 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.958163977 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.958188057 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958210945 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958240986 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.958291054 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.958297014 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958342075 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958408117 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.958436966 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.958460093 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958483934 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958527088 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.958559036 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.958581924 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958602905 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958652020 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.958702087 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.958713055 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958731890 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.958756924 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958766937 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.958769083 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958812952 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958818913 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.958847046 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.958865881 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958884954 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958897114 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.958925962 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.958949089 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958961010 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.958965063 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959009886 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959013939 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959064007 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959065914 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959094048 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959117889 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959126949 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959141016 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959182978 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959199905 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959228039 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959250927 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959273100 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959278107 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959330082 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959395885 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959424019 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959449053 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959456921 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959476948 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959491014 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959502935 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959536076 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959572077 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959599018 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959618092 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959642887 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959665060 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959695101 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959714890 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959731102 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959744930 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959774017 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959796906 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959816933 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959822893 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959851980 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959870100 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959903955 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959903955 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959933996 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959953070 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959961891 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.959978104 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.959992886 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960012913 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960037947 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960042000 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960072041 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960098982 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960103989 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960113049 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960155964 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960159063 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960185051 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960206032 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960244894 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960252047 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960283041 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960309029 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960310936 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960320950 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960352898 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960361004 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960390091 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960417986 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960422039 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960445881 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960447073 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960469961 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960491896 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960495949 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960525990 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960546970 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960553885 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960577965 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960582018 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960625887 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960632086 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960659981 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960680962 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960690975 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960705042 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960720062 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960731030 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960771084 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960772991 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960802078 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960819960 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960829973 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960844994 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960859060 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960875034 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960900068 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960910082 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960938931 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960961103 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960966110 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.960985899 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.960999966 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961015940 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961045027 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961050034 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961078882 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961102962 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961107016 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961121082 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961136103 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961152077 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961169958 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961179018 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961199045 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961224079 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961227894 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961247921 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961256981 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961265087 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961308002 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961309910 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961338997 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961365938 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961366892 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961384058 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961395025 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961406946 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961421967 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961424112 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961472034 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961477041 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961505890 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961524010 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961533070 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961551905 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961561918 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961579084 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961592913 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961605072 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961638927 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961643934 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961674929 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961694956 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961703062 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961709976 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961730957 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961738110 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961760044 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961780071 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961805105 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961823940 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961834908 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961848021 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961864948 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:07.961880922 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:07.961913109 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.039056063 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.039160967 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.039197922 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.039216042 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.039247036 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.039273024 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.039280891 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.039285898 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.039330959 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.039372921 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.039407969 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.039426088 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.039446115 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.039479017 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.039513111 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.039530039 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.039551020 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.039598942 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.039649963 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.039653063 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.039700985 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.039719105 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.039768934 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.039802074 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.039854050 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.039885998 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.039931059 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.070856094 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.070977926 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.070985079 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.071022987 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.076282024 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.076337099 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.076354027 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.076375008 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.076684952 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.076745987 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.076838970 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.076884031 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.077014923 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.077054024 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.077142000 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.077189922 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.077289104 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.077299118 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.077327013 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.077342033 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.077347040 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.077388048 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.077409029 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.077420950 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.077447891 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.077469110 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.077512026 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.077553034 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.077699900 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.077713966 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.077723980 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.077753067 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.077791929 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.077804089 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.077832937 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.077855110 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.077954054 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.077964067 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.077997923 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.078002930 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.078006983 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.078044891 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.078078985 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.078115940 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.078125954 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.078134060 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.078150988 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.078161955 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.078562975 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.078609943 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.078757048 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.078800917 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.078825951 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.078866959 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.078994989 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.079036951 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.079041004 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.079047918 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.079077959 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.079093933 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.079648972 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.079838991 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.081341028 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.081389904 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.081403017 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.081413984 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.081445932 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.081458092 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.081459999 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.081471920 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.081507921 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.081604004 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.081648111 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.081665039 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.081676960 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.081702948 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.081703901 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.081715107 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.081739902 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.081862926 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.081873894 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.081907034 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.081923962 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.081935883 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.081964016 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.081974030 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.081979036 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082021952 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082062960 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082075119 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082102060 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082118988 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082134008 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082145929 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082173109 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082185984 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082246065 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082257032 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082282066 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082305908 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082309961 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082320929 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082345009 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082353115 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082360983 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082390070 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082396030 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082432032 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082442999 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082449913 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082470894 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082480907 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082485914 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082529068 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082578897 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082619905 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082643986 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082684994 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082691908 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082704067 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082729101 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082751036 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082818031 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082859039 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082865953 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082894087 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082905054 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082906008 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082930088 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082943916 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.082971096 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.082982063 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083015919 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083028078 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083055019 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083069086 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083093882 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083101034 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083113909 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083141088 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083236933 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083247900 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083281994 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083285093 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083324909 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083328009 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083357096 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083365917 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083401918 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083409071 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083421946 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083446026 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083462954 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083551884 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083564043 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083592892 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083609104 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083611965 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083638906 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083652020 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083679914 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083692074 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083704948 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083722115 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083735943 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083753109 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083838940 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083851099 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083882093 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083890915 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083908081 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.083920956 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.083964109 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084018946 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084038019 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084048033 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084064007 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084079981 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084089041 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084126949 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084139109 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084170103 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084172010 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084192038 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084208012 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084311962 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084333897 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084345102 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084362984 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084376097 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084394932 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084470034 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084481955 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084508896 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084526062 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084528923 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084541082 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084573030 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084583044 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084614038 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084624052 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084656000 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084664106 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084681988 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084700108 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084733009 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084743977 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084753990 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084779024 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084793091 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084853888 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084870100 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084891081 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084892988 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084903002 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084913015 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084928989 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084945917 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.084976912 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.084990025 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085022926 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085031986 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085033894 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085043907 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085072041 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085078001 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085081100 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085119009 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085139990 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085180998 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085237026 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085247993 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085258961 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085292101 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085390091 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085433006 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085455894 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085468054 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085499048 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085516930 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085517883 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085529089 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085557938 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085573912 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085612059 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085623026 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085648060 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085656881 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085661888 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085666895 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085689068 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085704088 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085757971 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085778952 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085803032 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085820913 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085839987 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085850000 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085870981 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085884094 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085894108 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085922003 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.085954905 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085966110 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.085994959 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086004972 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086016893 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086018085 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086050034 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086062908 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086174965 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086194038 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086215973 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086227894 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086230993 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086271048 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086299896 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086327076 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086337090 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086343050 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086369038 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086374998 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086388111 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086390972 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086414099 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086419106 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086431026 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086458921 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086541891 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086553097 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086589098 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086601019 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086611986 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086622953 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086651087 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086671114 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086766958 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086780071 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086808920 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086817026 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086827993 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086838961 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086844921 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.086855888 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086869955 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.086886883 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087061882 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087081909 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087106943 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087111950 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087117910 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087143898 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087153912 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087173939 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087184906 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087214947 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087285042 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087321043 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087331057 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087335110 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087352991 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087361097 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087373972 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087403059 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087501049 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087512016 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087522030 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087543964 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087544918 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087554932 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087558985 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087577105 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087588072 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087599993 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087605000 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087615967 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087636948 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087651968 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087683916 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087711096 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087723970 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087759972 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087762117 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087791920 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087805986 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087838888 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087845087 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087888002 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087908030 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087918043 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.087944031 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.087961912 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.088026047 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088037014 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088068962 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.088169098 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088180065 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088191986 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088203907 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088212013 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.088227987 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.088252068 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.088265896 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088285923 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088300943 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.088321924 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.088332891 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088344097 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088381052 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.088383913 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088426113 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.088454008 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088495970 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.088562012 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088603020 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.088639021 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088650942 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088677883 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.088699102 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.088725090 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088737011 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088746071 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088756084 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088769913 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.088788986 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.088799000 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.088851929 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088862896 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.088893890 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.088911057 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.112461090 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.112618923 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.159107924 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.159156084 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.159185886 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.159194946 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.159204006 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.159224987 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.159246922 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.159260988 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.159266949 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.159306049 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.159416914 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.159456015 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.159495115 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.159526110 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.159533024 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.159559965 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.159567118 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.159610033 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.159641981 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.159686089 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.159715891 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.159744978 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.159755945 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.159782887 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.159805059 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.159856081 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.159857988 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.159910917 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.159950018 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.159980059 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.160000086 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.160024881 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.160029888 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.160077095 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.160079002 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.160125017 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.160202026 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.160232067 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.160248041 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.160276890 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.160289049 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.160341024 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.160341024 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.160391092 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.160402060 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.160435915 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.160459042 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.160515070 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.160532951 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.160562992 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.160576105 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.160609961 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.160614014 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.160645008 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.160656929 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.160695076 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.190584898 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.190599918 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.190613031 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.190648079 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.190671921 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.190687895 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.190732002 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.195858955 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.195869923 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.195911884 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.195944071 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.195983887 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.195990086 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.196026087 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.196229935 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.196278095 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.196310043 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.196357965 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.196419954 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.196463108 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.196521044 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.196566105 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.196652889 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.196662903 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.196703911 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.196712017 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.196749926 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.196758032 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.196794033 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.196814060 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.196834087 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.196856976 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.196877003 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.196926117 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.196969986 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.196969986 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.197012901 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.197029114 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197069883 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.197099924 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197144032 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.197175026 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197185993 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197223902 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.197249889 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197259903 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197279930 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197305918 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.197319031 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.197326899 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197372913 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.197411060 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197422028 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197457075 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.197498083 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197526932 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197540998 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.197566032 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197576046 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.197607040 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.197639942 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197689056 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.197722912 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197731972 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197772980 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.197782993 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197792053 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197829008 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.197863102 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197874069 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197913885 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.197937965 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197947979 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.197987080 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.198019028 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198029041 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198070049 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.198107004 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198117018 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198152065 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.198168039 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198199034 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198211908 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.198240995 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.198246002 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198266029 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198287964 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.198307037 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.198331118 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198339939 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198383093 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.198427916 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198476076 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.198476076 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198522091 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.198534966 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198561907 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198570967 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198580027 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.198596001 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.198612928 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.198704004 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198714018 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198721886 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198750973 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.198772907 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.198785067 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198795080 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.198834896 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.199327946 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.199369907 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.199454069 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.199497938 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.200839043 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.200889111 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.200922966 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.200932026 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.200973988 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.200999022 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201046944 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.201061010 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201100111 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201107025 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.201143026 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.201163054 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201190948 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201209068 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.201220989 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201236963 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.201256990 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.201265097 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201311111 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.201323986 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201366901 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.201369047 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201402903 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201409101 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.201447010 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.201493979 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201538086 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.201575994 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201586962 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201595068 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201613903 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201623917 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.201641083 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.201652050 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201658964 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.201698065 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.201756954 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201767921 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201803923 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.201881886 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201893091 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201932907 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.201978922 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.201988935 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202028990 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.202059031 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202071905 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202100039 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.202117920 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.202147007 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202189922 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202193975 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.202234030 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.202234030 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202244997 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202284098 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.202359915 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202368975 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202405930 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.202440977 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202459097 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202481985 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.202497959 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.202522993 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202549934 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202579021 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.202595949 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.202609062 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202637911 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202652931 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.202685118 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.202722073 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202732086 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202769995 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.202801943 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202815056 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202848911 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.202893019 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202918053 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202936888 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.202960014 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.202967882 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.202989101 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203010082 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.203037024 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203037024 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.203075886 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.203110933 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203139067 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203152895 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.203164101 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.203165054 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203207970 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.203234911 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203255892 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203279972 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.203296900 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.203342915 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203353882 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203391075 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.203440905 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203470945 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203493118 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.203509092 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.203558922 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203598976 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.203603029 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203641891 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.203668118 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203679085 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203722000 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.203744888 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203756094 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203792095 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.203836918 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203862906 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203887939 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.203905106 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.203927040 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.203969002 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.203969955 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204010963 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.204037905 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204047918 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204082012 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.204099894 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.204154968 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204165936 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204200029 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.204205990 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204211950 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.204235077 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204250097 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.204277039 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.204339027 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204381943 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.204411030 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204421997 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204456091 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.204483986 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204494953 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204511881 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204530001 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.204546928 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.204582930 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204624891 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204627037 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.204668999 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.204699039 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204715014 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204736948 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.204751968 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.204792976 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204829931 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204843044 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.204864979 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.204885006 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204931021 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.204931974 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.204973936 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.205034971 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205044031 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205070972 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205080032 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.205121040 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.205137014 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205180883 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.205195904 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205239058 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.205255032 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205271959 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205280066 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205297947 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.205312967 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.205384016 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205393076 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205430984 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.205440998 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205488920 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.205497026 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205539942 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.205558062 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205569983 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205610991 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.205641031 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205651045 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205691099 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.205694914 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205712080 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205759048 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.205775023 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205800056 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205821037 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.205838919 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.205864906 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205908060 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205909967 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.205954075 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.205974102 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.205992937 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206002951 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206022024 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.206043005 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.206137896 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206149101 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206156969 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206167936 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206177950 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206192017 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.206214905 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.206248045 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206259012 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206295013 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.206316948 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206327915 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206366062 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.206442118 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206453085 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206492901 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.206518888 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206528902 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206572056 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.206603050 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206614971 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206650972 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.206657887 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206669092 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206706047 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.206726074 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206775904 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.206824064 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206840992 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206850052 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206865072 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206887007 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.206912994 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.206913948 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206938028 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.206960917 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.206970930 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.206990957 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207034111 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207058907 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207082987 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207099915 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207115889 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207138062 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207182884 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207199097 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207247019 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207273960 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207283974 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207321882 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207333088 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207345009 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207381964 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207411051 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207427979 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207459927 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207475901 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207505941 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207516909 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207546949 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207554102 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207576036 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207582951 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207616091 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207660913 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207673073 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207706928 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207707882 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207724094 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207751036 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207768917 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207807064 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207843065 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207854986 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207873106 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207884073 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207926989 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207942009 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207986116 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.207988024 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.207998991 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208029032 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.208044052 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.208046913 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208071947 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208091974 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.208117962 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.208151102 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208162069 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208199024 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.208218098 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208229065 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208267927 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.208307028 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208333015 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208353043 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.208369970 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.208442926 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208455086 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208489895 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.208533049 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208543062 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208583117 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.208609104 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208621979 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208650112 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208664894 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.208692074 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208694935 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.208734035 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208734989 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.208776951 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.208811998 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208856106 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.208880901 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208890915 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.208930969 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.249845028 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.250307083 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.250380039 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.250428915 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.250482082 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.250535965 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.250582933 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.292824030 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.293050051 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.356869936 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.357038021 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.357100010 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.357151985 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.357199907 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.357248068 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.357295990 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.357340097 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.357394934 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.357439995 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.357490063 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.357532024 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.357578039 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.357626915 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.357677937 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.357726097 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.357780933 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.357814074 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.385478020 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.385695934 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.385770082 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.385826111 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.385896921 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.385950089 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.386001110 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.397691011 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.397778034 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.436954021 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.437078953 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.476548910 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.476675987 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.476756096 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.505306005 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.505502939 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.505578041 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.505623102 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.505675077 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.505717993 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.505773067 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.505815029 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.505884886 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.505933046 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.505986929 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.506021023 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.543380976 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.543673038 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.543744087 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.557198048 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.557399035 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.557467937 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.557512045 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.557559013 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.557610035 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.557667017 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.557708979 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.557755947 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.557806015 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.557846069 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.557868004 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.596427917 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.596555948 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.624978065 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.625281096 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.625346899 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.663229942 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.663395882 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.673556089 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.673801899 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.673867941 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.674449921 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.674642086 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.674698114 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.674747944 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.674803972 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.674855947 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.674912930 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.674962044 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.675013065 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.675055027 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.675120115 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.675136089 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.677309990 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.677375078 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.716073036 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.716222048 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.716468096 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.716538906 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.716588020 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.716640949 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.716687918 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.716741085 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.716805935 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.716861010 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.716888905 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.745131016 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.745305061 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.782964945 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.783210039 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.787854910 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.788039923 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.788110971 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.789660931 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.789841890 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.789906979 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.789959908 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.790024042 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.793525934 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.793590069 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.793597937 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.793639898 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.793674946 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.793685913 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.793728113 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.793729067 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.793741941 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.793780088 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.793803930 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.793844938 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.793865919 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.793876886 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.793914080 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.793917894 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.793951035 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.793975115 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.793994904 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.794014931 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.794034958 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.794053078 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.794095039 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.794104099 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.794146061 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.794171095 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.794182062 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.794212103 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.794226885 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.794239998 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.794254065 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.794290066 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.794295073 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.794331074 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.835741997 CET	15666	49730	193.3.19.151	192.168.2.4
Dec 27, 2024 06:52:08.836338997 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.836407900 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.836451054 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.836496115 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.836560011 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.836606979 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.836651087 CET	49730	15666	192.168.2.4	193.3.19.151
Dec 27, 2024 06:52:08.836708069 CET	49730	15666	192.168.2.4	193.3.19.151

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 06:52:04.555978060 CET	192.168.2.4	1.1.1.1	0xcf53	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 06:52:04.692914963 CET	1.1.1.1	192.168.2.4	0xcf53	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:52:04.692914963 CET	1.1.1.1	192.168.2.4	0xcf53	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 27, 2024 06:52:04.692914963 CET	1.1.1.1	192.168.2.4	0xcf53	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	172.67.74.152	443	1772	C:\Users\user\Desktop\utkin.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 05:52:06 UTC	100	OUT	GET / HTTP/1.1 Accept: text/html; text/plain; / Host: api.ipify.org Cache-Control: no-cache
2024-12-27 05:52:06 UTC	424	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 05:52:06 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8f870ae8ee3178e7-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1940&min_rtt=1929&rtt_var=747&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=738&delivery_rate=1442687&cwnd=234&unsent_bytes=0&cid=caf50f04eee66047&ts=745&x=0"
2024-12-27 05:52:06 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Target ID:	0
Start time:	00:52:02
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\utkin.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\utkin.exe"
Imagebase:	0x7ff680ff0000
File size:	2'749'952 bytes
MD5 hash:	119891F3F60E7BBA10A6B60731A8D211
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MeduzaStealer, Description: Yara detected Meduza Stealer, Source: 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MeduzaStealer, Description: Yara detected Meduza Stealer, Source: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: infostealer_win_meduzastealer, Description: Finds MeduzaStealer samples based on specific strings, Source: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Author: Sekoia.io
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	26.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	73

Executed Functions

Function 000001C7396B5B70 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 225
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 000001C7396B5BB1
GetSystemMetrics.USER32 ref: 000001C7396B5BBF
GetSystemMetrics.USER32 ref: 000001C7396B5BCD
GetSystemMetrics.USER32 ref: 000001C7396B5BDB
GetDC.USER32 ref: 000001C7396B5BE5
GetDeviceCaps.GDI32 ref: 000001C7396B5BFB
GetDeviceCaps.GDI32 ref: 000001C7396B5C0B
CreateCompatibleDC.GDI32 ref: 000001C7396B5C18
CreateCompatibleBitmap.GDI32 ref: 000001C7396B5C30
SelectObject.GDI32 ref: 000001C7396B5C46
BitBlt.GDI32 ref: 000001C7396B5C7C
SHCreateMemStream.SHLWAPI ref: 000001C7396B5CB2
SelectObject.GDI32 ref: 000001C7396B5CC8
DeleteDC.GDI32 ref: 000001C7396B5CD1
ReleaseDC.USER32 ref: 000001C7396B5CDC
DeleteObject.GDI32 ref: 000001C7396B5CE5
EnterCriticalSection.KERNEL32 ref: 000001C7396B5DDC
LeaveCriticalSection.KERNEL32 ref: 000001C7396B5DEE
IStream_Size.SHLWAPI ref: 000001C7396B5E25
IStream_Reset.SHLWAPI ref: 000001C7396B5E36
IStream_Read.SHLWAPI ref: 000001C7396B5EBB
SelectObject.GDI32 ref: 000001C7396B5F15
DeleteDC.GDI32 ref: 000001C7396B5F1E
ReleaseDC.USER32 ref: 000001C7396B5F2B
DeleteObject.GDI32 ref: 000001C7396B5F34

Strings

, xrefs: 000001C7396B5C51

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Object$DeleteMetricsSystem$CreateSelectStream_$CapsCompatibleCriticalDeviceReleaseSection$BitmapEnterLeaveReadResetSizeStream
String ID:
API String ID: 3214587331-3916222277
Opcode ID: b6d8309bfc4d2428f6a65325859bc04d77e5cbab02dabebe1c17cd2043633e10
Instruction ID: b4f80cfb6d2d9666a856b02210fab165664c1a3eb0657a9da09375135eb5fb2a
Opcode Fuzzy Hash: b6d8309bfc4d2428f6a65325859bc04d77e5cbab02dabebe1c17cd2043633e10
Instruction Fuzzy Hash: 84B13F72649BC086F760DB22F8587DEB3A5F789B80F40A515DA8E43B99DF78C084DB41

Function 000001C7396EB5B0 Relevance: 27.2, APIs: 18, Instructions: 229
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesExW.KERNEL32 ref: 000001C7396EB65D
GetLastError.KERNEL32 ref: 000001C7396EB667
FindFirstFileW.KERNEL32 ref: 000001C7396EB67E
GetLastError.KERNEL32 ref: 000001C7396EB68A
FindClose.KERNEL32 ref: 000001C7396EB698
__std_fs_open_handle.LIBCPMT ref: 000001C7396EB72B
CloseHandle.KERNEL32 ref: 000001C7396EB741
CloseHandle.KERNEL32 ref: 000001C7396EB8B4

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handle
String ID:
API String ID: 2398595512-0
Opcode ID: ae06ef96b620ec177ea6819a3a1ac38214177ad565b87e13f1ccf53398ca1eb7
Instruction ID: d8390fb234e124c38e29b1a4d55bab5c701e5c0924abf1567b881a4d1ff9bf23
Opcode Fuzzy Hash: ae06ef96b620ec177ea6819a3a1ac38214177ad565b87e13f1ccf53398ca1eb7
Instruction Fuzzy Hash: B591B43178BAC686FB744B37A904BDA2390B7457B4F586718DA76477D4DBB9C400AF00

Function 000001C7396B8030 Relevance: 22.6, APIs: 3, Strings: 9, Instructions: 1600COMMON

Download Yara Rule

APIs

Part of subcall function 000001C7396B6C70: GetCurrentHwProfileW.ADVAPI32 ref: 000001C7396B6CAC

Part of subcall function 000001C7396B6540: EnumDisplayDevicesW.USER32 ref: 000001C7396B6657
Part of subcall function 000001C7396B6540: EnumDisplayDevicesW.USER32 ref: 000001C7396B66FB

Part of subcall function 000001C7396B6460: RegGetValueA.ADVAPI32 ref: 000001C7396B64C9

Part of subcall function 000001C7396B6150: GetUserNameW.ADVAPI32 ref: 000001C7396B6195

Part of subcall function 000001C7396B61F0: GetComputerNameW.KERNEL32 ref: 000001C7396B6235

GlobalMemoryStatusEx.KERNEL32 ref: 000001C7396B87BC
wcsftime.LIBCMT ref: 000001C7396B8FB2
GetModuleFileNameA.KERNEL32 ref: 000001C7396B9146

Strings

ram, xrefs: 000001C7396B889B
gpu, xrefs: 000001C7396B8562
time, xrefs: 000001C7396B9081
system, xrefs: 000001C7396B8424, 000001C7396B8513, 000001C7396B8609, 000001C7396B8703, 000001C7396B884B, 000001C7396B8945, 000001C7396B8A38, 000001C7396B8BBF, 000001C7396B8DB0, 000001C7396B9031, 000001C7396B91F4, 000001C7396B940E, 000001C7396B95AD, 000001C7396B9757, 000001C7396B981D
user_name, xrefs: 000001C7396B846F
%d-%m-%Y, %H:%M:%S, xrefs: 000001C7396B8F9F
computer_name, xrefs: 000001C7396B8994
timezone, xrefs: 000001C7396B9454
cpu, xrefs: 000001C7396B8658

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Name$DevicesDisplayEnum$ComputerCurrentFileGlobalMemoryModuleProfileStatusUserValuewcsftime
String ID: %d-%m-%Y, %H:%M:%S$computer_name$cpu$gpu$ram$system$time$timezone$user_name
API String ID: 2509368203-1182675529
Opcode ID: 30d7319eb40d475d05298705ab6769d1baa6955a93ccd1e35d3be10f0adcd950
Instruction ID: 001f00551d7f43558e24409773963b4eb9879d47c29af6ba5aea2bb02d3ebea9
Opcode Fuzzy Hash: 30d7319eb40d475d05298705ab6769d1baa6955a93ccd1e35d3be10f0adcd950
Instruction Fuzzy Hash: 29F28F33659BC085EB21CF25E8907DD77A1F789798F406216EA9D07BE9EB78C640DB00

Function 000001C73966D570 Relevance: 20.1, APIs: 8, Strings: 3, Instructions: 862
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 000001C73966D65C
GetProcAddress.KERNEL32 ref: 000001C73966D767
GetProcAddress.KERNEL32 ref: 000001C73966D829
GetProcAddress.KERNEL32 ref: 000001C73966D8A3
GetProcAddress.KERNEL32 ref: 000001C73966D925
GetProcAddress.KERNEL32 ref: 000001C73966D99F
GetProcAddress.KERNEL32 ref: 000001C73966DA23
FreeLibrary.KERNEL32 ref: 000001C73966E551

Strings

system, xrefs: 000001C73966E35D
cannot use push_back() with , xrefs: 000001C73966E59F
vault, xrefs: 000001C73966E3B3

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: cannot use push_back() with $system$vault
API String ID: 2449869053-1741236777
Opcode ID: 14a44dc6fb82f75e548dc859a86869ca9b38599269f0f1e248bb3f1695781141
Instruction ID: e8fb3e88b98a8b7ff6a9a7cf72383fda23b39961ba641f4ec6b9641502dc6a77
Opcode Fuzzy Hash: 14a44dc6fb82f75e548dc859a86869ca9b38599269f0f1e248bb3f1695781141
Instruction Fuzzy Hash: 8A926972249BC4C9EB618F29E8843DD73B0F789798F105216EA9C4BB99EF74C694D700

Function 000001C739695970 Relevance: 17.8, Strings: 14, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

filename, xrefs: 000001C739696D9C, 000001C7396978E3, 000001C739698376, 000001C739698E23, 000001C739699793, 000001C739699F35, 000001C73969D5FC, 000001C73969DAE0
directory_iterator::directory_iterator, xrefs: 000001C73969A5A5, 000001C73969A853, 000001C73969A875, 000001C73969A8AD, 000001C73969CA83, 000001C73969DE23, 000001C73969F4A4, 000001C73969F78C
content, xrefs: 000001C739696EB7, 000001C7396979CA, 000001C73969845D, 000001C739698F0A, 000001C7396998AE, 000001C73969A03E, 000001C73969D6B3, 000001C73969DB94
status, xrefs: 000001C73969A5B5, 000001C73969A600, 000001C73969A6D9, 000001C73969A790, 000001C73969A863, 000001C73969A885, 000001C73969A89B, 000001C73969A8BD, 000001C73969CA99, 000001C73969DE11, 000001C73969DE33, 000001C73969DE5B, 000001C73969DE83, 000001C73969F764
cannot use push_back() with , xrefs: 000001C73969A625, 000001C73969A6FE, 000001C73969A7B5, 000001C73969DDD5
@, xrefs: 000001C739699B9B
prefs.js, xrefs: 000001C73969E5E2
key, xrefs: 000001C73969C60E, 000001C73969C740
recursive_directory_iterator::recursive_directory_iterator, xrefs: 000001C73969A68F, 000001C73969A6C9, 000001C73969A81F
recursive_directory_iterator::operator++, xrefs: 000001C73969A678, 000001C73969A745, 000001C73969A808
exists, xrefs: 000001C739695F90, 000001C73969A58E, 000001C73969A5DE, 000001C73969A6AC, 000001C73969A76E, 000001C73969A83C, 000001C73969CA70, 000001C73969D060, 000001C73969F48D, 000001C73969F779
chrome_key, xrefs: 000001C73969C851, 000001C73969C97F
., xrefs: 000001C739695C70
@, xrefs: 000001C73969A32B

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID: .$@$@$cannot use push_back() with $chrome_key$content$directory_iterator::directory_iterator$exists$filename$key$prefs.js$recursive_directory_iterator::operator++$recursive_directory_iterator::recursive_directory_iterator$status
API String ID: 0-4287193513
Opcode ID: d85864b6336acd62be5f7280330fa91da0aadc80efc30bd9caf6eb99ab158536
Instruction ID: 720f74c61f93e4ff5c9a2483f1f720ccfffacd9725e96c2e46b1988b4181123d
Opcode Fuzzy Hash: d85864b6336acd62be5f7280330fa91da0aadc80efc30bd9caf6eb99ab158536
Instruction Fuzzy Hash: F2C1AF3238ABC5C6FB608F25D4A4BED63A1F348794F546256EE99437C8DBB8C841DB40

Function 000001C7396AC600 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 173
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001C7396AF820: GetCurrentProcess.KERNEL32 ref: 000001C7396AF85B
Part of subcall function 000001C7396AF820: OpenProcessToken.ADVAPI32 ref: 000001C7396AF86E
Part of subcall function 000001C7396AF820: GetTokenInformation.ADVAPI32 ref: 000001C7396AF8AA

ExitProcess.KERNEL32 ref: 000001C7396AC647
OpenMutexA.KERNEL32 ref: 000001C7396AC762
ExitProcess.KERNEL32 ref: 000001C7396AC772
CreateMutexA.KERNEL32 ref: 000001C7396AC791
ExitProcess.KERNEL32 ref: 000001C7396AC7B7

Part of subcall function 000001C7396AFB60: GetModuleFileNameW.KERNEL32 ref: 000001C7396AFBAA

Part of subcall function 000001C7396BA780: CoInitializeEx.OLE32 ref: 000001C7396BA7EA

Strings

SeImpersonatePrivilege, xrefs: 000001C7396AC65A
SeDebugPrivilege, xrefs: 000001C7396AC64E

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Process$Exit$MutexOpenToken$CreateCurrentFileInformationInitializeModuleName
String ID: SeDebugPrivilege$SeImpersonatePrivilege
API String ID: 470559343-3768118664
Opcode ID: 82a755083252892966ab8bc9dde21b921714433f0c879b0685c854f70dbecbb4
Instruction ID: c170c42d391766621ad6b0757d2f322668293876c7caeccf35d53a6ff5e3a32a
Opcode Fuzzy Hash: 82a755083252892966ab8bc9dde21b921714433f0c879b0685c854f70dbecbb4
Instruction Fuzzy Hash: BB61B17279EAC4C1FA10AB79B455BDE63A0FB89390F403515E69E426D7EFACC440AF01

Function 000001C739664B70 Relevance: 15.3, APIs: 3, Strings: 5, Instructions: 1343registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 000001C73966509B
RegQueryValueExA.ADVAPI32 ref: 000001C7396650E9
RegCloseKey.ADVAPI32 ref: 000001C739665186

Strings

filename, xrefs: 000001C73966549A, 000001C739665A28, 000001C739665F59
directory_iterator::directory_iterator, xrefs: 000001C739666441
content, xrefs: 000001C7396655A3, 000001C739665BF6, 000001C739666120
status, xrefs: 000001C739666403, 000001C739666413
exists, xrefs: 000001C739666398, 000001C7396663E3, 000001C73966647A

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: content$directory_iterator::directory_iterator$exists$filename$status
API String ID: 3677997916-3429737954
Opcode ID: fe3211bc73b06561a5331d7d63e42b42732aa675f08c187653434cd3505a4dd2
Instruction ID: 611147b014fdd2c15e4c6b5fdd12a3d9b7623d51b15bcf9e43fe7356d2f7c9c5
Opcode Fuzzy Hash: fe3211bc73b06561a5331d7d63e42b42732aa675f08c187653434cd3505a4dd2
Instruction Fuzzy Hash: 16E29E72659BC0CAEB619F34D880BDD33A4F785798F506216EA9C4BAD9DFB4C680D700

Function 000001C739662CA0 Relevance: 14.8, APIs: 3, Strings: 5, Instructions: 789
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 000001C739663022
RegQueryValueExA.ADVAPI32 ref: 000001C73966306A
RegCloseKey.ADVAPI32 ref: 000001C7396630F7

Strings

filename, xrefs: 000001C739663500
directory_iterator::directory_iterator, xrefs: 000001C7396639DD
content, xrefs: 000001C739663694
status, xrefs: 000001C7396639F9
exists, xrefs: 000001C7396639BE

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: content$directory_iterator::directory_iterator$exists$filename$status
API String ID: 3677997916-3429737954
Opcode ID: 6b76c364891b896342186e2f3d38f0c0b407971aaf84533d3eb8fdecf1b57304
Instruction ID: a4d0ac114091876dea0de3bec942f77f277ec3900077ed6944b7d11f415eee74
Opcode Fuzzy Hash: 6b76c364891b896342186e2f3d38f0c0b407971aaf84533d3eb8fdecf1b57304
Instruction Fuzzy Hash: BA827A72656BC4CAEB208F35D880BDD73A0F789798F106216EA9D07BD9EB74C584DB40

Function 000001C7396D2E3C Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 335
timeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 000001C7396D2E81

Part of subcall function 000001C7396D24E8: _invalid_parameter_noinfo.LIBCMT ref: 000001C7396D24FC

Part of subcall function 000001C7396CD3C8: HeapFree.KERNEL32 ref: 000001C7396CD3DE
Part of subcall function 000001C7396CD3C8: GetLastError.KERNEL32 ref: 000001C7396CD3E8

Part of subcall function 000001C7396DBA84: _invalid_parameter_noinfo.LIBCMT ref: 000001C7396DB9CF

_get_daylight.LIBCMT ref: 000001C7396D2E70

Part of subcall function 000001C7396D2548: _invalid_parameter_noinfo.LIBCMT ref: 000001C7396D255C

_get_daylight.LIBCMT ref: 000001C7396D30E6
_get_daylight.LIBCMT ref: 000001C7396D30F7
_get_daylight.LIBCMT ref: 000001C7396D3108
GetTimeZoneInformation.KERNEL32 ref: 000001C7396D312F

Strings

Eastern Summer Time, xrefs: 000001C7396D31ED
Eastern Standard Time, xrefs: 000001C7396D31D5

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 355007559-239921721
Opcode ID: 6ff4704e37b1592320c13e659d1f856dd22dc212be1b833c6838491f576543a9
Instruction ID: 76a88964cf3d299cd67d623ccdc9bc253b62818f548754008b3abb40c37ad81b
Opcode Fuzzy Hash: 6ff4704e37b1592320c13e659d1f856dd22dc212be1b833c6838491f576543a9
Instruction Fuzzy Hash: 8DD1B23374A2C0C6F724EF36D850FE96761F784788F846125EE6A476C6DBB8C451AB40

Function 000001C7396B5240 Relevance: 13.9, APIs: 9, Instructions: 408
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET ref: 000001C7396B540B
InternetOpenUrlA.WININET ref: 000001C7396B54E8
HttpQueryInfoW.WININET ref: 000001C7396B5549
HttpQueryInfoW.WININET ref: 000001C7396B55E2
InternetQueryDataAvailable.WININET ref: 000001C7396B5626
InternetReadFile.WININET ref: 000001C7396B56E9
InternetQueryDataAvailable.WININET ref: 000001C7396B57B4
InternetCloseHandle.WININET ref: 000001C7396B585E
Concurrency::cancel_current_task.LIBCPMT ref: 000001C7396B58BB

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Internet$Query$AvailableDataHttpInfoOpen$CloseConcurrency::cancel_current_taskFileHandleRead
String ID:
API String ID: 1475545111-0
Opcode ID: b4a67bf27b190389b47e20fe4808ec14f8bc7091f1142d39328f3268e31cbe3f
Instruction ID: b269a0530c4065a22d6ea726c7730a34dd975cab9517b3f1f9138a4e54365ff9
Opcode Fuzzy Hash: b4a67bf27b190389b47e20fe4808ec14f8bc7091f1142d39328f3268e31cbe3f
Instruction Fuzzy Hash: 1E026C32B59BD486FB10CB6AE84079E77A5F785794F105215EE9817BE8EFB8C080DB00

Function 000001C7396F0658 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001C7396F023C: _invalid_parameter_noinfo.LIBCMT ref: 000001C7396F027D
Part of subcall function 000001C7396F023C: _invalid_parameter_noinfo.LIBCMT ref: 000001C7396F02FB
Part of subcall function 000001C7396F023C: _invalid_parameter_noinfo.LIBCMT ref: 000001C7396F034C

CreateFileW.KERNEL32 ref: 000001C7396F075E
CreateFileW.KERNEL32 ref: 000001C7396F07AE
GetLastError.KERNEL32 ref: 000001C7396F07DE
GetFileType.KERNEL32 ref: 000001C7396F07F3
GetLastError.KERNEL32 ref: 000001C7396F07FD
CloseHandle.KERNEL32 ref: 000001C7396F0830
CloseHandle.KERNEL32 ref: 000001C7396F0993
CreateFileW.KERNEL32 ref: 000001C7396F09C8
GetLastError.KERNEL32 ref: 000001C7396F09D7

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 9219a76bbf5b0a68fd8075754a2c2160bfaa822f6e476498c8a23ea95eed312f
Instruction ID: 8bbc6966212b06543c08442a2751461a05f71403d1b6d9ad5507e543e2002d7a
Opcode Fuzzy Hash: 9219a76bbf5b0a68fd8075754a2c2160bfaa822f6e476498c8a23ea95eed312f
Instruction Fuzzy Hash: 72C1AC3672AAC0C6FB10CFA9D490AAC3761F389BA8F112205DE2B9B3D5DB74C051DB40

Function 000001C739696350 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

directory_iterator::directory_iterator, xrefs: 000001C73969A853, 000001C73969A875, 000001C73969A8AD
status, xrefs: 000001C73969A600, 000001C73969A6D9, 000001C73969A790, 000001C73969A863, 000001C73969A885, 000001C73969A89B, 000001C73969A8BD
recursive_directory_iterator::recursive_directory_iterator, xrefs: 000001C73969A68F, 000001C73969A6C9, 000001C73969A81F
recursive_directory_iterator::operator++, xrefs: 000001C73969A678, 000001C73969A745, 000001C73969A808
exists, xrefs: 000001C73969A5DE, 000001C73969A6AC, 000001C73969A76E, 000001C73969A83C
cannot use push_back() with , xrefs: 000001C73969A625, 000001C73969A6FE, 000001C73969A7B5

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: __std_fs_convert_wide_to_narrow$__std_fs_code_page
String ID: cannot use push_back() with $directory_iterator::directory_iterator$exists$recursive_directory_iterator::operator++$recursive_directory_iterator::recursive_directory_iterator$status
API String ID: 3645842244-1862120484
Opcode ID: cd1bca6a5a41ade10dfd5961f74e5b4551cb376a021ab083342a08ad147c1b4d
Instruction ID: ab347daf76322d60c813669958c1101b6815bb291d0b1b323a39a91789a242ae
Opcode Fuzzy Hash: cd1bca6a5a41ade10dfd5961f74e5b4551cb376a021ab083342a08ad147c1b4d
Instruction Fuzzy Hash: 45D22372649BC885E6708B19F88179BB3A0F7D8784F406215EACC53B99EBBCC254DF44

Function 000001C7396620B0 Relevance: 12.9, APIs: 3, Strings: 4, Instructions: 684
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 000001C739662409
RegQueryValueExA.ADVAPI32 ref: 000001C73966244E
RegCloseKey.ADVAPI32 ref: 000001C7396624F7

Strings

filename, xrefs: 000001C739662787
directory_iterator::directory_iterator, xrefs: 000001C739662C64
content, xrefs: 000001C739662915
exists, xrefs: 000001C739662C42

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: content$directory_iterator::directory_iterator$exists$filename
API String ID: 3677997916-1400943384
Opcode ID: cb9aa58938da6b49ba1894efae24ecc9cf9ba2f97e2b10405ece78056545280d
Instruction ID: 5fa06d033edec128e9043241f716cc7f1a4d29561e679b7e0f4d11643d9bd7a2
Opcode Fuzzy Hash: cb9aa58938da6b49ba1894efae24ecc9cf9ba2f97e2b10405ece78056545280d
Instruction Fuzzy Hash: D7729C72655BC4C9EB208F35D8807DD37A0F789798F10A216EA9D4BB99DFB8C680D740

Function 000001C7396AF020 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 451
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileSize.KERNEL32 ref: 000001C7396AF261
SetFilePointer.KERNEL32 ref: 000001C7396AF314
ReadFile.KERNEL32 ref: 000001C7396AF343

Strings

ios_base::eofbit set, xrefs: 000001C7396AF784
ios_base::failbit set, xrefs: 000001C7396AF77D
exists, xrefs: 000001C7396AF7CA
ios_base::badbit set, xrefs: 000001C7396AF771, 000001C7396AF7EF

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: File$PointerReadSize
String ID: exists$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 404940565-15404121
Opcode ID: 0f732557667016ad2f44b27ad5f7d812f2ea60c8c16fe37747896be402b60ec8
Instruction ID: db451c0e69207022ddd3526407c1179973b61095c5f8940ee9361c483c5625d8
Opcode Fuzzy Hash: 0f732557667016ad2f44b27ad5f7d812f2ea60c8c16fe37747896be402b60ec8
Instruction Fuzzy Hash: 64322472759BC4C9EB20CF34E880BDD37A5F784B88F509216DA4D4BA99EBB4C644DB01

Function 000001C7396D30B8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 000001C7396D30E6

Part of subcall function 000001C7396D2548: _invalid_parameter_noinfo.LIBCMT ref: 000001C7396D255C

_get_daylight.LIBCMT ref: 000001C7396D30F7

Part of subcall function 000001C7396D24E8: _invalid_parameter_noinfo.LIBCMT ref: 000001C7396D24FC

_get_daylight.LIBCMT ref: 000001C7396D3108

Part of subcall function 000001C7396D2518: _invalid_parameter_noinfo.LIBCMT ref: 000001C7396D252C

Part of subcall function 000001C7396CD3C8: HeapFree.KERNEL32 ref: 000001C7396CD3DE
Part of subcall function 000001C7396CD3C8: GetLastError.KERNEL32 ref: 000001C7396CD3E8

GetTimeZoneInformation.KERNEL32 ref: 000001C7396D312F

Strings

Eastern Summer Time, xrefs: 000001C7396D31ED
Eastern Standard Time, xrefs: 000001C7396D31D5

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 12951480f3fe79566017d45e51369301be5158125170c6a9e6aaf334c955a331
Instruction ID: 5531e4c91dff5dfc47062e49b95417d03aca263c71e65a840035af519b57a6af
Opcode Fuzzy Hash: 12951480f3fe79566017d45e51369301be5158125170c6a9e6aaf334c955a331
Instruction Fuzzy Hash: 67518F337596C0C6F720EF35E980ED96760F788788F84612AEA59436D6DBB8C410AF40

Function 000001C7396C918C Relevance: 9.2, APIs: 6, Instructions: 227COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C91AE
_get_daylight.LIBCMT ref: 000001C7396C920E
_get_daylight.LIBCMT ref: 000001C7396C921F
_get_daylight.LIBCMT ref: 000001C7396C9230
_isindst.LIBCMT ref: 000001C7396C9281
_isindst.LIBCMT ref: 000001C7396C92D4

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
String ID:
API String ID: 1405656091-0
Opcode ID: cd6fea744430340711cd49b3e9bdbfdb1b852b0eb5a7692198664b91c055b650
Instruction ID: 7802895a1f119d8e150e7b9764706fa8318a50834b37a36f0566dc5d27e507ce
Opcode Fuzzy Hash: cd6fea744430340711cd49b3e9bdbfdb1b852b0eb5a7692198664b91c055b650
Instruction Fuzzy Hash: 6081F8B37052C5CBFB588F24C905BE833A5F754B88F04A029EA498A7C9EB78D951DF40

Function 000001C739679F80 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 417COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 000001C73967A134
__std_exception_destroy.LIBVCRUNTIME ref: 000001C73967A142
__std_exception_destroy.LIBVCRUNTIME ref: 000001C73967A3C5
__std_exception_destroy.LIBVCRUNTIME ref: 000001C73967A3D3

Strings

value, xrefs: 000001C73967A05A, 000001C73967A2F3

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: __std_exception_destroy
String ID: value
API String ID: 2453523683-494360628
Opcode ID: 7afc2a118a2f97ee2e1dbb668883972f551b5140c0b1444d4a8b68e0e24547db
Instruction ID: fcf920abbfaf1a21685a328999ca1903a3a0b8e8d04413d46b07ffd90ba2c958
Opcode Fuzzy Hash: 7afc2a118a2f97ee2e1dbb668883972f551b5140c0b1444d4a8b68e0e24547db
Instruction Fuzzy Hash: 30029F7276ABC0C5FB10CB74E8847ED6761F7857A4F106215FA9D02ADADBB9C184DB00

Function 000001C73966E610 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 328processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000001C73966E65A
Process32FirstW.KERNEL32 ref: 000001C73966E69C
Process32NextW.KERNEL32 ref: 000001C73966E893
CloseHandle.KERNEL32 ref: 000001C73966EB0A

Strings

[PID: , xrefs: 000001C73966E6DE

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: [PID:
API String ID: 420147892-2210602247
Opcode ID: da2514e2a50d607937f4d0c845f87deea6a217878e7a1236ca67ab02a7d76dd4
Instruction ID: ed45e55f8a4b1fffdf50c696be9afdf25c53ffbf9b9baf02b9a336f2e61d1b4e
Opcode Fuzzy Hash: da2514e2a50d607937f4d0c845f87deea6a217878e7a1236ca67ab02a7d76dd4
Instruction Fuzzy Hash: 60E1C172659BC0C6EB21CB25E8847DE77A1F3897A4F506215EA9D07BD9DFB8C240DB00

Function 000001C7396BB9B0 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000001C7396BB9FE
OpenProcessToken.ADVAPI32 ref: 000001C7396BBA11
LookupPrivilegeValueW.ADVAPI32 ref: 000001C7396BBA32
AdjustTokenPrivileges.ADVAPI32 ref: 000001C7396BBA78
CloseHandle.KERNEL32 ref: 000001C7396BBA98

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: d2de06470b4ed8e39d37734a47601b9eff7cf65b32299141bc4bcc42cf026e17
Instruction ID: ebc5106c2b26e914fc09de93aa3a9ccda52d5c6d3c3b66d36c513e66ff763ced
Opcode Fuzzy Hash: d2de06470b4ed8e39d37734a47601b9eff7cf65b32299141bc4bcc42cf026e17
Instruction Fuzzy Hash: 39217332259BC086F760CF22F84878AB3A0F788B80F555125EA8943B98DFBDC544DB40

Function 000001C73969D080 Relevance: 6.8, Strings: 5, Instructions: 599COMMON

Download Yara Rule

Strings

directory_iterator::directory_iterator, xrefs: 000001C73969DE23, 000001C73969F4A4
prefs.js, xrefs: 000001C73969E5E2
status, xrefs: 000001C73969DE11, 000001C73969DE33, 000001C73969DE5B, 000001C73969DE83
exists, xrefs: 000001C73969F48D
cannot use push_back() with , xrefs: 000001C73969DDD5

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID: cannot use push_back() with $directory_iterator::directory_iterator$exists$prefs.js$status
API String ID: 0-2713369562
Opcode ID: 250213ee893bbf7e2e88070c249904ea97ff6f4a3dec7fb2de0204bbbaae5af1
Instruction ID: ecb4be6582872c0f78fe35171ea5ce707833420cb6e458fb450a2b014a13b7b0
Opcode Fuzzy Hash: 250213ee893bbf7e2e88070c249904ea97ff6f4a3dec7fb2de0204bbbaae5af1
Instruction Fuzzy Hash: 5252367224AFC494E6B19B15F8817DEB3A4F7C9780F506226DACC42B99EF78C194DB00

Function 000001C73966CA10 Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 671COMMON

Download Yara Rule

APIs

CredEnumerateA.ADVAPI32 ref: 000001C73966CA72
CredFree.ADVAPI32 ref: 000001C73966D496

Strings

cannot use push_back() with , xrefs: 000001C73966D4E4

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Cred$EnumerateFree
String ID: cannot use push_back() with
API String ID: 3403564193-4122110429
Opcode ID: 199add8d0e2bc265c88e3562f9ca6a0166586038291029f513a5964dfa5a37f3
Instruction ID: 2b36d5635a6855963407b00a4225a351a2cb4b2e6c59f7a1692d3e63fa225d17
Opcode Fuzzy Hash: 199add8d0e2bc265c88e3562f9ca6a0166586038291029f513a5964dfa5a37f3
Instruction Fuzzy Hash: 6A628D73649BC0C9EB208F24E8807DD77A0F789798F506215EAAC17BD9DB78C284DB40

Function 000001C7396B76A0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 217timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32 ref: 000001C7396B79D0

Strings

[UTC, xrefs: 000001C7396B79A3

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: InformationTimeZone
String ID: [UTC
API String ID: 565725191-1715286942
Opcode ID: de80adb858a2cb87177607bd567b5d3f67dece91724860684e3a46072110df29
Instruction ID: 6ba0d3e267f58661f067b0c14a76bcf5822a7a10d44e4e03324fcf8cbda7e247
Opcode Fuzzy Hash: de80adb858a2cb87177607bd567b5d3f67dece91724860684e3a46072110df29
Instruction Fuzzy Hash: A1B15B32619FC88AE7718F29E8416DAB7A0F78C788F105315EACC57B59EB78C250CB40

Function 000001C7396A7BA0 Relevance: 3.1, APIs: 2, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 000001C7396A7BF8
LocalFree.KERNEL32 ref: 000001C7396A7C8A

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: 3f0d2640eba4d0f7871c2ec703edcb503dbe0d7ea7d03094cd3af9045bbe76bf
Instruction ID: 461b788f602116c7971485485d3c28d409236e491b396eb507f9e77355cd4187
Opcode Fuzzy Hash: 3f0d2640eba4d0f7871c2ec703edcb503dbe0d7ea7d03094cd3af9045bbe76bf
Instruction Fuzzy Hash: 11412632758BC0CEF3208F74E4407DD37A4F75978CF446229AA8906E8ADBB9C6A49744

Function 000001C7396B73F0 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32 ref: 000001C7396B7461

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: DriveLogicalStrings
String ID:
API String ID: 2022863570-0
Opcode ID: 6d1ffa6fec0003b0fbd489ce7d38838dc3c2be19604cc3c090430bd7da8d485f
Instruction ID: 3f734d25665c16c381ea34395ef2b4541b2015872dfd99a29391eb7f0fc77cc8
Opcode Fuzzy Hash: 6d1ffa6fec0003b0fbd489ce7d38838dc3c2be19604cc3c090430bd7da8d485f
Instruction Fuzzy Hash: 49519D32A49BC0C2F7108F29E48479E7775F784798F106205EA9813BE9EBB8D591EB40

Function 000001C7396B6150 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 000001C7396B6195

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: abf913a544c6f9fdd308559da787f240108ca61f3614bb29fccc85bbbd2848d6
Instruction ID: 70f1b79e2adcd01699e48a00a0191970762a18392bbf622010d0428e2adbd166
Opcode Fuzzy Hash: abf913a544c6f9fdd308559da787f240108ca61f3614bb29fccc85bbbd2848d6
Instruction Fuzzy Hash: 56016D326587C082EB61DF25F8407DEB3A4FB98788F441225EA8D42689DBBCC194DF40

Function 000001C7396B6860 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

cores, xrefs: 000001C7396B6ABE

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID: cores
API String ID: 0-2370456839
Opcode ID: 4782d8ae142df3fbbe1f402b8ea7f4404a3f62688b4ed6ff569a3e717857d12b
Instruction ID: 408996e5bed6b8dea7542ab5089e923243c778575dcd36b75306e3550e3904d2
Opcode Fuzzy Hash: 4782d8ae142df3fbbe1f402b8ea7f4404a3f62688b4ed6ff569a3e717857d12b
Instruction Fuzzy Hash: 35C1E073B49BC08AFB10DB79D4417DD7761F3997A8F106305EAA812ADADBB8C281D740

Function 000001C7396BD050 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

\u%04x, xrefs: 000001C7396BD242

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID: \u%04x
API String ID: 0-2916071157
Opcode ID: 9e27fdddd87e487503e9d89886da6c1f4bc39dabfcea7ce3971d64c145b27d8a
Instruction ID: 1d08f8b7dbd3b503f5f1419a1c4ff3785664022080557a81569859bc8f30edc6
Opcode Fuzzy Hash: 9e27fdddd87e487503e9d89886da6c1f4bc39dabfcea7ce3971d64c145b27d8a
Instruction Fuzzy Hash: DC81F2B374A6C4C2FA54DB26D560BEE6760F785B80F846022DB4A077D6EBB8C515EB00

Function 000001C7396BC5CB Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

": , xrefs: 000001C7396BC6B1, 000001C7396BC75E

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID: ":
API String ID: 0-3662656813
Opcode ID: 623d0e739afdfe6c4eb05fdf86bf9dc96b8be9e4523e5d2b3e11945a2a75cf4e
Instruction ID: 446edb732c82a38d48fe0a9e52a343e4194441cb51684baaf30ca00c8c788555
Opcode Fuzzy Hash: 623d0e739afdfe6c4eb05fdf86bf9dc96b8be9e4523e5d2b3e11945a2a75cf4e
Instruction Fuzzy Hash: 2D911576308AC5C1EB209F2AD194B9D63A1F788FC8F40A002CB5E4BBA5DF79C559DB01

Function 000001C739675310 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 000001C739675399

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
API String ID: 0-1713319389
Opcode ID: a7242879f608aa47813c865fc74e262a7c273f84777ad565790803f492419e94
Instruction ID: d78df7ef99690c5c2c3e91c23d6c458a63d9ecc98c695961cf6dd8ba1458b15d
Opcode Fuzzy Hash: a7242879f608aa47813c865fc74e262a7c273f84777ad565790803f492419e94
Instruction Fuzzy Hash: 3E41D47361E6E04AE702CB3984113BD7FB2E366B89F1C9192E7D48775AD62DC206DB10

Function 000001C73966ECB0 Relevance: .7, Instructions: 715COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f91c036b848660344979b7fee74d045a30220520900a35ae3b78e510eb5fae8
Instruction ID: 29abebb5da6b6a3de562b2ad83df54bb91574019b5c06a1d3c869a3db86ba8b8
Opcode Fuzzy Hash: 5f91c036b848660344979b7fee74d045a30220520900a35ae3b78e510eb5fae8
Instruction Fuzzy Hash: A3726B72659BC4C9EB208B69E8807DE73B5F789798F106315EADC17B99DB78C240DB00

Function 000001C73965F730 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b1d3d8c1ff6df015164b1f67f73bf15ff1b8f8e9c9c871f04261440ddcc325
Instruction ID: 46036907cd78dddf8e28436bd24ca010fd7cd8f7fa7ce061afc38999e5d25e18
Opcode Fuzzy Hash: 00b1d3d8c1ff6df015164b1f67f73bf15ff1b8f8e9c9c871f04261440ddcc325
Instruction Fuzzy Hash: 0EF17172A19FC4CAEB208B69E44139E77A4F78C798F101315EEDC57B99EB78C1909B00

Function 000001C739660450 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e974bc6abc71f49e1c7373c8faf163cbc5ba19ef6d2c8e91e87d7e265f7007
Instruction ID: 018a21416ba903c822349ef1f38edc77bfda30fb4b941722885371c8f95855c6
Opcode Fuzzy Hash: 87e974bc6abc71f49e1c7373c8faf163cbc5ba19ef6d2c8e91e87d7e265f7007
Instruction Fuzzy Hash: F0F16072A59FC88AEB208B69E44039D77B0F78C798F101315EEDC57B99EB78C1909B40

Function 000001C73965FE20 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cada13f10c4d7d4a8bd3881dce51d167af1f29721fa899a39b3ac1a4c8550cb
Instruction ID: a58f65166411960c0a334cd6e7b5a8c5758d4470450c0c6bd4861b33c6f7ea5f
Opcode Fuzzy Hash: 8cada13f10c4d7d4a8bd3881dce51d167af1f29721fa899a39b3ac1a4c8550cb
Instruction Fuzzy Hash: 5CF15F72609FC88AEB608B69E48039D77B4F78C798F105315EEDC57B99EB78C1909B40

Function 000001C739661B90 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cada6a5b7e8a7cae4888a235f98ce17bc4ee4fe26c1b4970d68a984a1361966d
Instruction ID: c5fbff3a009bf1ecdfaef477241777ec592ed25ac7f3a10f7f5c287cc8122736
Opcode Fuzzy Hash: cada6a5b7e8a7cae4888a235f98ce17bc4ee4fe26c1b4970d68a984a1361966d
Instruction Fuzzy Hash: AED16672B49BC0D9F701CBB8D4407ED37B6B75978CF016215AA8C26ADADBB4D190D384

Function 000001C7396AEBF0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 194
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001C7396AE970: InitializeCriticalSectionEx.KERNEL32 ref: 000001C7396AE9C1
Part of subcall function 000001C7396AE970: GetLastError.KERNEL32 ref: 000001C7396AE9CB

EnterCriticalSection.KERNEL32 ref: 000001C7396AEC31
GdiplusStartup.GDIPLUS ref: 000001C7396AEC58
LeaveCriticalSection.KERNEL32 ref: 000001C7396AEC66
LeaveCriticalSection.KERNEL32 ref: 000001C7396AEC94
GdipGetImageEncodersSize.GDIPLUS ref: 000001C7396AECA2
GdipGetImageEncoders.GDIPLUS ref: 000001C7396AED36
GdipCreateBitmapFromScan0.GDIPLUS ref: 000001C7396AEE00
GdipSaveImageToStream.GDIPLUS ref: 000001C7396AEE1E
GdipDisposeImage.GDIPLUS ref: 000001C7396AEE83
GdipDisposeImage.GDIPLUS ref: 000001C7396AEE97

Strings

&, xrefs: 000001C7396AEDFA

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Gdip$Image$CriticalSection$DisposeEncodersLeave$BitmapCreateEnterErrorFromGdiplusInitializeLastSaveScan0SizeStartupStream
String ID: &
API String ID: 1703174404-3042966939
Opcode ID: a8acf4c30521e0b103c2fcdde0fb3c4e475dd063595cef953f87abbe68ddc33c
Instruction ID: 8d727a1276799a7ff2936deaea9b89bd975a819468797d8147c0338ad9c16e61
Opcode Fuzzy Hash: a8acf4c30521e0b103c2fcdde0fb3c4e475dd063595cef953f87abbe68ddc33c
Instruction Fuzzy Hash: 8C9189B2745BC0CAFB218F21E804BDC37A4F758B98F44A615EA4947BD4DBB8C591EB40

Function 000001C7396AFCA0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 226
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001C7396B58D0: GetUserGeoID.KERNEL32 ref: 000001C7396B58F7
Part of subcall function 000001C7396B58D0: GetGeoInfoA.KERNEL32 ref: 000001C7396B5911
Part of subcall function 000001C7396B58D0: GetGeoInfoA.KERNEL32 ref: 000001C7396B5961

WSAStartup.WS2_32 ref: 000001C7396AFDBE
socket.WS2_32 ref: 000001C7396AFDDB
htons.WS2_32 ref: 000001C7396AFE00
inet_pton.WS2_32 ref: 000001C7396AFE42
connect.WS2_32 ref: 000001C7396AFE5C
closesocket.WS2_32 ref: 000001C7396AFE7B
WSACleanup.WS2_32 ref: 000001C7396AFE81

Strings

system, xrefs: 000001C7396AFD2A
geo, xrefs: 000001C7396AFD6B

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Info$CleanupStartupUserclosesocketconnecthtonsinet_ptonsocket
String ID: geo$system
API String ID: 213021568-2364779556
Opcode ID: a6ab0192a73360814eb1b46789744ea8c9602dadba190edcdf2b6ee58bf4112f
Instruction ID: 6b44ab6a21793ffc472ff80d3ccd63629d38429a0c43bc705ac4ad4511ecfd91
Opcode Fuzzy Hash: a6ab0192a73360814eb1b46789744ea8c9602dadba190edcdf2b6ee58bf4112f
Instruction Fuzzy Hash: ADB1DFB2B9AAC0C5FB009B75E8847DC3372BB44798F406216DA58177E9DFB4C446EB40

Function 000001C7396D092C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001C7396D0D59

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8d4d1184268d38eb40f1b2f8de77a3be335aedca5c603a4bb4196d88dea7cd4c
Instruction ID: b681ae3508ff8b17ebc35a324d4acd75607865b14ef06ad04ae009ef31b3f98b
Opcode Fuzzy Hash: 8d4d1184268d38eb40f1b2f8de77a3be335aedca5c603a4bb4196d88dea7cd4c
Instruction Fuzzy Hash: 9CC1C13334EAC4D2F7619B159404BED7B64F385B84F952111EA6A077D2CBF9C865AF00

Function 000001C7396AEA50 Relevance: 9.0, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 000001C7396AEA93
EnterCriticalSection.KERNEL32 ref: 000001C7396AEAA5
EnterCriticalSection.KERNEL32 ref: 000001C7396AEAB5
GdiplusShutdown.GDIPLUS ref: 000001C7396AEAC3
LeaveCriticalSection.KERNEL32 ref: 000001C7396AEAD0
LeaveCriticalSection.KERNEL32 ref: 000001C7396AEADA

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
String ID:
API String ID: 4268643673-0
Opcode ID: 1b7b61a38a63b081bff35aca47e28058416965252d8064730de28877217ecf05
Instruction ID: 47d330888c3858732c840fa5193774f5526fdcbfd35b70cb77be9639415cc76b
Opcode Fuzzy Hash: 1b7b61a38a63b081bff35aca47e28058416965252d8064730de28877217ecf05
Instruction Fuzzy Hash: 5A1149B2206BC0C1FB508F25F84858D7364FB44FA4B685215DA5E023E4CF74C896CB40

Function 000001C7396D4FB8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001C7396D4FDD
GetProcAddress.KERNEL32 ref: 000001C7396D4FF3
FreeLibrary.KERNEL32 ref: 000001C7396D501A

Strings

mscoree.dll, xrefs: 000001C7396D4FD4
CorExitProcess, xrefs: 000001C7396D4FEC

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 780b3f1f3aecbe1eb4b75bb10cd40d76e1f940e32b271abccdf7c11bca0f4dbd
Instruction ID: d64d30d51fbc3061be87d6b7c93122617dacc7d6d840729a0b557383a94e9add
Opcode Fuzzy Hash: 780b3f1f3aecbe1eb4b75bb10cd40d76e1f940e32b271abccdf7c11bca0f4dbd
Instruction Fuzzy Hash: 41F0C271359AC081FB548B34F85CB9A5330BB897E5F942215D569467E4CFBCC044AB41

Function 000001C7396B4A30 Relevance: 6.4, APIs: 4, Instructions: 417networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 000001C7396B4C0C
recv.WS2_32 ref: 000001C7396B50EC
closesocket.WS2_32 ref: 000001C7396B50FE
WSACleanup.WS2_32 ref: 000001C7396B5104

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: recv$Cleanupclosesocket
String ID:
API String ID: 146070474-0
Opcode ID: 69107cf426781341a2e41c1d67e247645d907e89b754311159d9a63ffe30949a
Instruction ID: 9309911f55ad82a6d9f831c551e08f5e4b903188fdba598f847ab76d4fe7b783
Opcode Fuzzy Hash: 69107cf426781341a2e41c1d67e247645d907e89b754311159d9a63ffe30949a
Instruction Fuzzy Hash: B6128F7275EBC0C1FA219B25E4547DEA761F7C9790F506601EAED06ADADFB8C480EB00

Function 000001C7396B6460 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegGetValueA.ADVAPI32 ref: 000001C7396B64C9

Strings

ProductName, xrefs: 000001C7396B64B4
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 000001C7396B64BB

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Value
String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 3702945584-1787575317
Opcode ID: 90eba9bd83b4afa86cd2ee236f153541bf9db5d3659e4be9251c3f7309c160e5
Instruction ID: d685a2cd351974933b67899b5315c6ba9c8c3eff564dabc1f1bc924925c57049
Opcode Fuzzy Hash: 90eba9bd83b4afa86cd2ee236f153541bf9db5d3659e4be9251c3f7309c160e5
Instruction Fuzzy Hash: AA114932258BC0C2EB209F26F4457DAB3A4F789788F505215EA9847B99DFBCC155CB40

Function 000001C7396B4DB7 Relevance: 4.7, APIs: 3, Instructions: 182networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 000001C7396B50EC
closesocket.WS2_32 ref: 000001C7396B50FE
WSACleanup.WS2_32 ref: 000001C7396B5104

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Cleanupclosesocketrecv
String ID:
API String ID: 3447645871-0
Opcode ID: 1428a4937e1200ee8cfabd98a676664139f9ae8229762a649129d206fd801dd7
Instruction ID: 5d7899e8febf70b593b2ec6022385371df3d15b0178f5efaa0d17685775b517b
Opcode Fuzzy Hash: 1428a4937e1200ee8cfabd98a676664139f9ae8229762a649129d206fd801dd7
Instruction Fuzzy Hash: 1D917273B59BC081FA219B25E4547DE6761F7C97A0F506301EAAD07ADADFB8C480EB40

Function 000001C7396B7151 Relevance: 4.7, APIs: 3, Instructions: 163registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 000001C7396B7169
RegEnumKeyExA.ADVAPI32 ref: 000001C7396B71AE
RegCloseKey.ADVAPI32 ref: 000001C7396B73A4

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID:
API String ID: 1332880857-0
Opcode ID: f249cb42c950096d26dc0d057bbba42e729bfaf06fe9d1dc04dbc244377eada0
Instruction ID: 1355536c7f42ec6d276555fb7d93c2f559db170d3d3c7bbc4f9962e95d800e3c
Opcode Fuzzy Hash: f249cb42c950096d26dc0d057bbba42e729bfaf06fe9d1dc04dbc244377eada0
Instruction Fuzzy Hash: 88718E72B49BC4C5FB10CB69E484B9D6760F7857A8F102205EEA913BD9DBB8C180EB40

Function 000001C7396B70E0 Relevance: 4.6, APIs: 3, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 000001C7396B7169
RegEnumKeyExA.ADVAPI32 ref: 000001C7396B71AE

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: EnumOpen
String ID:
API String ID: 3231578192-0
Opcode ID: d80f14cf87453080268adb68deae75d6ba4fc3d7dfc0e44dc0fd8621660a0c44
Instruction ID: 2931f50a5a0c7025d6acc71c888a2013267456228b7fae8b03818602072bc582
Opcode Fuzzy Hash: d80f14cf87453080268adb68deae75d6ba4fc3d7dfc0e44dc0fd8621660a0c44
Instruction Fuzzy Hash: 07318E32755BC586F7208F66E844B9E7364F744798F202215EE9917B94DFB8C191DB00

Function 000001C7396B6E1B Relevance: 4.6, APIs: 3, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 000001C7396B6E37
RegQueryValueExA.ADVAPI32 ref: 000001C7396B6E76
RegCloseKey.ADVAPI32 ref: 000001C7396B6F14

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: e6e20b6881fdb82b6bb8d29f90d5c6c0788c1c11a5e2a06e5560558ee525252f
Instruction ID: 20e079501be3325cb0f5eb3d727fdff341991a4797cabef1fec0f65107a71f20
Opcode Fuzzy Hash: e6e20b6881fdb82b6bb8d29f90d5c6c0788c1c11a5e2a06e5560558ee525252f
Instruction Fuzzy Hash: 6321C272759BC081FE609B26F480B9EA761FBC57E4F506211EA8D42AD9EE68C084DB00

Function 000001C7396B58D0 Relevance: 4.6, APIs: 3, Instructions: 50COMMON

Download Yara Rule

APIs

GetUserGeoID.KERNEL32 ref: 000001C7396B58F7
GetGeoInfoA.KERNEL32 ref: 000001C7396B5911
GetGeoInfoA.KERNEL32 ref: 000001C7396B5961

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Info$User
String ID:
API String ID: 2017065092-0
Opcode ID: 877c1b4e073b3a87c3d7ac6068cbd316133fc0437c9f32c249d117db553f0db1
Instruction ID: ab0d5f38cf2f5f9dfb92e4573731192d597f97091e628c6dea782963f83a4996
Opcode Fuzzy Hash: 877c1b4e073b3a87c3d7ac6068cbd316133fc0437c9f32c249d117db553f0db1
Instruction Fuzzy Hash: 63119D72A187C182E7109F62F814B9EB3A2F780BC8F046125EB8503B99DFBCD4908B45

Function 000001C7396AF820 Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000001C7396AF85B
OpenProcessToken.ADVAPI32 ref: 000001C7396AF86E
GetTokenInformation.ADVAPI32 ref: 000001C7396AF8AA

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ProcessToken$CurrentInformationOpen
String ID:
API String ID: 2743777493-0
Opcode ID: 1c225c442ed3ae12c114120d81f2afce391d37106ff629cfd40a7a8c2f449ed4
Instruction ID: 026893953560051cfa11c6b597f35d00b1f832a74283376f6abb1aec56fad259
Opcode Fuzzy Hash: 1c225c442ed3ae12c114120d81f2afce391d37106ff629cfd40a7a8c2f449ed4
Instruction Fuzzy Hash: A6111C72659BC082F7509F22F84478AB3B4F789B80F546125EA9947BA8CF7CC415CF41

Function 000001C7396D4F60 Relevance: 4.5, APIs: 3, Instructions: 15COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000001C7396D4F71
TerminateProcess.KERNEL32 ref: 000001C7396D4F7C
ExitProcess.KERNEL32 ref: 000001C7396D4F8B

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3909df8ddc6717e2b276abcc8b7868d121cee5230461283d2778d4ce90183b93
Instruction ID: 66f504b6c44d647ac8d8e45204d792dee192e012e25bd48b0f6a555acb214def
Opcode Fuzzy Hash: 3909df8ddc6717e2b276abcc8b7868d121cee5230461283d2778d4ce90183b93
Instruction Fuzzy Hash: 6ED05E703893C493FB486B722C8CADC52253BCC741F40382C8813063E3CDA9CC196A01

Function 000001C739671EB0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000001C73967209C

Strings

, xrefs: 000001C739671F33

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-3916222277
Opcode ID: 7cea7f04241b3362e16951c069b611a737113c18fc8acc1d2695288cd894ba58
Instruction ID: e7d976a6664366fa7668aafaab2904b06ef062560f838c04907993771e68a95e
Opcode Fuzzy Hash: 7cea7f04241b3362e16951c069b611a737113c18fc8acc1d2695288cd894ba58
Instruction Fuzzy Hash: D651677234ABC4D6EA158F2AD49079D73A0F388B90F955622CB5E43BE4CBB9D0A1D700

Function 000001C7396B6C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32 ref: 000001C7396B6CAC

Strings

Unknown, xrefs: 000001C7396B6D66

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: CurrentProfile
String ID: Unknown
API String ID: 2104809126-1654365787
Opcode ID: fa2a8794dd0643dca53051dbcb1a56265043fcac176ea8f876bd69b66baedc90
Instruction ID: 13ffe5974738a95f24b785580e950d4cbc3ecf0c4f9693930847db12709105b1
Opcode Fuzzy Hash: fa2a8794dd0643dca53051dbcb1a56265043fcac176ea8f876bd69b66baedc90
Instruction Fuzzy Hash: 6731CD3362CBC0C6F7109F25E5507DAA760F799B84F546215EBC902A9ADBBCC695CB00

Function 000001C739678560 Relevance: 3.2, APIs: 2, Instructions: 192COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000001C7396786A0
Concurrency::cancel_current_task.LIBCPMT ref: 000001C73967879F

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 6bdcc447c31443510a24f73882ca6033231b1e3c0736c26382b73fb7e3e2604b
Instruction ID: cdf415d349ae08e7ff3a8cc239079f7aa67893e2c3a94e43404ba9af4ec2e17f
Opcode Fuzzy Hash: 6bdcc447c31443510a24f73882ca6033231b1e3c0736c26382b73fb7e3e2604b
Instruction Fuzzy Hash: F751087238B7C0D5FE249B11A5847DD6251F704BE4F5836219F6E0B7C6EEB8C991AB00

Function 000001C7396AEED0 Relevance: 3.1, APIs: 2, Instructions: 87COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32 ref: 000001C7396AEF29
CoTaskMemFree.OLE32 ref: 000001C7396AEFEA

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: FolderFreeKnownPathTask
String ID:
API String ID: 969438705-0
Opcode ID: f45e971e56f82c762ff064703aa579bd5682de5b829f79bca64120356d8f9b1b
Instruction ID: 2ec2caa979d9a2fd0d50588c1439b3defb271c1c9cf239364e001f843740090a
Opcode Fuzzy Hash: f45e971e56f82c762ff064703aa579bd5682de5b829f79bca64120356d8f9b1b
Instruction Fuzzy Hash: E0316272A59BC481F7208F29E48479EB761F7997F4F206315FAA8026D5DBBCC1819B40

Function 000001C7396C4648 Relevance: 3.1, APIs: 2, Instructions: 77COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C466F

Part of subcall function 000001C7396C4604: _invalid_parameter_noinfo.LIBCMT ref: 000001C7396C461B

_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C4723

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 77ff38050bbf038ec147631c291faae903e00292372ea36fba1d268a897535c6
Instruction ID: f35b98d6a51ca05babea65e60879e651089217883c7a40104684790d74077072
Opcode Fuzzy Hash: 77ff38050bbf038ec147631c291faae903e00292372ea36fba1d268a897535c6
Instruction Fuzzy Hash: A831DB3239AAC4C2FA50DB16E850BE92361F7A5B80F952115F68F473D6EBB8C505EF10

Function 000001C7396AD510 Relevance: 3.1, APIs: 2, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 000001C7396AD561
RegCloseKey.ADVAPI32 ref: 000001C7396AD573

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: f1dca321947a1367f0d55f51290a78f41f5e328790fa86022a41bb21031095aa
Instruction ID: 88af6ea87b7ecd7001481dd3015f5dbe0d6bde2124b0c2f53d10055ea51518e3
Opcode Fuzzy Hash: f1dca321947a1367f0d55f51290a78f41f5e328790fa86022a41bb21031095aa
Instruction Fuzzy Hash: 7421EAB2769AC085FE509B26F850BDAA3A0FB99BD4F146111FA4D03BD6DFB8C441DB00

Function 000001C7396AC7CC Relevance: 3.1, APIs: 2, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 000001C73966E610: CreateToolhelp32Snapshot.KERNEL32 ref: 000001C73966E65A
Part of subcall function 000001C73966E610: Process32FirstW.KERNEL32 ref: 000001C73966E69C

Part of subcall function 000001C73966CA10: CredEnumerateA.ADVAPI32 ref: 000001C73966CA72

Part of subcall function 000001C7396B4A30: recv.WS2_32 ref: 000001C7396B4C0C

ReleaseMutex.KERNEL32 ref: 000001C7396AC83B
CloseHandle.KERNEL32 ref: 000001C7396AC844

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: CloseCreateCredEnumerateFirstHandleMutexProcess32ReleaseSnapshotToolhelp32recv
String ID:
API String ID: 420082584-0
Opcode ID: 72fb62e00b6ab6aed9ff4ba96f9e1c78eea38b06cc76bab37ea7e15b89c760fc
Instruction ID: 9fd6d2493ef815164d4b7ee1cca2fc9609993d4a9fe2f65cf1920b76c65af839
Opcode Fuzzy Hash: 72fb62e00b6ab6aed9ff4ba96f9e1c78eea38b06cc76bab37ea7e15b89c760fc
Instruction Fuzzy Hash: B42193B17DF6C0C1F9117779A416FDD1660BF863A0F147A11E55A415D79EDCC040BE21

Function 000001C7396AC7FD Relevance: 3.0, APIs: 2, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 000001C7396B4A30: recv.WS2_32 ref: 000001C7396B4C0C

ReleaseMutex.KERNEL32 ref: 000001C7396AC83B
CloseHandle.KERNEL32 ref: 000001C7396AC844

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexReleaserecv
String ID:
API String ID: 2659716615-0
Opcode ID: 41d61de7ec251066c83e68ff4745ce2efbe288d020525d85af7cefec082c80a6
Instruction ID: c864829341c4896deeea5b90c80b1bcc6cb3d643508b995d1b2d5e0e11b3c67e
Opcode Fuzzy Hash: 41d61de7ec251066c83e68ff4745ce2efbe288d020525d85af7cefec082c80a6
Instruction Fuzzy Hash: 4F11C6B2BDF6C0C1F910777DB41ABDD1650BB867A0F047601E99A016D79EDCC040BE11

Function 000001C7396D0E9C Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 000001C7396D0EE8
GetLastError.KERNEL32 ref: 000001C7396D0EF2

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 85342b8448b5f83962e520861b5040a532baca975cc467821ece28218af4e603
Instruction ID: 1f9e7b40639e773738540021ae621a445b649db2fb2a40b64424a0fb87822392
Opcode Fuzzy Hash: 85342b8448b5f83962e520861b5040a532baca975cc467821ece28218af4e603
Instruction Fuzzy Hash: F31191B2318BC0C1EA50CB26F804699A3A1F785BF4F985311EE79077D9CEB8C461DB40

Function 000001C7396DE888 Relevance: 3.0, APIs: 2, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000001C7396DE8B8

Part of subcall function 000001C7396DF8DC: std::bad_alloc::bad_alloc.LIBCMT ref: 000001C7396DF8E5

Concurrency::cancel_current_task.LIBCPMT ref: 000001C7396DE8BE

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: ad7fb39d7d0572768195cdb96d88edf57c93c5d00d8eaa663e4c704e5b7bea2c
Instruction ID: dab1cebda28cd587a1683087f4bc4b81643c4859c9e97dada1311a06d7c57cb3
Opcode Fuzzy Hash: ad7fb39d7d0572768195cdb96d88edf57c93c5d00d8eaa663e4c704e5b7bea2c
Instruction Fuzzy Hash: EEE0EC62BDB2C9D5FD2A22B22915BE940402B49370F1C3B209975482C3AA94C6B1AE50

Function 000001C7396CD3C8 Relevance: 2.5, APIs: 2, Instructions: 18memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapFree.KERNEL32 ref: 000001C7396CD3DE
GetLastError.KERNEL32 ref: 000001C7396CD3E8

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: b7253a55b1276d1b57d670979138b52c86c30a15e8b70f9b8b054cc625f4c6ce
Instruction ID: bf0074cfba8a232ec189c538eeb90b89b5df88ce0000598948473d8332d0d0a1
Opcode Fuzzy Hash: b7253a55b1276d1b57d670979138b52c86c30a15e8b70f9b8b054cc625f4c6ce
Instruction Fuzzy Hash: 73E0C2B1B8B2C4D3FF18A7F3A85CBE412917F98780F447020694AC22D3EDA4C880AE00

Function 000001C7396BF150 Relevance: 1.7, APIs: 1, Instructions: 189COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000001C7396BF3A0

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 2901ff78e8ac74c6bf6e2d49cc6ee3729ac6bc2a1dd6a79af97c8d9ea9292bcf
Instruction ID: d2e8b50ec23568429e32a5199198474b9c7297a7d779e0cbbda0bfef98298fed
Opcode Fuzzy Hash: 2901ff78e8ac74c6bf6e2d49cc6ee3729ac6bc2a1dd6a79af97c8d9ea9292bcf
Instruction Fuzzy Hash: BE61BD7634AAC0C4FA14AE96D1547AC23A9B304FD8F54A511CE2E073E5EBB9C886E740

Function 000001C73965E2A0 Relevance: 1.7, APIs: 1, Instructions: 175COMMON

Download Yara Rule

APIs

__std_fs_directory_iterator_open.LIBCPMT ref: 000001C73965E3D3

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: __std_fs_directory_iterator_open
String ID:
API String ID: 4007087469-0
Opcode ID: 76717113ea5da47b132f763876345f8647f0ed2d8c2e72e89c068685f351f031
Instruction ID: 18d63179cdc0ad67bfb64c207b82d6c5f7c9a8bb10d70264ab2fcda8a8331b62
Opcode Fuzzy Hash: 76717113ea5da47b132f763876345f8647f0ed2d8c2e72e89c068685f351f031
Instruction Fuzzy Hash: 4161F2B2B8ABC0E5FF11DF75D4807EC22A1F7447A8F006611DE2D576C5EAB8C891AB44

Function 000001C739678E80 Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000001C739679015

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 75452f2447bcf3f5063f66b21309cc1c3b96f50ddd57ef1b57b762a5a45bb60d
Instruction ID: 47360c777352a0e88df13399dec57d0829d7c33dc3f3386b4bd9b1bd999e6f8f
Opcode Fuzzy Hash: 75452f2447bcf3f5063f66b21309cc1c3b96f50ddd57ef1b57b762a5a45bb60d
Instruction Fuzzy Hash: 7441C07234ABC0C1FA109F15A5447DE6352F749BD4F542A25DF6D0B7C6DEB8C451AB00

Function 000001C739689FB0 Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000001C73968A157

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: f50f0c3118265bc351c20ef9078aab3826eec49e56110e872c6d5929b9f0b6fe
Instruction ID: a48808efb1a29b910feb3f7d446fca048d9f3e0f7f0aaa0478cc71fe4ff4f2f6
Opcode Fuzzy Hash: f50f0c3118265bc351c20ef9078aab3826eec49e56110e872c6d5929b9f0b6fe
Instruction Fuzzy Hash: A1418D7235ABC4C1FA24CB65E9446AEA3A1F748BD4F509625AFAD03BC5DF78C040DB00

Function 000001C739680790 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000001C7396808F4

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: e2e12fc60d6456e700a8a5d7db215d80e281faf3cf2bd2de2e2602360e342098
Instruction ID: 167e1324df8993e2a2cf071f79c2e6bceaad5f5a5822c9d5a4d9f623ef1f75bb
Opcode Fuzzy Hash: e2e12fc60d6456e700a8a5d7db215d80e281faf3cf2bd2de2e2602360e342098
Instruction Fuzzy Hash: C93127B235BBC4C1FD14DB26A444AEAA254F344BE4F905E15AEBD177D5CEB8C082A740

Function 000001C739679030 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000001C7396791AC

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: c4a029f44557a345db7e2f60585a3aaedac72f5aa70ac00bb693cc097c58b2c1
Instruction ID: 1ea701207a344478294f4e70acd1d2f2d046ffedf32b8ee3a32e1de26c7fcb8e
Opcode Fuzzy Hash: c4a029f44557a345db7e2f60585a3aaedac72f5aa70ac00bb693cc097c58b2c1
Instruction Fuzzy Hash: D741F37235BBC0C5FE209B16A908BDEA291B304FD4F545A259F6D0B7C6EEB8C551AB00

Function 000001C739674600 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000001C739674751

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 41befd2f7c4b4e1948445391c456d12d79bbd4c3c0be3bb508590c1115b665c1
Instruction ID: 466b82a7669ce672eeaf1041a5a279d837b88c63405f4ccee4405fe78fe3002e
Opcode Fuzzy Hash: 41befd2f7c4b4e1948445391c456d12d79bbd4c3c0be3bb508590c1115b665c1
Instruction Fuzzy Hash: 6C31267238B6C0D6FE15AB15E648BEC1282B701FE4F542221DE6D07BC5EEB8C481EB40

Function 000001C7396CD8C8 Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001C7396CD8F0

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 506399ceb7efd258d9ee9312528a7fb0108d3bcc24f039aa6e7519c78468f3b6
Instruction ID: 4fb2514af9bb57d8ae027326eb74793cd836e27e9e3341725d33f97d48080fd4
Opcode Fuzzy Hash: 506399ceb7efd258d9ee9312528a7fb0108d3bcc24f039aa6e7519c78468f3b6
Instruction Fuzzy Hash: 5C41AE3334A6C4C7FB64CB19E551BA973A0F756B90F142205EADA936D2CBB8C402EF51

Function 000001C7396B6290 Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNEL32 ref: 000001C7396B6320

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 9e562445dd186ac4e3ea6e160ed227f9f7592b7f15d6a1ba227492fa7f0e0638
Instruction ID: 4d7131deb0d137c976c6284bd0730751d1a65cec96a84b357d0deb2b63d9f495
Opcode Fuzzy Hash: 9e562445dd186ac4e3ea6e160ed227f9f7592b7f15d6a1ba227492fa7f0e0638
Instruction Fuzzy Hash: 63517B32B58BC4C9FB10CB68E8447DD7760F789798F506211EB9853A99EFB8C584DB40

Function 000001C7396729B0 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000001C739672AB8

Part of subcall function 000001C73965B820: __std_exception_copy.LIBVCRUNTIME ref: 000001C73965B868

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task__std_exception_copy
String ID:
API String ID: 317858897-0
Opcode ID: b877bc5c1e1706bbbac12123d48b15ce7493262ddada9eeecf2dd508b60f9e1c
Instruction ID: 689d94ae04c3a9ad596befddd7e5c873aaf0d391bd4d379d711ecb933fe19991
Opcode Fuzzy Hash: b877bc5c1e1706bbbac12123d48b15ce7493262ddada9eeecf2dd508b60f9e1c
Instruction Fuzzy Hash: C021397270BBC5C1FA299B15E5407ED6290F754BA4F2467229E7D03BC2EAB8C4D2E740

Function 000001C7396D080C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001C7396D0892

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: a24f7c79d48368e33d7deb9d4eeecb52ce7ec7a6106812cc151fd4020b53ad0d
Instruction ID: 508697e17b5d4c8125c4f15ad81350b94e91fe62a076d1504fece8defce49e2e
Opcode Fuzzy Hash: a24f7c79d48368e33d7deb9d4eeecb52ce7ec7a6106812cc151fd4020b53ad0d
Instruction Fuzzy Hash: 3A31C43375BAC0C6FB51AB659841BDC2690B784BA0F822205EA65473D2CBF8C551EF51

Function 000001C7396D4E91 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001C7396D4EBF

Part of subcall function 000001C7396D4FB8: GetModuleHandleExW.KERNEL32 ref: 000001C7396D4FDD
Part of subcall function 000001C7396D4FB8: GetProcAddress.KERNEL32 ref: 000001C7396D4FF3
Part of subcall function 000001C7396D4FB8: FreeLibrary.KERNEL32 ref: 000001C7396D501A

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 9e03c0276b42d0bae273c9ceb8b8abd1e24865752fa8da44abca3c0ffcb1668a
Instruction ID: 60d933f9de59869c8af10f860cf2ff4a7bc56f4dfddfa324f839180898a50d3e
Opcode Fuzzy Hash: 9e03c0276b42d0bae273c9ceb8b8abd1e24865752fa8da44abca3c0ffcb1668a
Instruction Fuzzy Hash: BA217C32B466C0CAFB648F64C444BEC77A0F38471CF542629E66946AE9DBB4C8A4DB40

Function 000001C7396EE200 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001C7396EE15D

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 277766cc613ac521deff1262cc5973a4c6dda0ce244441028124d0478fb53980
Instruction ID: b7dc776932f44399aea80e7e57641f3c2812793823f7090172e851430cdfac10
Opcode Fuzzy Hash: 277766cc613ac521deff1262cc5973a4c6dda0ce244441028124d0478fb53980
Instruction Fuzzy Hash: 6B117532B5E6C0C2FB619F519500BEEA264B789B80F446011FB89577D6CBBAC441AF41

Function 000001C7396EFEF8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001C7396EFF1B

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 4bdd7c7df9abbb715da046ae302baf4d590079e7e30464498c50f0bf6b7ea38d
Instruction ID: 30613f1c616157f4bae6829d44069313983987349899a485390c0338d1b40491
Opcode Fuzzy Hash: 4bdd7c7df9abbb715da046ae302baf4d590079e7e30464498c50f0bf6b7ea38d
Instruction Fuzzy Hash: 2721C332719AC0C7FB618F28E540BA976A4F785BD4F545224EA59876D9EBBAC8009F00

Function 000001C7396B0E00 Relevance: 1.5, APIs: 1, Instructions: 38networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 000001C7396B0E48

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 10723b900c3d3fb221c2729e0f2ab508e71a113b43aaaf7fd55bda6ca2804ccb
Instruction ID: 48a9b0fc13243db5192c092687e06a8bc901de524568b41ec1cb101479066b4d
Opcode Fuzzy Hash: 10723b900c3d3fb221c2729e0f2ab508e71a113b43aaaf7fd55bda6ca2804ccb
Instruction Fuzzy Hash: 9B018F35719AC485EB508F2BB944A59A7A0F788FD4F486130EE5D03B9CEB68C8418B00

Function 000001C739667633 Relevance: 1.5, APIs: 1, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32 ref: 000001C739667676

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 752fe5805e453647425062ce64daa4e53c54a82ad0d646f83825288564bb7983
Instruction ID: 30a730c3075d4ad5e430ccc4f1b8bedfc58c4a93c99d48402a0849e42d618035
Opcode Fuzzy Hash: 752fe5805e453647425062ce64daa4e53c54a82ad0d646f83825288564bb7983
Instruction Fuzzy Hash: C0014B3734CAC080EA70DB16F89479AA374F788B94F401022DE8D83B99DE78C886DF00

Function 000001C7396C7374 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C7393

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 68ea0e6e30933e9dd76abf56f21314c638998a57c534cc3687c594a1fb5b02e7
Instruction ID: 0cdda51b91ad18ac676302df4a71525a0b386f9187521c5d5718231424e94b2b
Opcode Fuzzy Hash: 68ea0e6e30933e9dd76abf56f21314c638998a57c534cc3687c594a1fb5b02e7
Instruction Fuzzy Hash: 0AE0927275BAC4C1FB656BA99141AED61607B447F0F546321BAB8422C6DAB4C4606E10

Function 000001C7396EB4C0 Relevance: 1.5, APIs: 1, Instructions: 9fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32 ref: 000001C7396EB4C4

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 4104833be8186ecfced91f05a1dc286f8d4e1ac7fad94ea37a2bf5d234dce428
Instruction ID: 1b297640cd2ccc8cab08d33f39a401cabf68695f89a659102248e66b0c1aa9d3
Opcode Fuzzy Hash: 4104833be8186ecfced91f05a1dc286f8d4e1ac7fad94ea37a2bf5d234dce428
Instruction Fuzzy Hash: A9C04865F9E9C2D2F6982B736C8AA8212E0B758791F9821248504802D0DAACC1E6AF12

Function 000001C7396ED0B4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 000001C7396ED0BD

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: ebb3c2d15c06801dfe805b6087078b0f501a5fe9f8c446694f4975735c5f9cad
Instruction ID: 8c00bd59684606d9095a3cbb844f870dd66f4c1e8fca2ec47f95dbba21e8720c
Opcode Fuzzy Hash: ebb3c2d15c06801dfe805b6087078b0f501a5fe9f8c446694f4975735c5f9cad
Instruction Fuzzy Hash: 65B09276A188C0C3E611EB14EC4A48A7331F794B0AFD00000E28E427A4CE2CCA2A8E00

Function 000001C7396CE8BC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 000001C7396CE8FA

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: eba47d0c810211a009f984e3ce810decee2d7cb9fb39a7e87e15bbee8ef19542
Instruction ID: c363a03123b26ee30753d6c94a5edc8eec144709b0be7ae6a7dfdc627e9d5ca4
Opcode Fuzzy Hash: eba47d0c810211a009f984e3ce810decee2d7cb9fb39a7e87e15bbee8ef19542
Instruction Fuzzy Hash: CDF0127138B7C9D5FF9566726845FED12A07B887B4F4827306D76852C1DAD8CC50BE10

Non-executed Functions

Function 000001C7396C1220 Relevance: 49.1, APIs: 25, Strings: 2, Instructions: 1888COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C1557
_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C17BA
_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C1A7D
_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C1D1D
memcpy_s.LIBCPMT ref: 000001C7396C1F2A
memcpy_s.LIBCPMT ref: 000001C7396C1FC6
memcpy_s.LIBCPMT ref: 000001C7396C247E
memcpy_s.LIBCPMT ref: 000001C7396C24B9
memcpy_s.LIBCPMT ref: 000001C7396C25E5
memcpy_s.LIBCPMT ref: 000001C7396C270C
memcpy_s.LIBCPMT ref: 000001C7396C27B7
memcpy_s.LIBCPMT ref: 000001C7396C27FF
memcpy_s.LIBCPMT ref: 000001C7396C2829
memcpy_s.LIBCPMT ref: 000001C7396C28DA
memcpy_s.LIBCPMT ref: 000001C7396C2ADA
memcpy_s.LIBCPMT ref: 000001C7396C2B1F
memcpy_s.LIBCPMT ref: 000001C7396C2BD6
memcpy_s.LIBCPMT ref: 000001C7396C2D03
memcpy_s.LIBCPMT ref: 000001C7396C23CE

Part of subcall function 000001C7396C3664: _invalid_parameter_noinfo.LIBCMT ref: 000001C7396C3696

memcpy_s.LIBCPMT ref: 000001C7396C2449
memcpy_s.LIBCPMT ref: 000001C7396C2EBD

Strings

, xrefs: 000001C7396C2DB0
, xrefs: 000001C7396C2C83

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: memcpy_s$_invalid_parameter_noinfo
String ID: $
API String ID: 2880407647-227171996
Opcode ID: 49a4e64996860ac975e7d62cf44a3f3077f64a100a8fbd3398d3c45755aa41bf
Instruction ID: 3200f3db771037b256a241541562220b9b46d23894f3763c60e5c7e1cafc613a
Opcode Fuzzy Hash: 49a4e64996860ac975e7d62cf44a3f3077f64a100a8fbd3398d3c45755aa41bf
Instruction Fuzzy Hash: AB03BC7235A2C0CBF7758F29D980BEA37A1F354788F40611AEA46A7B98D775DA00DF00

Function 000001C7396BA430 Relevance: 34.3, APIs: 18, Strings: 1, Instructions: 1015stringmemorynativeCOMMON

Download Yara Rule

APIs

RtlAcquirePebLock.NTDLL ref: 000001C7396BA473
NtAllocateVirtualMemory.NTDLL ref: 000001C7396BA4AB
lstrcpyW.KERNEL32 ref: 000001C7396BA50D
lstrcatW.KERNEL32 ref: 000001C7396BA5C2
NtAllocateVirtualMemory.NTDLL ref: 000001C7396BA649
lstrcpyW.KERNEL32 ref: 000001C7396BA6FC
RtlInitUnicodeString.NTDLL ref: 000001C7396BA711
RtlInitUnicodeString.NTDLL ref: 000001C7396BA726
LdrEnumerateLoadedModules.NTDLL ref: 000001C7396BA739
RtlReleasePebLock.NTDLL ref: 000001C7396BA73F

Part of subcall function 000001C7396AEED0: SHGetKnownFolderPath.SHELL32 ref: 000001C7396AEF29
Part of subcall function 000001C7396AEED0: CoTaskMemFree.OLE32 ref: 000001C7396AEFEA

CoInitializeEx.OLE32 ref: 000001C7396BA7EA
lstrcpyW.KERNEL32 ref: 000001C7396BA9C9
lstrcatW.KERNEL32 ref: 000001C7396BABCE
CoGetObject.OLE32 ref: 000001C7396BABEC
lstrcpyW.KERNEL32 ref: 000001C7396BB269
lstrcatW.KERNEL32 ref: 000001C7396BB48C
CoGetObject.OLE32 ref: 000001C7396BB4AA
CoUninitialize.OLE32 ref: 000001C7396BB972

Strings

0, xrefs: 000001C7396BB0AA

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$AllocateInitLockMemoryObjectStringUnicodeVirtual$AcquireEnumerateFolderFreeInitializeKnownLoadedModulesPathReleaseTaskUninitialize
String ID: 0
API String ID: 1424456515-4108050209
Opcode ID: bffff509ffd6270dadea9e20301829ac4cc6803663d724a08f943be11931e5d8
Instruction ID: b870bc7ea9f5e284f8550b629c5170d14924293aa1b60dfb5e6b9126f3405243
Opcode Fuzzy Hash: bffff509ffd6270dadea9e20301829ac4cc6803663d724a08f943be11931e5d8
Instruction Fuzzy Hash: 27C2B83662AF948AE7808F69E88069DB3B5F788B88F106215FECD57B18EB74C154C740

Function 000001C739636180 Relevance: 30.2, Strings: 24, Instructions: 238COMMON

Download Yara Rule

Strings

ntuser.dat, xrefs: 000001C739636304
d3d9caps.dat, xrefs: 000001C7396363E6
boot.sdi, xrefs: 000001C7396364D1
ntldr, xrefs: 000001C739636292
mib.bin, xrefs: 000001C739636444
bootmgr, xrefs: 000001C73963655E
winsipolicy.p7b, xrefs: 000001C7396362B8
reagent.xml, xrefs: 000001C73963652F
indexervolumeguid, xrefs: 000001C739636473
bootstat.dat, xrefs: 000001C739636415
autorun.inf, xrefs: 000001C7396361A8
bootfont.bin, xrefs: 000001C739636220
wpsettings.dat, xrefs: 000001C7396364A2
bootsect.bak, xrefs: 000001C739636246
ntuser.ini, xrefs: 000001C739636359
BOOTNXT, xrefs: 000001C73963658D
ntuser.dat.log, xrefs: 000001C73963632D
winre.wim, xrefs: 000001C739636500
thumbs.db, xrefs: 000001C739636388
bootmgfw.efi, xrefs: 000001C7396361F9
iconcache.db, xrefs: 000001C7396362DE
desktop.ini, xrefs: 000001C73963626C
gdipfontcachev1.dat, xrefs: 000001C7396363B7
boot.ini, xrefs: 000001C7396361D1

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: BOOTNXT$autorun.inf$boot.ini$boot.sdi$bootfont.bin$bootmgfw.efi$bootmgr$bootsect.bak$bootstat.dat$d3d9caps.dat$desktop.ini$gdipfontcachev1.dat$iconcache.db$indexervolumeguid$mib.bin$ntldr$ntuser.dat$ntuser.dat.log$ntuser.ini$reagent.xml$thumbs.db$winre.wim$winsipolicy.p7b$wpsettings.dat
API String ID: 118556049-850610325
Opcode ID: 22dcfd16a23274500c0631d97ecb7b22965bfb45e38d580db89ddce6ecc7947a
Instruction ID: c8504a5ca958f3e107161f26ee0554542b9d957e0d958dbf907f40bab06622fe
Opcode Fuzzy Hash: 22dcfd16a23274500c0631d97ecb7b22965bfb45e38d580db89ddce6ecc7947a
Instruction Fuzzy Hash: B2C17372EA4FCA84F721DB35D8827E95361F7EA344F507306698861896EBE4E3C4D740

Function 000001C739687CEB Relevance: 29.3, APIs: 2, Strings: 14, Instructions: 1339COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000001C739689311
Concurrency::cancel_current_task.LIBCPMT ref: 000001C7396893E6

Part of subcall function 000001C73965BA80: __std_exception_copy.LIBVCRUNTIME ref: 000001C73965BAC3

Part of subcall function 000001C7396E0E88: RtlPcToFileHeader.KERNEL32 ref: 000001C7396E0ED8
Part of subcall function 000001C7396E0E88: RaiseException.KERNEL32 ref: 000001C7396E0F19

Strings

quote was opened but not closed., xrefs: 000001C739689236, 000001C7396892AB
Unexpected eof, xrefs: 000001C7396891E2
*, xrefs: 000001C739687EFE
unexpected '}', xrefs: 000001C739689413
key opened, but never closed, xrefs: 000001C7396893BF
/, xrefs: 000001C739687ED3
unexpected key without object, xrefs: 000001C7396892EA
key declared, but no value, xrefs: 000001C73968925D, 000001C739689284, 000001C739689398
No closed word, xrefs: 000001C739689317, 000001C73968933E
#base, xrefs: 000001C739688696
word wasnt properly ended, xrefs: 000001C739689365, 000001C7396893EC
object is not closed with '}', xrefs: 000001C73968920F
#include, xrefs: 000001C73968866A
", xrefs: 000001C7396880D3

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task$ExceptionFileHeaderRaise__std_exception_copy
String ID: "$#base$#include$*$/$No closed word$Unexpected eof$key declared, but no value$key opened, but never closed$object is not closed with '}'$quote was opened but not closed.$unexpected '}'$unexpected key without object$word wasnt properly ended
API String ID: 145623376-3561477107
Opcode ID: d74d352c751d444e1a94676d183c71f0ed2a32b298481f513aa138981f836526
Instruction ID: c100b808f6261bc2dd92913b19dc4e386928098212a2248ec1f3ec50ecd7bac0
Opcode Fuzzy Hash: d74d352c751d444e1a94676d183c71f0ed2a32b298481f513aa138981f836526
Instruction Fuzzy Hash: F9D28C7238AAC4C9FB709F24D894BED63A1F744788F446112DA5D0BAD9DFB4C685EB00

Function 000001C739635DB0 Relevance: 25.2, Strings: 20, Instructions: 202COMMON

Download Yara Rule

Strings

PerfLogs, xrefs: 000001C739635F34
Program Files, xrefs: 000001C7396360D2
ntldr, xrefs: 000001C739636016
bootmgr, xrefs: 000001C7396360A3
All users, xrefs: 000001C739636074
$winreagent, xrefs: 000001C739635F5D
$windows.~ws, xrefs: 000001C739635F89
System Volume Information, xrefs: 000001C739635E76
ProgramData, xrefs: 000001C739636045
config.msi, xrefs: 000001C739635EC2
$recycle.bin, xrefs: 000001C739635DD8
$windows.~bt, xrefs: 000001C739635F0E
Windows.~bt, xrefs: 000001C739635FB8
AppData, xrefs: 000001C739635FE7
Boot, xrefs: 000001C739635E50
Application Data, xrefs: 000001C739635E9C
Program Files (x86), xrefs: 000001C739636101
#recycle, xrefs: 000001C739635E29
Windows.old, xrefs: 000001C739635EE8
Windows, xrefs: 000001C739635E01

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: #recycle$$recycle.bin$$windows.~bt$$windows.~ws$$winreagent$All users$AppData$Application Data$Boot$PerfLogs$Program Files$Program Files (x86)$ProgramData$System Volume Information$Windows$Windows.old$Windows.~bt$bootmgr$config.msi$ntldr
API String ID: 118556049-2722463023
Opcode ID: 7d392a795bfbfd6594683dd8fb9872c8abf8b0b593989480866b32def73f354a
Instruction ID: 778115717d9f9731fe759266b14f5200cbde318f85903883580150e9a256e3e3
Opcode Fuzzy Hash: 7d392a795bfbfd6594683dd8fb9872c8abf8b0b593989480866b32def73f354a
Instruction Fuzzy Hash: 1CA18672EA4FC984F711DB35D8827E95361F7EA344F507306B98862896EBE4E2C4D740

Function 000001C7396B9D30 Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 351nativelibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001C7396B9D76
GetProcAddress.KERNEL32 ref: 000001C7396B9D86
OpenProcess.KERNEL32 ref: 000001C7396B9DB8
NtQuerySystemInformation.NTDLL ref: 000001C7396B9DE0
NtQuerySystemInformation.NTDLL ref: 000001C7396B9E0E
GetCurrentProcess.KERNEL32 ref: 000001C7396B9ED3
NtQueryObject.NTDLL ref: 000001C7396B9F19
GetFinalPathNameByHandleA.KERNEL32 ref: 000001C7396BA00D
CloseHandle.KERNEL32 ref: 000001C7396BA128
CloseHandle.KERNEL32 ref: 000001C7396BA1B8

Strings

ntdll.dll, xrefs: 000001C7396B9D6F
File, xrefs: 000001C7396B9F4A
NtDuplicateObject, xrefs: 000001C7396B9D7F

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Handle$Query$CloseInformationProcessSystem$AddressCurrentFinalModuleNameObjectOpenPathProc
String ID: File$NtDuplicateObject$ntdll.dll
API String ID: 2729825427-3955674919
Opcode ID: 5595fe45689cfa17c087c9c4c769a2190341afca7d98ec67c6bd0621ec17da3c
Instruction ID: f96b95191a030452089ee94cf8f04e53673a39707e605d2c32aeb3ef7f8f3b2a
Opcode Fuzzy Hash: 5595fe45689cfa17c087c9c4c769a2190341afca7d98ec67c6bd0621ec17da3c
Instruction Fuzzy Hash: C8E1CF72B5AAC0C9FB00CB66D8147ED27A1F745B88F40A111DE5D17BD9EEB8C549EB00

Function 000001C7396A4D40 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 219COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 000001C7396A4D9F

Strings

@, xrefs: 000001C7396A4F26

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Initialize
String ID: @
API String ID: 2538663250-2766056989
Opcode ID: 9c6563557f9671a4dfc65ba646c2024ee018d1ded172854ab3a063d36669e394
Instruction ID: 59e6594739daa99352cbfec8bb029572d1412942cab2d7a463fd4501dac33508
Opcode Fuzzy Hash: 9c6563557f9671a4dfc65ba646c2024ee018d1ded172854ab3a063d36669e394
Instruction Fuzzy Hash: 5DA17BB2B48AC08AF720CB35E814BDD77B2F788B88F006215DE5A52BD5DBB8C154D744

Function 000001C7396AB420 Relevance: 21.5, APIs: 1, Strings: 11, Instructions: 465COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32 ref: 000001C7396AB9A7

Strings

ios_base::eofbit set, xrefs: 000001C7396ABBCC
ios_base::failbit set, xrefs: 000001C7396ABBC5
runas, xrefs: 000001C7396AB926
.vbs, xrefs: 000001C7396AB512
.cmd, xrefs: 000001C7396AB4E3
.ps1, xrefs: 000001C7396AB4B4
ios_base::badbit set, xrefs: 000001C7396ABBBA
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+=-&^%$#@!(){}[},.;', xrefs: 000001C7396AB5B4
.exe, xrefs: 000001C7396AB56D
open, xrefs: 000001C7396AB91D
.exe, xrefs: 000001C7396AB485

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: .cmd$.exe$.exe$.ps1$.vbs$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+=-&^%$#@!(){}[},.;'$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$open$runas
API String ID: 587946157-4093014531
Opcode ID: a81ac7c5b5281aa72e86c5d1db3c813581a55ab4a453fab15c3194e1eda2ced0
Instruction ID: fbe5f15a9beeb9b8e7dc1eeb67e14129659cae57e139a74f87ece6f9e80475ae
Opcode Fuzzy Hash: a81ac7c5b5281aa72e86c5d1db3c813581a55ab4a453fab15c3194e1eda2ced0
Instruction Fuzzy Hash: DD229BB2B65BC0C9EB10DF38E8847DD67A0F784798F506216EA5D03AE9DBB4C584DB40

Function 000001C7396DA3C8 Relevance: 20.4, APIs: 8, Strings: 3, Instructions: 1156COMMON

Download Yara Rule

Strings

s, xrefs: 000001C7396DB3F1
s, xrefs: 000001C7396DB4D2
W$, xrefs: 000001C7396DA530

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: s$s$W$
API String ID: 3215553584-4165748295
Opcode ID: eb5e4ab2d029c7cfbb461b4b388c5eb7e7ed560b990af95f7b2538d60182e05f
Instruction ID: dc8a495602ea37fb4b87b6fef8d42c883b2fe43cf4a0c9bb44ad299870dabd7f
Opcode Fuzzy Hash: eb5e4ab2d029c7cfbb461b4b388c5eb7e7ed560b990af95f7b2538d60182e05f
Instruction Fuzzy Hash: 0AA2BC73B5A2D1CBF7658E68D940BED37A1F344388F406119DA269BAC8D7B4DA10EF40

Function 000001C7396BA780 Relevance: 16.6, APIs: 8, Strings: 1, Instructions: 839stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000001C7396BA430: RtlAcquirePebLock.NTDLL ref: 000001C7396BA473
Part of subcall function 000001C7396BA430: NtAllocateVirtualMemory.NTDLL ref: 000001C7396BA4AB
Part of subcall function 000001C7396BA430: lstrcpyW.KERNEL32 ref: 000001C7396BA50D
Part of subcall function 000001C7396BA430: lstrcatW.KERNEL32 ref: 000001C7396BA5C2

CoInitializeEx.OLE32 ref: 000001C7396BA7EA
lstrcpyW.KERNEL32 ref: 000001C7396BA9C9
lstrcatW.KERNEL32 ref: 000001C7396BABCE
CoGetObject.OLE32 ref: 000001C7396BABEC
lstrcpyW.KERNEL32 ref: 000001C7396BB269
lstrcatW.KERNEL32 ref: 000001C7396BB48C
CoGetObject.OLE32 ref: 000001C7396BB4AA
CoUninitialize.OLE32 ref: 000001C7396BB972

Strings

0, xrefs: 000001C7396BB0AA

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpy$Object$AcquireAllocateInitializeLockMemoryUninitializeVirtual
String ID: 0
API String ID: 3636535045-4108050209
Opcode ID: 95548f2807c2a30324248dd01e2a8a94cc58c51ccd784f2019bbca1f9dcb7ca7
Instruction ID: 7c7a7990a7b171b676f6a98761e76188148b9dacba043172c0d8878c86fdbbb2
Opcode Fuzzy Hash: 95548f2807c2a30324248dd01e2a8a94cc58c51ccd784f2019bbca1f9dcb7ca7
Instruction Fuzzy Hash: B8B2893662AFD88AD7808F69F88165EB3B5F788B88B106215FECD57B18EB74C154C740

Function 000001C7396B0E90 Relevance: 13.2, APIs: 2, Strings: 4, Instructions: 2698COMMON

Download Yara Rule

Strings

cannot compare iterators of different containers, xrefs: 000001C7396B447F, 000001C7396B452F, 000001C7396B465F
cannot use push_back() with , xrefs: 000001C7396B43D3
value, xrefs: 000001C7396B16C8
type must be string, but is , xrefs: 000001C7396B443D, 000001C7396B44ED, 000001C7396B45B1, 000001C7396B460B

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: cannot compare iterators of different containers$cannot use push_back() with $type must be string, but is $value
API String ID: 118556049-2711811579
Opcode ID: 7f80bed89c04e09c969b45b1dc1433bbcd0b8089d8a15f5b1f9da2c66398618f
Instruction ID: f1bfbbd14db91e028e33f23de9854d5a8e790745923dbdf25bc84ca48c2ede77
Opcode Fuzzy Hash: 7f80bed89c04e09c969b45b1dc1433bbcd0b8089d8a15f5b1f9da2c66398618f
Instruction Fuzzy Hash: 3053897264ABC4C9EB709F25D8807DD33A4F744798F40A216DA9D5BADAEFB0C284D700

Function 000001C7396A8440 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 188COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT ref: 000001C7396A84D8
BCryptSetProperty.BCRYPT ref: 000001C7396A8502
BCryptGenerateSymmetricKey.BCRYPT ref: 000001C7396A853B
Concurrency::cancel_current_task.LIBCPMT ref: 000001C7396A8661

Strings

ChainingModeGCM, xrefs: 000001C7396A84F0
ChainingMode, xrefs: 000001C7396A84F7
AES, xrefs: 000001C7396A84CD

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Crypt$AlgorithmConcurrency::cancel_current_taskGenerateOpenPropertyProviderSymmetric
String ID: AES$ChainingMode$ChainingModeGCM
API String ID: 2222192889-1213888626
Opcode ID: 2efae06bd358d2dd66473e97cef9578bb6225c89794f084aa8c048aa4555aeab
Instruction ID: 0585d273ec08e5fd4f6631466ec48079e37a691daa79bde2a4fc8cb8a3e616a0
Opcode Fuzzy Hash: 2efae06bd358d2dd66473e97cef9578bb6225c89794f084aa8c048aa4555aeab
Instruction Fuzzy Hash: 096104B274A7C4C6FB149F25E940BD96360F784BE4F146721AEA807BD6DBB8C4919B00

Function 000001C7396D8C04 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001C7396C9EEC: GetLastError.KERNEL32 ref: 000001C7396C9EFB
Part of subcall function 000001C7396C9EEC: FlsGetValue.KERNEL32 ref: 000001C7396C9F10
Part of subcall function 000001C7396C9EEC: SetLastError.KERNEL32 ref: 000001C7396C9F9B

TranslateName.LIBCMT ref: 000001C7396D8C6E
TranslateName.LIBCMT ref: 000001C7396D8CA9
GetACP.KERNEL32 ref: 000001C7396D8CF0
IsValidCodePage.KERNEL32 ref: 000001C7396D8D28
GetLocaleInfoW.KERNEL32 ref: 000001C7396D8EE5

Strings

utf8, xrefs: 000001C7396D8E0C

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
String ID: utf8
API String ID: 3069159798-905460609
Opcode ID: 41343eb44851c0e8f8055f3926715ba520ae6846787d1c3cb08d70e80e5c003e
Instruction ID: c1bc598d50288331ab7edc0dafa2bfcc9155f2a9f06e2b3eb811ba2aca705891
Opcode Fuzzy Hash: 41343eb44851c0e8f8055f3926715ba520ae6846787d1c3cb08d70e80e5c003e
Instruction Fuzzy Hash: EE919D3338A7C0C5FB649F22D409BD923A4F784B80F4471219A68477E5DBB8C961EF40

Function 000001C7396D964C Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001C7396C9EEC: GetLastError.KERNEL32 ref: 000001C7396C9EFB
Part of subcall function 000001C7396C9EEC: FlsGetValue.KERNEL32 ref: 000001C7396C9F10
Part of subcall function 000001C7396C9EEC: SetLastError.KERNEL32 ref: 000001C7396C9F9B

Part of subcall function 000001C7396C9EEC: FlsSetValue.KERNEL32 ref: 000001C7396C9F31

GetUserDefaultLCID.KERNEL32 ref: 000001C7396D97BC

Part of subcall function 000001C7396C9EEC: FlsSetValue.KERNEL32 ref: 000001C7396C9F5E
Part of subcall function 000001C7396C9EEC: FlsSetValue.KERNEL32 ref: 000001C7396C9F6F
Part of subcall function 000001C7396C9EEC: FlsSetValue.KERNEL32 ref: 000001C7396C9F80

EnumSystemLocalesW.KERNEL32 ref: 000001C7396D97A3
ProcessCodePage.LIBCMT ref: 000001C7396D97E6
IsValidCodePage.KERNEL32 ref: 000001C7396D97F8
IsValidLocale.KERNEL32 ref: 000001C7396D980E
GetLocaleInfoW.KERNEL32 ref: 000001C7396D986A
GetLocaleInfoW.KERNEL32 ref: 000001C7396D9886

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: 35311c5f5cbb088db9cafc063da405a92d1dac0a49a1e36eea51d3b328654a2c
Instruction ID: 71c835132813d5b83381935ce65126b87631fe2d14f6a5230831473176aff656
Opcode Fuzzy Hash: 35311c5f5cbb088db9cafc063da405a92d1dac0a49a1e36eea51d3b328654a2c
Instruction Fuzzy Hash: F071AC3374A6C0C9FB509F61D840FEC33B4BB48B88F4464258A29537C5EBB8C965EB51

Function 000001C7396A02C0 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 410COMMON

Download Yara Rule

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 000001C7396A0474
__std_exception_destroy.LIBVCRUNTIME ref: 000001C7396A0482
__std_exception_destroy.LIBVCRUNTIME ref: 000001C7396A0705
__std_exception_destroy.LIBVCRUNTIME ref: 000001C7396A0713

Strings

value, xrefs: 000001C7396A039A, 000001C7396A0633

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: __std_exception_destroy
String ID: value
API String ID: 2453523683-494360628
Opcode ID: b5fc035d0a31599273e36ce815e8c7c3cffe1eeaac2be8b1a3b229376dce3244
Instruction ID: 63f025d1b9ce8acd61f579ad70d86b9ea30d36651821194a8d786fac138bf9d8
Opcode Fuzzy Hash: b5fc035d0a31599273e36ce815e8c7c3cffe1eeaac2be8b1a3b229376dce3244
Instruction Fuzzy Hash: 02029172B5ABC0C5FB40CB74E4847ED6761F7867A4F106206FA9D02ADADBB8C185DB40

Function 000001C73966ADD0 Relevance: 8.4, Strings: 6, Instructions: 919COMMON

Download Yara Rule

Strings

filename, xrefs: 000001C73966B939
directory_iterator::directory_iterator, xrefs: 000001C73966BF24
files, xrefs: 000001C73966BC35
content, xrefs: 000001C73966BAB2
key, xrefs: 000001C73966B33D, 000001C73966B51D
exists, xrefs: 000001C73966BEB7, 000001C73966BED2

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID: content$directory_iterator::directory_iterator$exists$filename$files$key
API String ID: 0-2980817763
Opcode ID: d7770c977cfd7bebd9b65eae9e69830366ac9260aa5e895dbe0ec1532ffe9d24
Instruction ID: d6d800ac7df60a08d28b7aaf24eed09db20243bba5d6906d832af9ec0ba0b486
Opcode Fuzzy Hash: d7770c977cfd7bebd9b65eae9e69830366ac9260aa5e895dbe0ec1532ffe9d24
Instruction Fuzzy Hash: 68A27B7265ABC5D9EB218F34D8847DD33A0F789798F406616EA980BBD9DFB4C280D740

Function 000001C739663A30 Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 699COMMON

Download Yara Rule

Strings

filename, xrefs: 000001C739664624
content, xrefs: 000001C739664749
ios_base::badbit set, xrefs: 000001C739664A48, 000001C739664A8C

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Crypt$AlgorithmProvider$CloseGenerateOpenPropertySymmetric
String ID: content$filename$ios_base::badbit set
API String ID: 4024084497-879919306
Opcode ID: b533193e28815f21182ac1b90e95e7e721ec3efa77a2b4629d352bfe286857a0
Instruction ID: 5567d4a4a17e257c6cead8da6f7c73d54b651984912c804faed1205fc2dba6a1
Opcode Fuzzy Hash: b533193e28815f21182ac1b90e95e7e721ec3efa77a2b4629d352bfe286857a0
Instruction Fuzzy Hash: A682037225EBC595E6B18B14F8807DAB3A4F7C9340F506226DACD42BA9EF78C594DF00

Function 000001C7396698CD Relevance: 7.4, Strings: 5, Instructions: 1142COMMON

Download Yara Rule

Strings

filename, xrefs: 000001C739669B46, 000001C739669ECE, 000001C73966A762
content, xrefs: 000001C739669B9F, 000001C739669F27, 000001C73966A844
config, xrefs: 000001C739669CDD
status, xrefs: 000001C73966AD67
users, xrefs: 000001C73966A262

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID: config$content$filename$status$users
API String ID: 0-2677590375
Opcode ID: ea956052f13d077582bdf1b46eb7a47468374c676c533bac5f9a4d7cac467203
Instruction ID: 7afcd68b912fed6c79a30e85feac768ca7be35c93be2d4e43f19b5b29255f5f8
Opcode Fuzzy Hash: ea956052f13d077582bdf1b46eb7a47468374c676c533bac5f9a4d7cac467203
Instruction Fuzzy Hash: 5DC27B72796BC0C9EB309F34D8807DD63A1F785798F406212DA9D4AADAEFB4C684D740

Function 000001C7396ED804 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001C7396ED865
IsDebuggerPresent.KERNEL32 ref: 000001C7396ED87D
OutputDebugStringW.KERNEL32 ref: 000001C7396ED88E

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 000001C7396ED887

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: 9ee4415ca50324c33a3d5a57874f9cc99ad178eb9645fb895110d63af1d9e2c1
Instruction ID: 1d10eedcaef14d2c9420866abe9f1522b61596d24c186bbbaa0d1d1746cad317
Opcode Fuzzy Hash: 9ee4415ca50324c33a3d5a57874f9cc99ad178eb9645fb895110d63af1d9e2c1
Instruction Fuzzy Hash: 0811A032358BC0E7F7448B36EA987E933A0FB04384F40A124C64982AD1EFB9D0B4DB10

Function 000001C739660E80 Relevance: 7.0, Strings: 5, Instructions: 747COMMON

Download Yara Rule

Strings

filename, xrefs: 000001C73966142E
directory_iterator::directory_iterator, xrefs: 000001C739661AE2, 000001C739661B32
content, xrefs: 000001C7396614E6
status, xrefs: 000001C739661AF8, 000001C739661B0E
exists, xrefs: 000001C739661AC6

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: __std_fs_convert_wide_to_narrow$__std_fs_code_page
String ID: content$directory_iterator::directory_iterator$exists$filename$status
API String ID: 3645842244-3429737954
Opcode ID: f30eec152143fa0412340cf40cf541fdb62fc3ec70d76ca43c29547f108ae1f6
Instruction ID: 81feaf1244ef6db6fad36e1da27a46d9dc98e188652da8f3162e451f29a816f3
Opcode Fuzzy Hash: f30eec152143fa0412340cf40cf541fdb62fc3ec70d76ca43c29547f108ae1f6
Instruction Fuzzy Hash: 8A727072746BC0D9EB219F35D8807EE6360F789798F046212DA9D47AD9EFB4C684DB00

Function 000001C7396DA44F Relevance: 6.4, Strings: 5, Instructions: 198COMMON

Download Yara Rule

Strings

1#SNAN, xrefs: 000001C7396DA4C2
1#INF, xrefs: 000001C7396DA4DB
W$, xrefs: 000001C7396DA530
1#QNAN, xrefs: 000001C7396DA4CB
1#IND, xrefs: 000001C7396DA49F

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$W$
API String ID: 3215553584-4287779413
Opcode ID: e914ef83dae64b72f50003c00f300a4745ddd1fbbdf1c541f482026cce5ebf66
Instruction ID: 8a21a840319e1e393905c6ff16ef7c9dc9fda9884e96692314690c9c9960011b
Opcode Fuzzy Hash: e914ef83dae64b72f50003c00f300a4745ddd1fbbdf1c541f482026cce5ebf66
Instruction Fuzzy Hash: 6B71167376E2C1CBF7608F78D944FED72A1B380394F0467259A298AAC5DABCD554AF00

Function 000001C7396C9038 Relevance: 6.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 000001C7396C908F
GetSystemInfo.KERNEL32 ref: 000001C7396C90A8
VirtualAlloc.KERNEL32 ref: 000001C7396C9116
VirtualProtect.KERNEL32 ref: 000001C7396C9131

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: 6131e7ac5c004b666fb02de1823fa69e50ababb2f1d6eff18536aed83fe204ab
Instruction ID: cd93ab03a155d514ace3dda96126c67e6d75b2192886f99522612fe57eaf1f9c
Opcode Fuzzy Hash: 6131e7ac5c004b666fb02de1823fa69e50ababb2f1d6eff18536aed83fe204ab
Instruction Fuzzy Hash: D8315A32355AC0DEEB60CF32D858BD933A5F748B88F945025AA4D47B88DF78D645DB40

Function 000001C7396D36A8 Relevance: 5.5, APIs: 3, Instructions: 1005COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001C7396D3ADE
_get_daylight.LIBCMT ref: 000001C7396D3B79
_get_daylight.LIBCMT ref: 000001C7396D3B92

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID:
API String ID: 1286766494-0
Opcode ID: 91154ea289c3556cf103cf6e37fc2ba0624cd5322ab1aec8ddf48183395d8b30
Instruction ID: 434f1c4ecf1d6020e89df916d0a77ef7b0f0314a6886107f774d3664d5a6f285
Opcode Fuzzy Hash: 91154ea289c3556cf103cf6e37fc2ba0624cd5322ab1aec8ddf48183395d8b30
Instruction Fuzzy Hash: 6692E03334A6C0C6F7648F249950FEA77A1F785788F14A116EB9907BD4DBB9C920EB00

Function 000001C7396EB170 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32 ref: 000001C7396EB196
FormatMessageA.KERNEL32 ref: 000001C7396EB1C9

Strings

!x-sys-default-locale, xrefs: 000001C7396EB189

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: e9313e5009c165bfc27bb14f9f63cf4f23352891cc12b2974ad7925588fd8796
Instruction ID: 5ceff45626b221d8ec3c18a801aeaf3f7ee54c592de8182e8378923d4b84e1c1
Opcode Fuzzy Hash: e9313e5009c165bfc27bb14f9f63cf4f23352891cc12b2974ad7925588fd8796
Instruction Fuzzy Hash: 6B01C072B597C5C2F7118B23B944BEA67A2F3847D4F549019DA8546BD8CBBCC505DF00

Function 000001C7396C3150 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 000001C7396C31B6
memcpy_s.LIBCPMT ref: 000001C7396C31E1

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: eb07a1fe8bff8429000d82fc6708e1dd14e73367c47fa60bb37c8b50ad77a0f3
Instruction ID: ca730110d4698019266289fc6b67dbb7a41e5b5f6e0c16b2818f7f9d23b264f3
Opcode Fuzzy Hash: eb07a1fe8bff8429000d82fc6708e1dd14e73367c47fa60bb37c8b50ad77a0f3
Instruction Fuzzy Hash: 89C1F67235A6C5C7EB24CF19A184FAAB791F3D4B84F44A125EB8A43784DB79E801DF40

Function 000001C7396D90C8 Relevance: 4.7, APIs: 3, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 000001C7396C9EEC: GetLastError.KERNEL32 ref: 000001C7396C9EFB
Part of subcall function 000001C7396C9EEC: FlsGetValue.KERNEL32 ref: 000001C7396C9F10
Part of subcall function 000001C7396C9EEC: SetLastError.KERNEL32 ref: 000001C7396C9F9B

Part of subcall function 000001C7396C9EEC: FlsSetValue.KERNEL32 ref: 000001C7396C9F31

GetLocaleInfoW.KERNEL32 ref: 000001C7396D9134

Part of subcall function 000001C7396BFBA0: _invalid_parameter_noinfo.LIBCMT ref: 000001C7396BFBBD

GetLocaleInfoW.KERNEL32 ref: 000001C7396D917D

Part of subcall function 000001C7396BFBA0: _invalid_parameter_noinfo.LIBCMT ref: 000001C7396BFC16

GetLocaleInfoW.KERNEL32 ref: 000001C7396D9245

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
String ID:
API String ID: 1791019856-0
Opcode ID: 8cdfe7f1b5fd9999da327c4f4609675d5690c7bae2d768c40d9912784c01383a
Instruction ID: f08f8623a71c7bb56a2645b76036ef7a995ec76260fc39f26a08cfc4f5e2f95a
Opcode Fuzzy Hash: 8cdfe7f1b5fd9999da327c4f4609675d5690c7bae2d768c40d9912784c01383a
Instruction Fuzzy Hash: 0561E43335A5C1CAFB389F11E450BD973A0F785744F40A125CBAA936D1DBB8C960EB40

Function 000001C7396A63A6 Relevance: 4.4, Strings: 3, Instructions: 653COMMON

Download Yara Rule

Strings

port, xrefs: 000001C7396A705F
J6KaSE6Y5swJBj5qyqZERIJmoo+GSB9PlnEIJmv6IIw=, xrefs: 000001C7396A6449
9CFB+Po9DpY=, xrefs: 000001C7396A64D1

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID: 9CFB+Po9DpY=$J6KaSE6Y5swJBj5qyqZERIJmoo+GSB9PlnEIJmv6IIw=$port
API String ID: 0-725166717
Opcode ID: f316646787d667b8072cdd7a8fcb79ee19e466cfe6a9efe0cddc3a82f20fcf11
Instruction ID: 82363edb3fce3921b1e26e9f457a5ab4502aef02e59a6b20ae0755085d60e657
Opcode Fuzzy Hash: f316646787d667b8072cdd7a8fcb79ee19e466cfe6a9efe0cddc3a82f20fcf11
Instruction Fuzzy Hash: 78725CB2A69BC485EA60CB25E4807DEB3A4F7D9784F106215EBDD13B99DF78C194CB00

Function 000001C739667E70 Relevance: 3.9, Strings: 2, Instructions: 1357COMMON

Download Yara Rule

Strings

Software, xrefs: 000001C7396682ED, 000001C7396684BB
exists, xrefs: 000001C739669441

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID: Software$exists
API String ID: 0-2364128853
Opcode ID: daf6997a3a81bd7575cafc7705065caf9c66920104c211eaf9b93bae9b824f10
Instruction ID: 29debb2c2d193f7b29e2e8e44daf06711e8ffa5f19e2e3329d52957c548fe60c
Opcode Fuzzy Hash: daf6997a3a81bd7575cafc7705065caf9c66920104c211eaf9b93bae9b824f10
Instruction Fuzzy Hash: F7D27B72A56BC4CAEB208F39D8807DD63B0F789798F106216EA9D17BD9DBB4C580D740

Function 000001C739681AF0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001C739681D4E

Strings

parse_error, xrefs: 000001C739681B7E

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: __std_exception_copy
String ID: parse_error
API String ID: 592178966-3903021949
Opcode ID: 653ba6b9aa7c75b26e90525dd8df4df141d6623977199b8b16f0a9420aade07e
Instruction ID: fd11c0449800d143f6696b2974801137d07999a4d21e20e6ba373c2232032cee
Opcode Fuzzy Hash: 653ba6b9aa7c75b26e90525dd8df4df141d6623977199b8b16f0a9420aade07e
Instruction Fuzzy Hash: 64A1B073B59BC0C9FB10CB74E8447ED6361F749798F106601EAAC16ADADBB8C190D740

Function 000001C7396CE020 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 000001C7396CE094

Strings

GetLocaleInfoEx, xrefs: 000001C7396CE03C, 000001C7396CE04D

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 099550578a3a416ea78b7fa52ed638fc0f733537aeae7f3447c0ea0cdfd8c17a
Instruction ID: b652e49724500457bbab9fbfe5fcfc4beb0f2965bf2fd5005c79944ba92e6e6c
Opcode Fuzzy Hash: 099550578a3a416ea78b7fa52ed638fc0f733537aeae7f3447c0ea0cdfd8c17a
Instruction Fuzzy Hash: 8701DB313487C0C5FB849B66B804BCAA760F784BC0F545026EE49037D9CE78C901DF80

Function 000001C7396AC8E0 Relevance: 3.4, APIs: 2, Instructions: 391COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000001C7396AC943
ShellExecuteW.SHELL32 ref: 000001C7396ACF8A

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ExecuteFileModuleNameShell
String ID:
API String ID: 1703432166-0
Opcode ID: 53ba8509922fbb2302b2420265a5629d0185c4f01961b16a63050ef51b8b9187
Instruction ID: fa87b60c75ce63617cc05ddd4b447a5fa85611b8542f39a3ca8989dd2e88c84e
Opcode Fuzzy Hash: 53ba8509922fbb2302b2420265a5629d0185c4f01961b16a63050ef51b8b9187
Instruction Fuzzy Hash: 8A122B72629FC48AEB408F29E88069EB3B5F788794F506215FEDD57B59EB78C150CB00

Function 000001C7396A8020 Relevance: 3.2, APIs: 2, Instructions: 248COMMON

Download Yara Rule

APIs

BCryptDecrypt.BCRYPT ref: 000001C7396A81E0

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: CryptDecrypt
String ID:
API String ID: 2620231605-0
Opcode ID: ffb90c0deaadf8fab460160718a8add39ec1a0efb173911a83ea7fb66f1e1482
Instruction ID: 83b6319f75d81f5a58e48cfb574eb86cd76296ecc6f8578dd6505ff430a33249
Opcode Fuzzy Hash: ffb90c0deaadf8fab460160718a8add39ec1a0efb173911a83ea7fb66f1e1482
Instruction Fuzzy Hash: 3AB18CB2B49BC0DAF710CBA1E4547AD37B1F354788F00A216DE4807B99DBB9C599EB40

Function 000001C7396D14E4 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000001C7396D1733
RaiseException.KERNEL32 ref: 000001C7396D1744

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 7fa2203b5ce5cf4252278981a869295bf258e597fb1a3e488d01a74adacce12a
Instruction ID: 7faf8149410e8a7167833b3eddd8e41d1ced37d72d5b31d2eab4a289681a509c
Opcode Fuzzy Hash: 7fa2203b5ce5cf4252278981a869295bf258e597fb1a3e488d01a74adacce12a
Instruction Fuzzy Hash: 96B15C73605BC8CBEB19CF29C8467997BA0F344B48F1A9911DB69837A4CBB9C461DB00

Function 000001C7396DC128 Relevance: 3.2, APIs: 2, Instructions: 208COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001C7396DC1CD
_invalid_parameter_noinfo.LIBCMT ref: 000001C7396DC38F

Part of subcall function 000001C7396CDA30: HeapAlloc.KERNEL32 ref: 000001C7396CDA85

Part of subcall function 000001C7396CD3C8: HeapFree.KERNEL32 ref: 000001C7396CD3DE
Part of subcall function 000001C7396CD3C8: GetLastError.KERNEL32 ref: 000001C7396CD3E8

Part of subcall function 000001C7396DD894: _invalid_parameter_noinfo.LIBCMT ref: 000001C7396DD8C7

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast_invalid_parameter_noinfo$AllocFree
String ID:
API String ID: 749460637-0
Opcode ID: 27640a1b4452658f619c330b6942f42c57ed7cbddb1e0b5935f25c2a2fe2ad05
Instruction ID: c5a144c1dfa81fd4d5ed79478592582ec4e198bc2b4c122325b4c628d63fa35e
Opcode Fuzzy Hash: 27640a1b4452658f619c330b6942f42c57ed7cbddb1e0b5935f25c2a2fe2ad05
Instruction Fuzzy Hash: 1061273334A7C582F7219FA6A811FDEB291BB89BC0F446126AE59477C5EE7CC411AF00

Function 000001C7396B6540 Relevance: 3.2, APIs: 2, Instructions: 187COMMON

Download Yara Rule

APIs

EnumDisplayDevicesW.USER32 ref: 000001C7396B6657
EnumDisplayDevicesW.USER32 ref: 000001C7396B66FB

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: DevicesDisplayEnum
String ID:
API String ID: 2211661463-0
Opcode ID: 827fb27ad816d797e1777e452a125aeabd65cc05f21a4bf75e642c7f391f34f0
Instruction ID: 102dc38a890dd41c46fc06a4e736dbe85a48e20b78014e85267c659b0b8abacb
Opcode Fuzzy Hash: 827fb27ad816d797e1777e452a125aeabd65cc05f21a4bf75e642c7f391f34f0
Instruction Fuzzy Hash: 8281BF32659BC486F720CF25E844B9E77A5F388798F506215EE9C17B99EFB8C180DB00

Function 000001C739667C20 Relevance: 3.1, APIs: 2, Instructions: 145encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 000001C739667CAD
LocalFree.KERNEL32 ref: 000001C739667D3F

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: e5ab141507f50c8ebdb7aa3974e8257db878963fbb0c327beb84f8c8041dff33
Instruction ID: 86458088b32adb337f94e25295bb05f4c3f857f69c087a4f4ec90330b8879e9b
Opcode Fuzzy Hash: e5ab141507f50c8ebdb7aa3974e8257db878963fbb0c327beb84f8c8041dff33
Instruction Fuzzy Hash: D5617672B59BC0CAF7109F78E4407DC73B1F74878CF00A215EA8916ACADBB8D5A4A740

Function 000001C7396A7EC0 Relevance: 3.1, APIs: 2, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CryptProtectData.CRYPT32 ref: 000001C7396A7F18
LocalFree.KERNEL32 ref: 000001C7396A7FAA

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalProtect
String ID:
API String ID: 2714945720-0
Opcode ID: a2378fc87af65e51448867ee86bab5adaeca8e4500ced070fe446fae58ae31d0
Instruction ID: 1d3da02e3fade8fe3748f2301ffccd32d738ff5aca3500c6566262be891aa8ee
Opcode Fuzzy Hash: a2378fc87af65e51448867ee86bab5adaeca8e4500ced070fe446fae58ae31d0
Instruction Fuzzy Hash: 21414733758BC0CAF3208F34E4407DD37A4F75978CF045229AA8906E8ADBB9C6A4D744

Function 000001C7396A8B00 Relevance: 3.0, Strings: 2, Instructions: 529COMMON

Download Yara Rule

Strings

+, xrefs: 000001C7396A917F
%, xrefs: 000001C7396A9164

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID: %$+
API String ID: 0-2626897407
Opcode ID: 86d806df11e77f488857027665d1a15b4006e6d835af8d49869e33f857c79efe
Instruction ID: e21c32ec205160c9af7fe896a57a1911a747a5fcd5168e5e93aaecbab3baeb8f
Opcode Fuzzy Hash: 86d806df11e77f488857027665d1a15b4006e6d835af8d49869e33f857c79efe
Instruction Fuzzy Hash: 3F2255B3B59AC0CAFB20CB65E4407ED67A2F754788F046225EE4917BC9DB78C845DB40

Function 000001C7396D46E4 Relevance: 2.9, Strings: 2, Instructions: 358COMMONLIBRARYCODE

Download Yara Rule

Strings

am/pm, xrefs: 000001C7396D4993
a/p, xrefs: 000001C7396D49FE

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID: a/p$am/pm
API String ID: 0-3206640213
Opcode ID: 3aa2d18b96f53096dafde024e84d8e74b450cb229927da4525f6c74ea8e41481
Instruction ID: 305096078e0bb2481308f97da10b0d203a9f3394ea6afb6b3449e6ce21fb00de
Opcode Fuzzy Hash: 3aa2d18b96f53096dafde024e84d8e74b450cb229927da4525f6c74ea8e41481
Instruction Fuzzy Hash: BEE1CF3378E2C0C3F7648F269194FE9A3A4F765784F556102EA6907AC4DBB9CD60EB00

Function 000001C739660A80 Relevance: 2.7, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

dumps, xrefs: 000001C739660AC8
emoji, xrefs: 000001C739660AF0

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID: dumps$emoji
API String ID: 0-2873254224
Opcode ID: 9c1d1d90ca4f88bc8268b0322e863aaa792dfa8aa99b6ae742cb4d4f1446b717
Instruction ID: 8f1aad032a23cc3f13c6ecc9b7e2fb3bd49dd44391aaf7f3be89466683c6bdc2
Opcode Fuzzy Hash: 9c1d1d90ca4f88bc8268b0322e863aaa792dfa8aa99b6ae742cb4d4f1446b717
Instruction Fuzzy Hash: 88B10A32A69FC4C6E761CB25E88069AB7B4F799788F106315FACD13B59DB78D250CB00

Function 000001C739690AC0 Relevance: 2.0, APIs: 1, Instructions: 470COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000001C739690B3B

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 3cbd72d19943a486e26b0a9fd66c3d9a41c0dc93c9b9484a7a8f646326bd30e0
Instruction ID: d5ea91a0e8b8ba2e2f1bb674aef29f0901621ba7cd5851e219e84266b9e54551
Opcode Fuzzy Hash: 3cbd72d19943a486e26b0a9fd66c3d9a41c0dc93c9b9484a7a8f646326bd30e0
Instruction Fuzzy Hash: CA02A97274ABC4C6FB109FA1E4407EE63A1F348B98F14A212DEAC577C9DAB4C495D780

Function 000001C7396D6A68 Relevance: 1.9, APIs: 1, Instructions: 373COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 000001C7396D6BB0

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 90946a6b15058c528e056b8d8cd1a92ef4f6d2102c32f556ef9c06fc4cf9f037
Instruction ID: d8619be53aad3546368cfc4714a07785e581f41ae041bcc5497f421b43dcbd1e
Opcode Fuzzy Hash: 90946a6b15058c528e056b8d8cd1a92ef4f6d2102c32f556ef9c06fc4cf9f037
Instruction Fuzzy Hash: 1012DC73A09BC0C6E751DF389414BED73A4F759788F05A226EF9883692EBB4D194DB00

Function 000001C7396D71D8 Relevance: 1.8, APIs: 1, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c78c0f44f628b309bf0bf25ef07213807af04e49cf24dc8ac6838a16b865059
Instruction ID: 00f74916741fb26deca9ac3b2464cafa70f84891cbb32a02b5b6b1fd9ba02546
Opcode Fuzzy Hash: 1c78c0f44f628b309bf0bf25ef07213807af04e49cf24dc8ac6838a16b865059
Instruction Fuzzy Hash: 9DE19B33709BC486F720DB61E851AEE63A0F395788F4056229F9D53B92EFB8C255DB00

Function 000001C73968C0F0 Relevance: 1.7, APIs: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000001C73968C40B

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: ba6e798b33c31b8babce7982aa7647becf1fe59b5221b68f800a875ca2996f14
Instruction ID: e2f479895337ecdd67daa4302455400664281e5d5db96483c4599f33bc2d572e
Opcode Fuzzy Hash: ba6e798b33c31b8babce7982aa7647becf1fe59b5221b68f800a875ca2996f14
Instruction Fuzzy Hash: 87A1643270ABD8CAFB008BA9D4907EC67B0F359B48F549416CF8A53B89DBB8C091D740

Function 000001C73968BAB0 Relevance: 1.7, APIs: 1, Instructions: 221COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000001C73968BDC4

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: baf6e9e96fe520b1ae0ed223b090e5a862bb2f1c033f3b610d442a665e70a209
Instruction ID: f77fd5b983a3f4e06ae1b727799afad4cc350e67eb7b9c7ce814eea1072aece3
Opcode Fuzzy Hash: baf6e9e96fe520b1ae0ed223b090e5a862bb2f1c033f3b610d442a665e70a209
Instruction Fuzzy Hash: CDA1533271ABD9C9FB008BB9D4807ECA7B0B359B48F54941ADF9953B99DBB8C091D700

Function 000001C73968BDD0 Relevance: 1.7, APIs: 1, Instructions: 221COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000001C73968C0E4

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 5cb10daa61662d329f4250f63d098788e26d55cfe5581d75d93aa113efba7348
Instruction ID: 61abbd9788489008d6e9dea26f9082f103f0d497572860f8df371e7cb5ea1190
Opcode Fuzzy Hash: 5cb10daa61662d329f4250f63d098788e26d55cfe5581d75d93aa113efba7348
Instruction Fuzzy Hash: C2A1643271ABD9C9FB00CBA9D4807EC67B0B358B88F54941ADF8953B85DBB9C091D740

Function 000001C73968B780 Relevance: 1.7, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000001C73968BAA9

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: e35d31433939dc0543c08c43d2f0dc283812906ada797f849c1cd6b06b58ce4c
Instruction ID: 56d5ab4f6baf4223f509f35156e9d470213ae5c1928cab8498b62c57806408fe
Opcode Fuzzy Hash: e35d31433939dc0543c08c43d2f0dc283812906ada797f849c1cd6b06b58ce4c
Instruction Fuzzy Hash: C0A1533271ABD9C9FB008BA9E4807AC67B0F359788F54951ADF8917B99DBB8C091D700

Function 000001C73968B480 Relevance: 1.7, APIs: 1, Instructions: 214COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000001C73968B778

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 4b8af6986515120270ba365742b96f2dd5aa66236f7c22f50c2dfd717eb9943c
Instruction ID: 7e23b86761aa5514d3331f420d72dd38abadfa1fb34bf37412edbda24f7a2e3b
Opcode Fuzzy Hash: 4b8af6986515120270ba365742b96f2dd5aa66236f7c22f50c2dfd717eb9943c
Instruction Fuzzy Hash: A7A1427271ABD9C9FB008B69D4807ECA7B0B358B48F54941ACF9957B99DBB8C091D700

Function 000001C73968C420 Relevance: 1.7, APIs: 1, Instructions: 210COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000001C73968C718

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 92ccbd0a8e0b9bab8b316c06ea776526206f989eac8567461fb4490da54086ea
Instruction ID: df73f006d4400fb55ab876a22c7450fb5c3647b068c26bf2fbe1068693595909
Opcode Fuzzy Hash: 92ccbd0a8e0b9bab8b316c06ea776526206f989eac8567461fb4490da54086ea
Instruction Fuzzy Hash: 60A1547271ABD8C9FB008B69D4807EC67B0F359B88F54A426CF8A57B95DB78C091D740

Function 000001C7396D9310 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 000001C7396C9EEC: GetLastError.KERNEL32 ref: 000001C7396C9EFB
Part of subcall function 000001C7396C9EEC: FlsGetValue.KERNEL32 ref: 000001C7396C9F10
Part of subcall function 000001C7396C9EEC: SetLastError.KERNEL32 ref: 000001C7396C9F9B

Part of subcall function 000001C7396C9EEC: FlsSetValue.KERNEL32 ref: 000001C7396C9F31

GetLocaleInfoW.KERNEL32 ref: 000001C7396D9378

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ErrorLastValue$InfoLocale
String ID:
API String ID: 673564084-0
Opcode ID: d3f265d93177da05e9e3079d3dae9c7822de4fa7ba26229b0f968e85ede82faf
Instruction ID: 5f22c0c25334f35117ee174a939fd53e0fd0aee6e59bc0f2f061c90ab3d6e8d4
Opcode Fuzzy Hash: d3f265d93177da05e9e3079d3dae9c7822de4fa7ba26229b0f968e85ede82faf
Instruction Fuzzy Hash: 5531813234A6C1C6FB68CB26E451BDA73A0FB88784F40A1259A59C33D5DBB8DC20DF40

Function 000001C739656510 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

QN , xrefs: 000001C739656877

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID: QN
API String ID: 0-3349929942
Opcode ID: 4adeaebae40e5ff169471ee5d4a8d23a557c17ee84dec89bc840266fd6fece81
Instruction ID: 2b57e73fb81c98b3a7f5def741fa8f20400ae1bb6d127d9c8b8d8b9e752bf415
Opcode Fuzzy Hash: 4adeaebae40e5ff169471ee5d4a8d23a557c17ee84dec89bc840266fd6fece81
Instruction Fuzzy Hash: 4C02C532A15FC489E7628F39E8813D977A4F7AD788F105315EACC26B59EBB4C294C740

Function 000001C7396D9518 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 000001C7396C9EEC: GetLastError.KERNEL32 ref: 000001C7396C9EFB
Part of subcall function 000001C7396C9EEC: FlsGetValue.KERNEL32 ref: 000001C7396C9F10
Part of subcall function 000001C7396C9EEC: SetLastError.KERNEL32 ref: 000001C7396C9F9B

GetLocaleInfoW.KERNEL32 ref: 000001C7396D954F

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocaleValue
String ID:
API String ID: 3796814847-0
Opcode ID: 8a450860209e15821de9f16c01ed0612a725223f9a4b72f88eafb3edea00904a
Instruction ID: 03ead65ddbf0f6a713142627d0cd1b8ed05067fb8cccfec339f8f34ea4d08daf
Opcode Fuzzy Hash: 8a450860209e15821de9f16c01ed0612a725223f9a4b72f88eafb3edea00904a
Instruction Fuzzy Hash: 2011363371A6D1C3FB788725A040FAE72A0F744768F54A631E676437C4D6A6CCA1AB00

Function 000001C7396D9030 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001C7396C9EEC: GetLastError.KERNEL32 ref: 000001C7396C9EFB
Part of subcall function 000001C7396C9EEC: FlsGetValue.KERNEL32 ref: 000001C7396C9F10
Part of subcall function 000001C7396C9EEC: SetLastError.KERNEL32 ref: 000001C7396C9F9B

EnumSystemLocalesW.KERNEL32 ref: 000001C7396D90AE

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 0c241287891358d20c5c1590d81d3974ae3e0a48a457f3cbc01ffa927b921278
Instruction ID: 87feebbf1e7ae0f89835ca644ec0729f603d6acb012c31dbed88cdd6529e2a90
Opcode Fuzzy Hash: 0c241287891358d20c5c1590d81d3974ae3e0a48a457f3cbc01ffa927b921278
Instruction Fuzzy Hash: 41019E73B4A2C086FB504B26F440BE976A5F740BE4F45A225D675472D8CAA5C891AB40

Function 000001C7396A83C0 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

BCryptCloseAlgorithmProvider.BCRYPT ref: 000001C7396A83D9

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: AlgorithmCloseCryptProvider
String ID:
API String ID: 3378198380-0
Opcode ID: 49199a7b450c9eb7a7ff019c32b2f0410d7fec76f95d2745a03cb4b994c7e0bf
Instruction ID: fc4050c30cd1e077e7ec61f0cc5e0f6db5fe68b0770a68dc2c07a065764a96f3
Opcode Fuzzy Hash: 49199a7b450c9eb7a7ff019c32b2f0410d7fec76f95d2745a03cb4b994c7e0bf
Instruction Fuzzy Hash: 4F01C2F2706BC4C1FB189F20E4487AD6361F744F88F946410DA8C066D9DFBDC894A780

Function 000001C7396A4ED0 Relevance: 1.5, APIs: 1, Instructions: 34comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 000001C7396A4EFD
CoSetProxyBlanket.OLE32 ref: 000001C7396A4F52

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: BlanketCreateInstanceProxy
String ID:
API String ID: 1899829610-0
Opcode ID: 2a748104746341ed97ab40e79a34ba82f2b1b9ea6c233eef14ea9e1a067c94f4
Instruction ID: 1dd9f572af900e147b9e63f89b9083260367eabbb2845918f2848dfcc2efaab0
Opcode Fuzzy Hash: 2a748104746341ed97ab40e79a34ba82f2b1b9ea6c233eef14ea9e1a067c94f4
Instruction Fuzzy Hash: DF01AD72B4AAC4CBFB22DB65E8017ED63A0B788758F4021168F4943A94EF78C195DB40

Function 000001C7396CDAE0 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32 ref: 000001C7396CDB2F

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 17140df511fe09419b9fc83be2d2c34c2fb9fdba42dd4bc62a26aeb66c77a399
Instruction ID: 1a5a46ffda36352c4ab8c104c433a93df3f894add48c2ecb35f2db208ce7f3a9
Opcode Fuzzy Hash: 17140df511fe09419b9fc83be2d2c34c2fb9fdba42dd4bc62a26aeb66c77a399
Instruction Fuzzy Hash: 07F01D72348AC083F654DB25F894AD96366F798B80F54A025EA89833E5CE7CC491DB40

Function 000001C7396C840C Relevance: 1.5, APIs: 1, Instructions: 28timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001C7396C8420

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Time$FileSystem
String ID:
API String ID: 2086374402-0
Opcode ID: 0313ca540423402b24a5e7d9dd0e4952f66ee95e8b7b4026d8869da447446bf6
Instruction ID: f300f08c353304aa0e28207534777ba7a157fca199700eb60e956e67ea031ab4
Opcode Fuzzy Hash: 0313ca540423402b24a5e7d9dd0e4952f66ee95e8b7b4026d8869da447446bf6
Instruction Fuzzy Hash: FEF0A7E1B296C843FE648756A8147949281AB5CBF4F04B321BD7D4E7D9EA6CD1509B00

Function 000001C7396C6164 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

, xrefs: 000001C7396C6346

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d56b133698f6429a15668cf33a50c2b0452d3e907794045ce25e286071ddca93
Instruction ID: 9cef7b8940bc69e640cbe3ffe05006081f53cb278321202d39f41e78a01f9950
Opcode Fuzzy Hash: d56b133698f6429a15668cf33a50c2b0452d3e907794045ce25e286071ddca93
Instruction Fuzzy Hash: DDB18C7224AAC5C5F7649F29C0507AC3BA0F349B48F28A116EA8A473D5CBB6C441EF09

Function 000001C7396583D0 Relevance: .8, Instructions: 795COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0538767b6b45461ea7b05e4291f3168d71c376be44ab5dc851c2711e80cf8c7
Instruction ID: 6032676b57e0c38d5c2dd96f5f5cac10a35f93baa5f7b81f9b6eb88a7f0b8809
Opcode Fuzzy Hash: d0538767b6b45461ea7b05e4291f3168d71c376be44ab5dc851c2711e80cf8c7
Instruction Fuzzy Hash: 47A27136615FD88AD7418FAAEC8129D73B6F748BA8B101619EECC57F18EBB4C164C740

Function 000001C739655520 Relevance: .8, Instructions: 792COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c4c7207ea6a419ef9af4ce966c2ec0be510390b1c048bb3359dfc566466103
Instruction ID: 003c8d97b7ae6ce1ded0c6f85f07bcb40d856fe51920d66043a1b4c4d48a74a9
Opcode Fuzzy Hash: b9c4c7207ea6a419ef9af4ce966c2ec0be510390b1c048bb3359dfc566466103
Instruction Fuzzy Hash: CC921832519BC88AE7718F35E8812DAB7A8F79D788F105315EACC16B59EB78C354CB04

Function 000001C739692750 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8ff783da37649173626c7f7158936b22345755ff077d27462f74136c1878ba
Instruction ID: 94f8d55437dfddb863bff4878eb73bd9c69748a66628cc697df15eb4d08f5283
Opcode Fuzzy Hash: ff8ff783da37649173626c7f7158936b22345755ff077d27462f74136c1878ba
Instruction Fuzzy Hash: 73C1267372A6D487E756CF12DA44AA9B7A2F3D4BE4F45D121DE4B07B88C678C806DB00

Function 000001C739636610 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4fd57fe6ace2630e0dee712b945ecfd2c3c6af56c838e34914156fb33ae9af1
Instruction ID: 758580e854d6f78a0586cb4cc5395bf450b2dbcf08bc4d947bbcb03da7b476ec
Opcode Fuzzy Hash: b4fd57fe6ace2630e0dee712b945ecfd2c3c6af56c838e34914156fb33ae9af1
Instruction Fuzzy Hash: F412E932619FC889E7708F29E88179AB7A4F78D788F505315EACC57B59EB78C250CB04

Function 000001C7396A5AB0 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34fb1097c6f2363caac24c1e5b45ae24c1a6ca50cb597d280e611698873f3a91
Instruction ID: 1a52b05a9ee9787a58b4c64f3098f1e0f08d6ac73c9935cea3a885bea3174a14
Opcode Fuzzy Hash: 34fb1097c6f2363caac24c1e5b45ae24c1a6ca50cb597d280e611698873f3a91
Instruction Fuzzy Hash: BAC1C3B3A146948BE355CF2DD40195D7BE0F398B84F40A629EB56C3B01E778E9A5CF80

Function 000001C7396CA924 Relevance: .3, Instructions: 309COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
String ID:
API String ID: 4023145424-0
Opcode ID: a2379e98abae736fe33e8b4f9fedcc0141c51f1be06055089ccb01d873b85599
Instruction ID: c77c5d72949d0b35cfdacc647bda042276a6719ea7ead139150640275e80d165
Opcode Fuzzy Hash: a2379e98abae736fe33e8b4f9fedcc0141c51f1be06055089ccb01d873b85599
Instruction Fuzzy Hash: 9FC1E27234A6C4C6FB609B62DD10BEA27A0F794788F406016FEC9876D4EBB8C545EF00

Function 000001C7396C0D14 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9192222adae4e2f0070c299c0844eec1f899de7045819fce69bb7a8004539528
Instruction ID: ed780b5e27d6a16221d1cf2417c1f6f110eb0a5b97213f2c7c8cbfbb0e600355
Opcode Fuzzy Hash: 9192222adae4e2f0070c299c0844eec1f899de7045819fce69bb7a8004539528
Instruction Fuzzy Hash: A591583639EAC4C6FF684E299050BFA2690B754784F052629FDEA877C5DAB8C445FF00

Function 000001C7396C666C Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c2dc1868310f7be340402d514fcc5ddbcaaf30b09b4b1a75e66e521b583746
Instruction ID: 11ae9929738c0c84ee75cb7312c3642b0edcad3be6fcdd7a716881194b2b83aa
Opcode Fuzzy Hash: f0c2dc1868310f7be340402d514fcc5ddbcaaf30b09b4b1a75e66e521b583746
Instruction Fuzzy Hash: FAC1DA3274A6C2C6FB28AF29C400BAD37A0F305B4CF246215EE99176D5CBB5C845EF58

Function 000001C7396D8674 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ErrorLast$Value_invalid_parameter_noinfo
String ID:
API String ID: 1500699246-0
Opcode ID: 468b93f19c7ca54f8d79ce9aecab092ca155e8bca1880fa3cbddf3014db9fedd
Instruction ID: c587a46bc093e433f2e00c9e3b01eadd7faffd98523b90c0ae2e199aad6f2f43
Opcode Fuzzy Hash: 468b93f19c7ca54f8d79ce9aecab092ca155e8bca1880fa3cbddf3014db9fedd
Instruction Fuzzy Hash: 3BB1DE3375A6C4C2FB64DB25D415FEA33A0F394B88F407221DA65836D9DBB8C961EB40

Function 000001C7396C8D50 Relevance: .2, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6b2222bd4161aa0df81311004b32476a3e68bf497272c3efca11fb2e46f97a06
Instruction ID: 6530b1e43f059ff1fe350ac44e028a1fca8a617c1c18a08a732f8732eb28628e
Opcode Fuzzy Hash: 6b2222bd4161aa0df81311004b32476a3e68bf497272c3efca11fb2e46f97a06
Instruction Fuzzy Hash: FD819D32346AD0C6FB608E25D491BAD23A0F784BD8F546626EEAE877C5CF74C4519B40

Function 000001C739684720 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8096616a82d0af589e55529d9e21aaaddb0a4067eb04550f42ec58ec897b5e0e
Instruction ID: 93eca722809c6087115eddf7978457c9839348895c39330c9e4e159420c059bf
Opcode Fuzzy Hash: 8096616a82d0af589e55529d9e21aaaddb0a4067eb04550f42ec58ec897b5e0e
Instruction Fuzzy Hash: EE61F372759BC8C2EE20CF29E0416E9A361F3597D4F54A211EB9D47B88EBB8D180C740

Function 000001C7396CF7E6 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd72482e03d17e0c267891211c2a08fffdf3b2de236a6c27577c882ac387638
Instruction ID: 51a377a5b1578cbe17181980d8970e5b62577469463bb720aceba94520a63b59
Opcode Fuzzy Hash: afd72482e03d17e0c267891211c2a08fffdf3b2de236a6c27577c882ac387638
Instruction Fuzzy Hash: C251E3727496C0C6FB74CB29A540BAAB6A4F346794F146226EADA43BD9D77CC500AF00

Function 000001C7396AE2F0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7793566db381314eb546dc80bc8305fe5b686d60ab428f09fdab42e14c231baf
Instruction ID: 479bd535c5b46ed893bf8c9262cf30cecfe9033a6f6f12ac0796da6894b1c403
Opcode Fuzzy Hash: 7793566db381314eb546dc80bc8305fe5b686d60ab428f09fdab42e14c231baf
Instruction Fuzzy Hash: 785104A3B056C443DB248B59F842B96F7A5FB987C5F00A126EE8D57B68EB3CD580C700

Function 000001C7396C5394 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8362b94cbf271fd23ce0d6965fdbbec26e6817efc2dd1af2fcdc0b4ee58872
Instruction ID: f5d10fd4ab42bbb0a73c1d656f52613785917d75e95c5c19fbe384d90b4e4e5e
Opcode Fuzzy Hash: ac8362b94cbf271fd23ce0d6965fdbbec26e6817efc2dd1af2fcdc0b4ee58872
Instruction Fuzzy Hash: DD51A03636E6D0C6F7248B29C860B9937A1F344B58F64A111EEC8477D4C7B2D852EF80

Function 000001C7396C5598 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45278502b4de115ed76afef2690a2838d0b28876f14c66dd069eb4612fa83dd3
Instruction ID: 9d3a39ea30eac40e863cadc18536f81f5926d57441e36c165a6c9ee0cfe5b757
Opcode Fuzzy Hash: 45278502b4de115ed76afef2690a2838d0b28876f14c66dd069eb4612fa83dd3
Instruction Fuzzy Hash: 2C51A23635E6D0C6F7248B29C964BA937A1F348B58F246111EE89477E4C7B6DC42EF80

Function 000001C7396C579C Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c3f90e6787dc6e65e60abd648d80575bcfa0207306300bab00d1ff848a11e7
Instruction ID: 65202fd72eb9b5b59e0a3fedef42706ac53bac6ea7eaabf01e036cb08e3ad942
Opcode Fuzzy Hash: c9c3f90e6787dc6e65e60abd648d80575bcfa0207306300bab00d1ff848a11e7
Instruction Fuzzy Hash: 8F516F3676E6E0C6F7248B29C460BA937A0F345B58F24A111EE89577D5C776C843EF80

Function 000001C7396DBB90 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: d05f01d9c7e6d1227e296b3139dc3c4d5665c446069bb1063acdd8e7d0dd9ca1
Instruction ID: 8d1abfd599cdc4959ef0067658021c43bad51c33a0eefc14d45bcc9cc767133c
Opcode Fuzzy Hash: d05f01d9c7e6d1227e296b3139dc3c4d5665c446069bb1063acdd8e7d0dd9ca1
Instruction Fuzzy Hash: 9D41D373315AD482FF14CF3AE9546A963A1B348FC0F19A026EE1D87B98DF79C0519700

Function 000001C739705008 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65fcb47a17adf94f373ff647ddafb07328eb1c747429ddd71517b78256354565
Instruction ID: 07d9d046c8f4a8e347cc0179f336805a1d82a10fcbed1067a44677152464bcd5
Opcode Fuzzy Hash: 65fcb47a17adf94f373ff647ddafb07328eb1c747429ddd71517b78256354565
Instruction Fuzzy Hash: 0DF0FFE7E9D6D45AF39256351C7E7CC1FA1E393B62F4D504A8A80837C390868816AA83

Function 000001C739705100 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca1e8b853f7558f9595e94e5ddecf88201e89c45e97ce19a5b62bf64d57d316
Instruction ID: a22944963be9923283c43175e2aced03e8b17a450a219aa4e4ebdaa83d968c80
Opcode Fuzzy Hash: cca1e8b853f7558f9595e94e5ddecf88201e89c45e97ce19a5b62bf64d57d316
Instruction Fuzzy Hash: A6F01DE7EEDEC416FBE292251CAEAA41F80E3B2744F5D50898A41573D378C989075A42

Function 000001C7397052E0 Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d53a79903260b7a4f0e6c71e7ffc168a0f2adb2b336afcda935cdf6e025e0c2f
Instruction ID: f75de79b73e823c7685ff61d2ffd62e1ffbf04bbb28456d5e630536034016fe9
Opcode Fuzzy Hash: d53a79903260b7a4f0e6c71e7ffc168a0f2adb2b336afcda935cdf6e025e0c2f
Instruction Fuzzy Hash: 09F0FFE7A9FED005F3E295351D3EA882ED1F7B1749B1D504A8B49033C3A4C1AC046B12

Function 000001C739705720 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8237b216de9d9a066abcd393a2c4069bfa76417ce4e254e20f0625e9b59a03dd
Instruction ID: d152a04f41bc5900a07a2b0b9dd38be59fc0175114b62e3565afae8252749ff9
Opcode Fuzzy Hash: 8237b216de9d9a066abcd393a2c4069bfa76417ce4e254e20f0625e9b59a03dd
Instruction Fuzzy Hash: 82E0925765E7D09EF3934A351C2D54C2FB0A7D2E9074E9097C780833C3D58D4C09AB22

Function 000001C7397053A0 Relevance: .0, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2580bbaa354115e7f20c0c041466b1133d77912a340e4dfa20e2b14a994162f
Instruction ID: dec61d348d876ac6587c3f73b5023902b0c5a359d518b5f576d28dab6ae8fc6d
Opcode Fuzzy Hash: c2580bbaa354115e7f20c0c041466b1133d77912a340e4dfa20e2b14a994162f
Instruction Fuzzy Hash: 8CE04FD7A8EBC419F39642701C3FA486ED16772B15B4CA08E8741037D3B4C86C00A712

Function 000001C7397052D0 Relevance: .0, Instructions: 5COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edd3a2eeda825b6b20b33a8d4304bb014d0de21dbcdcdd6f5120fd93b8e00f70
Instruction ID: 3e52525d39e57bbbd7167a3d2a5026f39e520ea7036a62e7442895414421d68b
Opcode Fuzzy Hash: edd3a2eeda825b6b20b33a8d4304bb014d0de21dbcdcdd6f5120fd93b8e00f70
Instruction Fuzzy Hash: 7DA002DBE99384ABCB1609700CE14E91F1679B2900395505EE351D33D3BC8D0A0B9522

Function 000001C739705660 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2399e545077be4c239cdb40de846485da12f3b9bab83b8262a0220d2cfdd1bc
Instruction ID: 8ce1e87cc5c7ca1878e14d3a9fd1ee2c8b6aee086471b09dfc4fcf91158af670
Opcode Fuzzy Hash: a2399e545077be4c239cdb40de846485da12f3b9bab83b8262a0220d2cfdd1bc
Instruction Fuzzy Hash:

Function 000001C7396A4A30 Relevance: 28.7, APIs: 19, Instructions: 177processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000001C7396A4A86
Process32FirstW.KERNEL32 ref: 000001C7396A4ACA
Process32NextW.KERNEL32 ref: 000001C7396A4ADF
OpenProcess.KERNEL32 ref: 000001C7396A4B1B
OpenProcessToken.ADVAPI32 ref: 000001C7396A4B42
GetTokenInformation.ADVAPI32 ref: 000001C7396A4B6E
GetLastError.KERNEL32 ref: 000001C7396A4B7C
GetTokenInformation.ADVAPI32 ref: 000001C7396A4BBC
ConvertSidToStringSidA.ADVAPI32 ref: 000001C7396A4BD3
CloseHandle.KERNEL32 ref: 000001C7396A4C46
CloseHandle.KERNEL32 ref: 000001C7396A4C51
CloseHandle.KERNEL32 ref: 000001C7396A4CB6
Process32NextW.KERNEL32 ref: 000001C7396A4CC3
CloseHandle.KERNEL32 ref: 000001C7396A4CE9
CloseHandle.KERNEL32 ref: 000001C7396A4CF2
CloseHandle.KERNEL32 ref: 000001C7396A4D07

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: CloseHandle$Process32Token$InformationNextOpenProcess$ConvertCreateErrorFirstLastSnapshotStringToolhelp32
String ID:
API String ID: 3925315391-0
Opcode ID: b7cdb7a7c6588e50aaab37c0fa57b8db1cd1071ffc72c1321cf755afb8342ce3
Instruction ID: 9da8ca38a978b50458e3ef7c11df52b59653980cd10ac4bda0f8e5c2f4866aa1
Opcode Fuzzy Hash: b7cdb7a7c6588e50aaab37c0fa57b8db1cd1071ffc72c1321cf755afb8342ce3
Instruction Fuzzy Hash: 3F812A72359BC082F7509B26FC48B9AA3A4F788B94F406115EE8A47BD8DFB8C505DF00

Function 000001C739687C00 Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 202COMMON

Download Yara Rule

Strings

quote was opened but not closed., xrefs: 000001C739689236, 000001C7396892AB
word wasnt properly ended, xrefs: 000001C739689365, 000001C7396893EC
unexpected '}', xrefs: 000001C739689413
key opened, but never closed, xrefs: 000001C7396893BF
object is not closed with '}', xrefs: 000001C73968920F
unexpected key without object, xrefs: 000001C7396892EA
key declared, but no value, xrefs: 000001C73968925D, 000001C739689284, 000001C739689398
No closed word, xrefs: 000001C739689317, 000001C73968933E

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID: No closed word$key declared, but no value$key opened, but never closed$object is not closed with '}'$quote was opened but not closed.$unexpected '}'$unexpected key without object$word wasnt properly ended
API String ID: 0-2700065129
Opcode ID: 526daf54ecec6b5047c2522b19b2d73770e4dc339e8ca9595cf98e890fd6a3e8
Instruction ID: 1edd5d4924c62b0d96c0282345af46366d04ba13ef9c78b910e7c413c6cd5591
Opcode Fuzzy Hash: 526daf54ecec6b5047c2522b19b2d73770e4dc339e8ca9595cf98e890fd6a3e8
Instruction Fuzzy Hash: A9B11D72689BC5E4F760EF30ED85BD93364F754348F806516E64C069EADFA4C689DB00

Function 000001C7396C0254 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 407COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C0283
_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C0353

Strings

0, xrefs: 000001C7396C038F
0, xrefs: 000001C7396C0325
0, xrefs: 000001C7396C037D

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0$0$0
API String ID: 3215553584-3137946472
Opcode ID: 4b936a4394e80428ad7bf41d875096a3e7add69c0315c25dc0869b4c3066c4ac
Instruction ID: 059fbe8afd5663bd45a61dc48efe571de100a92128561fe493de3ff2e07f206c
Opcode Fuzzy Hash: 4b936a4394e80428ad7bf41d875096a3e7add69c0315c25dc0869b4c3066c4ac
Instruction Fuzzy Hash: A9E1A23278BEC5C6FF609F298290BED2795B351B84F94A012F6C5477D2C6B9C859AF00

Function 000001C7396AAEA0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001C7396AAF1D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000001C7396AAF65
Concurrency::cancel_current_task.LIBCPMT ref: 000001C7396AB0E1
Concurrency::cancel_current_task.LIBCPMT ref: 000001C7396AB0F4
Concurrency::cancel_current_task.LIBCPMT ref: 000001C7396AB0FA

Strings

true, xrefs: 000001C7396AB01C
bad locale name, xrefs: 000001C7396AB0E7
false, xrefs: 000001C7396AAFED

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name$false$true
API String ID: 164343898-1062449267
Opcode ID: b48211fe32ad20fc17acaea3bce844d76f9b993237e7e4a94a99bef8053c48bd
Instruction ID: 560a33a63a7c6caa0f7577d7345fae71bc398b9dabd7d9d5a0d6173381900aac
Opcode Fuzzy Hash: b48211fe32ad20fc17acaea3bce844d76f9b993237e7e4a94a99bef8053c48bd
Instruction Fuzzy Hash: D0716B72B4ABC0CAFB10DF75E4507EC33A5FB44748F046129AE8867ADADA74C411EB48

Function 000001C7396B9B70 Relevance: 13.6, APIs: 9, Instructions: 117COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000001C7396B9BA1
GetProcessId.KERNEL32 ref: 000001C7396B9BAA
RmStartSession.RSTRTMGR ref: 000001C7396B9BCA
RmRegisterResources.RSTRTMGR ref: 000001C7396B9BF5
RmGetList.RSTRTMGR ref: 000001C7396B9C2E
RmGetList.RSTRTMGR ref: 000001C7396B9C90
RmEndSession.RSTRTMGR ref: 000001C7396B9CCB
RmEndSession.RSTRTMGR ref: 000001C7396B9D02
RmEndSession.RSTRTMGR ref: 000001C7396B9D17

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Session$ListProcess$CurrentRegisterResourcesStart
String ID:
API String ID: 3299295986-0
Opcode ID: 4ddc3a5b4f8c6342cd3dcf0c0e78daa6693b2bbe667ef408570da53bc05ca548
Instruction ID: e4e30b76f0e05f664f0ed02b0c89673f42ea34b83ac38be790aed72a0b9e3adf
Opcode Fuzzy Hash: 4ddc3a5b4f8c6342cd3dcf0c0e78daa6693b2bbe667ef408570da53bc05ca548
Instruction Fuzzy Hash: 63515C32B49AD08AF750CFA6E454ADD33B2B748788F505129EE0A63BD4EF74C8059B40

Function 000001C7396CDB5C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 000001C7396CDCD8
GetProcAddress.KERNEL32 ref: 000001C7396CDCE4

Strings

api-ms-, xrefs: 000001C7396CDC22
ext-ms-, xrefs: 000001C7396CDC35

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: ca7c09baf792878f96d911292d21648074434898d998409f668d6f16be7d0add
Instruction ID: 12551a53aa37de8001ac5697ad675504b28d8c0b01884a8103f3843b35a24b2b
Opcode Fuzzy Hash: ca7c09baf792878f96d911292d21648074434898d998409f668d6f16be7d0add
Instruction Fuzzy Hash: 9341323239AAC0C1FA15CB26AC18FD623D9B704BE0F486125AC89473C5EFB8C405AF00

Function 000001C7396AB2D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 000001C7396AB33B
InternetOpenUrlA.WININET ref: 000001C7396AB370
InternetReadFile.WININET ref: 000001C7396AB391
InternetReadFile.WININET ref: 000001C7396AB3CF
InternetCloseHandle.WININET ref: 000001C7396AB3DC
InternetCloseHandle.WININET ref: 000001C7396AB3E5

Strings

File Downloader, xrefs: 000001C7396AB334

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandleOpenRead
String ID: File Downloader
API String ID: 4038090926-3631955488
Opcode ID: fa0239a5c26b26bd75527fb4038815e206ec23e7877161b0e9a47b10fcbf0dfb
Instruction ID: ffefb5b3196eec21a951846f6552f809d94652c841aa99526006597e73b8f5ad
Opcode Fuzzy Hash: fa0239a5c26b26bd75527fb4038815e206ec23e7877161b0e9a47b10fcbf0dfb
Instruction Fuzzy Hash: CF31AE727597C082F7208F26F844BDAB3A1F788BC4F54601AEE8943B94DFB8C5409B00

Function 000001C7396C38F0 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C3933
_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C3D20
_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C3FBC

Strings

f, xrefs: 000001C7396C3A55
p, xrefs: 000001C7396C39E5
p, xrefs: 000001C7396C3A5D

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: eea83e675726579202ae46558f478e57f494447b85c4049c91ddb9471f815998
Instruction ID: 2f88e28e26dd7977d9db2a09efe36274218223cc2cfa5d080a2ba74dbcdf1e2c
Opcode Fuzzy Hash: eea83e675726579202ae46558f478e57f494447b85c4049c91ddb9471f815998
Instruction Fuzzy Hash: 6E12A07278E2C1C6FB20AB14E198FEA76A1F7C0750F886516F6D6476C4D7B9C880AF10

Function 000001C7396DC8CC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001C7396DC8FD
GetLastError.KERNEL32 ref: 000001C7396DC909
CloseHandle.KERNEL32 ref: 000001C7396DC921
CreateFileW.KERNEL32 ref: 000001C7396DC94C
WriteConsoleW.KERNEL32 ref: 000001C7396DC96B

Strings

CONOUT$, xrefs: 000001C7396DC92D

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 53dac6272d403f79ff27e653aa55d51cb6535fcae6368453f164039c5e4e95e8
Instruction ID: e304db324dbc9a386eb3027bbf050f1d164f7e3d3945efa146b833e2fea16421
Opcode Fuzzy Hash: 53dac6272d403f79ff27e653aa55d51cb6535fcae6368453f164039c5e4e95e8
Instruction Fuzzy Hash: E7119032358BC086F7908B23FC58B9962A0F388BE4F545214EA5D877D4DFBCC4549B44

Function 000001C7396ED42C Relevance: 9.2, APIs: 6, Instructions: 239COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 000001C7396ED4D9
MultiByteToWideChar.KERNEL32 ref: 000001C7396ED575
MultiByteToWideChar.KERNEL32 ref: 000001C7396ED61E
MultiByteToWideChar.KERNEL32 ref: 000001C7396ED648
MultiByteToWideChar.KERNEL32 ref: 000001C7396ED6F0
CompareStringEx.KERNEL32 ref: 000001C7396ED73D

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$CompareInfoString
String ID:
API String ID: 2984826149-0
Opcode ID: 26eb7e015d5d110b74ff0d84bcaa31491d724dbf353ec7a17117fafe3eaea0ab
Instruction ID: 2743c5e45c7f446a80ef2bf4c77b32f7e6624d2d41fe143a22105297aceccb83
Opcode Fuzzy Hash: 26eb7e015d5d110b74ff0d84bcaa31491d724dbf353ec7a17117fafe3eaea0ab
Instruction Fuzzy Hash: 90A1C373B8A7C0C6FF218F259624BED67D1F740B98F446611DA59077C6EBBAC844AB00

Function 000001C7396ED0CC Relevance: 9.2, APIs: 6, Instructions: 206COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 000001C7396ED13C
MultiByteToWideChar.KERNEL32 ref: 000001C7396ED1DA
LCMapStringEx.KERNEL32 ref: 000001C7396ED243
LCMapStringEx.KERNEL32 ref: 000001C7396ED295
LCMapStringEx.KERNEL32 ref: 000001C7396ED33A
WideCharToMultiByte.KERNEL32 ref: 000001C7396ED394

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 7d9f455a94f84a05f587d57d339c879795f99f0f1217d4298ff39db3fa6ba98e
Instruction ID: aad7d04572833a424af04ea980149e2e77f918953ebc061675ed2c8923fd0e4e
Opcode Fuzzy Hash: 7d9f455a94f84a05f587d57d339c879795f99f0f1217d4298ff39db3fa6ba98e
Instruction Fuzzy Hash: 7E81AF7374A7C0C6FB608F25A950BE973A5FB44BE8F142211EA5947BC9EBB9C4009B00

Function 000001C7396C0840 Relevance: 9.2, APIs: 6, Instructions: 157COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C08B2
_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C08E3
_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C0923
_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C0965
_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C099A
_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C0A17

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 619b2885e3fd1682f6a864358b33df5452abb606e6c6f730ccce56a3fdc98189
Instruction ID: 927c27bbf3337bbdfcbebbd4e4267603ab1e5edcb67de47fa0818c7fca49a4f5
Opcode Fuzzy Hash: 619b2885e3fd1682f6a864358b33df5452abb606e6c6f730ccce56a3fdc98189
Instruction Fuzzy Hash: F251503234FAC4C6FF619F2490607ED27A5B745B44F85B002E6C9573C6CAA9C846EF42

Function 000001C7396CA064 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001C7396CA073
FlsSetValue.KERNEL32(?,?,-2723E8D8DEBC5093,000001C7396C4E71,?,?,?,?,000001C7396CD3FC), ref: 000001C7396CA0A9
FlsSetValue.KERNEL32(?,?,-2723E8D8DEBC5093,000001C7396C4E71,?,?,?,?,000001C7396CD3FC), ref: 000001C7396CA0D6
FlsSetValue.KERNEL32(?,?,-2723E8D8DEBC5093,000001C7396C4E71,?,?,?,?,000001C7396CD3FC), ref: 000001C7396CA0E7
FlsSetValue.KERNEL32(?,?,-2723E8D8DEBC5093,000001C7396C4E71,?,?,?,?,000001C7396CD3FC), ref: 000001C7396CA0F8
SetLastError.KERNEL32 ref: 000001C7396CA113

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 9171995ea5c336ae991c260a04bbd1332f14451c84c9f4660891b61a794840d0
Instruction ID: 86e4fece19242cfc2bb1f0e9a3e5c6e49d2ae2d0fbf66f543342bd44aeb0e323
Opcode Fuzzy Hash: 9171995ea5c336ae991c260a04bbd1332f14451c84c9f4660891b61a794840d0
Instruction Fuzzy Hash: 5411723138F2C4C2FA5863326E65BEDA1527B457F4F146714B9BA077C6EEA8C441AF00

Function 000001C73965DCE0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 281COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 000001C73965DD3F

Part of subcall function 000001C7396EB260: AreFileApisANSI.KERNEL32 ref: 000001C7396EB272

__std_exception_destroy.LIBVCRUNTIME ref: 000001C73965DFE7
__std_exception_destroy.LIBVCRUNTIME ref: 000001C73965E0A1

Strings

", ", xrefs: 000001C73965DE2D
: ", xrefs: 000001C73965DDFA

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: __std_exception_destroy$ApisFile__std_fs_code_page
String ID: ", "$: "
API String ID: 741338541-747220369
Opcode ID: 459fe657a5d404b41c8d4591ae057f187feded03b5f6db692fcd58151bc05830
Instruction ID: 6c2b110c300a0137a1ade4abceac6fd4d70c3c1841f7bcccadad9d40d7fc74a1
Opcode Fuzzy Hash: 459fe657a5d404b41c8d4591ae057f187feded03b5f6db692fcd58151bc05830
Instruction Fuzzy Hash: F3B1BCB274AAC096FB00EF65E4547ED2361F744B88F40A521EA5807BDADFB8C495E780

Function 000001C7396D11C8 Relevance: 7.7, APIs: 5, Instructions: 196COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001C7396D1207
_set_statfp.LIBCMT ref: 000001C7396D1225
_set_statfp.LIBCMT ref: 000001C7396D124E
_set_statfp.LIBCMT ref: 000001C7396D148A

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 5f08648ead59062868bdd16807720c789bde270e818f8c90ef932a5b57013052
Instruction ID: ddfa6ca9219cf3c2c0da7cfb67e8918c42fe6e3420b51c51c64b95ea0de07061
Opcode Fuzzy Hash: 5f08648ead59062868bdd16807720c789bde270e818f8c90ef932a5b57013052
Instruction Fuzzy Hash: 05814733389AC4C5F37A8B35A410BEB6250BF46398F066301EDA6225E1D7F5C5E1BE00

Function 000001C7396CA12C Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000001C7396C7EF7,?,?,00000000,000001C7396C8192,?,?,?,?,-2723E8D8DEBC5093,000001C7396C811E), ref: 000001C7396CA14B
FlsSetValue.KERNEL32(?,?,?,000001C7396C7EF7,?,?,00000000,000001C7396C8192,?,?,?,?,-2723E8D8DEBC5093,000001C7396C811E), ref: 000001C7396CA16A
FlsSetValue.KERNEL32(?,?,?,000001C7396C7EF7,?,?,00000000,000001C7396C8192,?,?,?,?,-2723E8D8DEBC5093,000001C7396C811E), ref: 000001C7396CA192
FlsSetValue.KERNEL32(?,?,?,000001C7396C7EF7,?,?,00000000,000001C7396C8192,?,?,?,?,-2723E8D8DEBC5093,000001C7396C811E), ref: 000001C7396CA1A3
FlsSetValue.KERNEL32(?,?,?,000001C7396C7EF7,?,?,00000000,000001C7396C8192,?,?,?,?,-2723E8D8DEBC5093,000001C7396C811E), ref: 000001C7396CA1B4

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 899af4340b37942fc89d2eda1bd92b937099c6712e87118af2802e5ac3ca3c8d
Instruction ID: f621d46c7d95d244ec108e5f0bd0bd620e77fa4a992fdc783b52f18becb8a580
Opcode Fuzzy Hash: 899af4340b37942fc89d2eda1bd92b937099c6712e87118af2802e5ac3ca3c8d
Instruction Fuzzy Hash: 0811513178E2C4C1FB58A3326961FE961517B453B0F446324B9B946BD6DAA8C401EE00

Function 000001C739679990 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001C739679A00
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000001C739679A48
_Getcoll.LIBCPMT ref: 000001C739679A7C

Strings

bad locale name, xrefs: 000001C739679B81

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: std::_$GetcollLocinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1287851536-1405518554
Opcode ID: 0e2199b354b6fa2a7fe163168432d521e28dc92d6052475606a1a3548545b2f1
Instruction ID: cac5a5f9a9c3bbdf5d3da13a01c29e03da9caebc5dc679b9b539eb384314b944
Opcode Fuzzy Hash: 0e2199b354b6fa2a7fe163168432d521e28dc92d6052475606a1a3548545b2f1
Instruction Fuzzy Hash: 8291AF72B46BC0CAFB14DFB5E4807DD33A1FB44B88F046125DE9917AC9DAB8C451AB84

Function 000001C73965CA60 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001C73965CACF
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000001C73965CB17
_Getctype.LIBCPMT ref: 000001C73965CB55

Strings

bad locale name, xrefs: 000001C73965CC0E

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: std::_$GetctypeLocinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1612978173-1405518554
Opcode ID: f3309cd69573ee9005b0e7113b5e66912ef7be2866917512603c6b66ffbc6d9e
Instruction ID: 03bea85fe68b8154cea0bd258d92df1f748aae8ab214814dbbbe4bd6574a071f
Opcode Fuzzy Hash: f3309cd69573ee9005b0e7113b5e66912ef7be2866917512603c6b66ffbc6d9e
Instruction Fuzzy Hash: 86514832B4ABC0DAFB10DF74E490BEC33A5FB44748F046425EE8926AD5DB78C525AB44

Function 000001C7396EB210 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001C7396EB226
GetProcAddress.KERNEL32 ref: 000001C7396EB236

Strings

kernel32.dll, xrefs: 000001C7396EB21F
GetTempPath2W, xrefs: 000001C7396EB22C

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetTempPath2W$kernel32.dll
API String ID: 1646373207-1846531799
Opcode ID: 85c4015c5df5ee79752990f65a767554006cfd6127e60443cb10f02faa6b2ab0
Instruction ID: e79311ae499b539ea3cf0fa036c3b71bfbf8dfce073b61504df37be7503cf4a3
Opcode Fuzzy Hash: 85c4015c5df5ee79752990f65a767554006cfd6127e60443cb10f02faa6b2ab0
Instruction Fuzzy Hash: 11E0E5B1354AC495FE449B26FD4C9A56321BB48BC4F846025C90D073E4DEB8C4499B01

Function 000001C7396A5180 Relevance: 6.5, APIs: 4, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 000001C7396A4A30: CreateToolhelp32Snapshot.KERNEL32 ref: 000001C7396A4A86
Part of subcall function 000001C7396A4A30: Process32FirstW.KERNEL32 ref: 000001C7396A4ACA
Part of subcall function 000001C7396A4A30: Process32NextW.KERNEL32 ref: 000001C7396A4ADF
Part of subcall function 000001C7396A4A30: OpenProcess.KERNEL32 ref: 000001C7396A4B1B
Part of subcall function 000001C7396A4A30: OpenProcessToken.ADVAPI32 ref: 000001C7396A4B42
Part of subcall function 000001C7396A4A30: CloseHandle.KERNEL32 ref: 000001C7396A4CB6
Part of subcall function 000001C7396A4A30: Process32NextW.KERNEL32 ref: 000001C7396A4CC3
Part of subcall function 000001C7396A4A30: CloseHandle.KERNEL32 ref: 000001C7396A4D07

ImpersonateLoggedOnUser.ADVAPI32 ref: 000001C7396A51DD
ImpersonateLoggedOnUser.ADVAPI32 ref: 000001C7396A56C8
RevertToSelf.ADVAPI32 ref: 000001C7396A56E6

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Process32$CloseHandleImpersonateLoggedNextOpenProcessUser$CreateFirstRevertSelfSnapshotTokenToolhelp32
String ID:
API String ID: 1562318730-0
Opcode ID: d627d8bcbdc459e17854ed070e413cf41df11674430976f7a2a8c53ad630327b
Instruction ID: e4f3bd011e72e9ccc5cdba6e9a2d7e61574a97eec482c34440ded959d2751986
Opcode Fuzzy Hash: d627d8bcbdc459e17854ed070e413cf41df11674430976f7a2a8c53ad630327b
Instruction Fuzzy Hash: 6422B3B279A7C0C6FB00DB69E4547DD6761F7813A4F506201EA6D07AEADFB8C480EB40

Function 000001C7396CC578 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001C7396CC5F7
WriteFile.KERNEL32 ref: 000001C7396CC8BF
WriteFile.KERNEL32 ref: 000001C7396CC905
GetLastError.KERNEL32 ref: 000001C7396CC9BB

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 51ca5d62aa19301a18794717acfbf1a46562df65ce568f5fb7798e040ec77a5b
Instruction ID: 9e7a63848d052cf60572244395ee614f165e4365a662ba49f1a50759afb7ded5
Opcode Fuzzy Hash: 51ca5d62aa19301a18794717acfbf1a46562df65ce568f5fb7798e040ec77a5b
Instruction Fuzzy Hash: 24D1EB32B1AAC0C9F711CF69D440ADC37A1F355B98F006606EE9A97BD9CA78C406DB40

Function 000001C7396BA260 Relevance: 6.1, APIs: 4, Instructions: 123COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 000001C7396BA280
FreeEnvironmentStringsW.KERNEL32 ref: 000001C7396BA37B
RtlInitUnicodeString.NTDLL ref: 000001C7396BA3EE
RtlInitUnicodeString.NTDLL ref: 000001C7396BA3FB

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: EnvironmentInitStringStringsUnicode$Free
String ID:
API String ID: 2488768755-0
Opcode ID: a6f54e2e92f5b8a13dd2250eb9787b2622c9f74f5f67efe29f3986d4c3e1fe69
Instruction ID: 6aa87e742f3ec1f75d1ae723f86d5e6b7f9ab7996e1d4f11df73d5e5358d59a8
Opcode Fuzzy Hash: a6f54e2e92f5b8a13dd2250eb9787b2622c9f74f5f67efe29f3986d4c3e1fe69
Instruction Fuzzy Hash: 51518D72A19BC0C2FB108F26E94479D77A0F794B94F54A211EB9903B95DFB8D1E1DB00

Function 000001C739672C80 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 000001C7396EC5EC: std::_Lockit::_Lockit.LIBCPMT ref: 000001C7396EC609
Part of subcall function 000001C7396EC5EC: std::locale::_Setgloballocale.LIBCPMT ref: 000001C7396EC62C

std::_Lockit::_Lockit.LIBCPMT ref: 000001C739672CC1
std::_Lockit::_Lockit.LIBCPMT ref: 000001C739672CE6
std::_Facet_Register.LIBCPMT ref: 000001C739672D92
Concurrency::cancel_current_task.LIBCPMT ref: 000001C739672DF4

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_RegisterSetgloballocalestd::locale::_
String ID:
API String ID: 3698853521-0
Opcode ID: 0884a8ffc1b6cb17836b1a0342e620fa616e2c9b7415b8a2fd0043477bec2773
Instruction ID: c4dc43aaa62c8d510c404fc658bf2da940773f04113d8a93913d1682c97cb3eb
Opcode Fuzzy Hash: 0884a8ffc1b6cb17836b1a0342e620fa616e2c9b7415b8a2fd0043477bec2773
Instruction Fuzzy Hash: B1418D323AABC0C1FA50DB25F444BD973A4F788B90F582511EA9A477E5DFB9C452DB00

Function 000001C7396C06FC Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C0775
_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C07D1
_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C080C
_invalid_parameter_noinfo.LIBCMT ref: 000001C7396C0831

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f1f9df1a05da3301ed415653e8360f7cb12179a044a2575d07df28b1a0800ec9
Instruction ID: 52b739a151aa456b30cd66fcfb956a02f69e5958ccf321d417441d126822fe9c
Opcode Fuzzy Hash: f1f9df1a05da3301ed415653e8360f7cb12179a044a2575d07df28b1a0800ec9
Instruction Fuzzy Hash: 43412B3224AAC4C6FF628F24C4207ED3BA4B749F84F4AD041E6C847385DA79C445DF61

Function 000001C7396778A0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001C7396778CB
std::_Lockit::_Lockit.LIBCPMT ref: 000001C7396778F0
std::_Facet_Register.LIBCPMT ref: 000001C73967799B
Concurrency::cancel_current_task.LIBCPMT ref: 000001C7396779E6

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 1168246061-0
Opcode ID: fce11bbf2716b712929d21612f2a8f238f427733906def6abb3c40e1e27c6ea6
Instruction ID: 35c05f58c14a59d73e4fd84b4e8bb988dae5eb31c4ec1f1b5c53de6390f527c4
Opcode Fuzzy Hash: fce11bbf2716b712929d21612f2a8f238f427733906def6abb3c40e1e27c6ea6
Instruction Fuzzy Hash: FB415F3239ABC0C0FA15DF29E444BE96760F388BA4F582621EA8D477E5DFB8C541DB00

Function 000001C7396AAB80 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001C7396AABAB
std::_Lockit::_Lockit.LIBCPMT ref: 000001C7396AABD0
std::_Facet_Register.LIBCPMT ref: 000001C7396AAC7B
Concurrency::cancel_current_task.LIBCPMT ref: 000001C7396AACC6

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 1168246061-0
Opcode ID: 73d040060e39de7473f733929aeeb815445ca65359d0c265211a911782271014
Instruction ID: a7518006768ac9158f305362c19561a7ae813838aad8c0efd0bc2c5c524754a0
Opcode Fuzzy Hash: 73d040060e39de7473f733929aeeb815445ca65359d0c265211a911782271014
Instruction Fuzzy Hash: F241C171399BC0C1FB11DF25E844BD96365F384B94F482522EA4E077E5DEBDC4419B00

Function 000001C739674E10 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001C739674E3B
std::_Lockit::_Lockit.LIBCPMT ref: 000001C739674E60
std::_Facet_Register.LIBCPMT ref: 000001C739674F0B
Concurrency::cancel_current_task.LIBCPMT ref: 000001C739674F56

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 1168246061-0
Opcode ID: acbc9ea0ed55ab8395d29e3490695ccec0bb7a6dea11a1816461c93234175631
Instruction ID: 5325a150d0372fffd736e4a45f53da97c2b40a93b685c8fb6b1593d059c17585
Opcode Fuzzy Hash: acbc9ea0ed55ab8395d29e3490695ccec0bb7a6dea11a1816461c93234175631
Instruction Fuzzy Hash: FA417F3639AAC0C1FA21DF25E448BD96761F388BA4F582521EA8D477E5DEB8C441DF00

Function 000001C7396EB3F4 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 000001C7396EB43D
GetLastError.KERNEL32 ref: 000001C7396EB44B
WideCharToMultiByte.KERNEL32 ref: 000001C7396EB480
GetLastError.KERNEL32 ref: 000001C7396EB48E

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: b0c4d9c72fcc6461851340ae7f6c093d4e41e08a8bab11e5154c9cbc0382217d
Instruction ID: a05b0dc2010eb6156af4660a9d609b5bf16db57d5abba5c3b64929a1a869ce27
Opcode Fuzzy Hash: b0c4d9c72fcc6461851340ae7f6c093d4e41e08a8bab11e5154c9cbc0382217d
Instruction Fuzzy Hash: 5B215E76619BC5C7F7608F22E94475EB6B4F389BD4F141128DB8957B98DB79C4018F00

Function 000001C7396EB8E0 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 000001C7396EB210: GetModuleHandleW.KERNEL32 ref: 000001C7396EB226
Part of subcall function 000001C7396EB210: GetProcAddress.KERNEL32 ref: 000001C7396EB236

GetLastError.KERNEL32 ref: 000001C7396EB904

Part of subcall function 000001C7396C98B4: IsProcessorFeaturePresent.KERNEL32 ref: 000001C7396C98DA

GetFileAttributesW.KERNEL32 ref: 000001C7396EB913
__std_fs_open_handle.LIBCPMT ref: 000001C7396EB93C
CloseHandle.KERNEL32 ref: 000001C7396EB94E

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: Handle$AddressAttributesCloseErrorFeatureFileLastModulePresentProcProcessor__std_fs_open_handle
String ID:
API String ID: 156590933-0
Opcode ID: 6a84e7cc61d3f6faa1a02f0b285c9e89f06a54f244136a8e8d2e5cb925bd3053
Instruction ID: 3696c16e5f1a098362b15c520b227f8cf3e49b6939e4d1f74ce1be53fc7011be
Opcode Fuzzy Hash: 6a84e7cc61d3f6faa1a02f0b285c9e89f06a54f244136a8e8d2e5cb925bd3053
Instruction Fuzzy Hash: 4211083175F1C2C5F7504737A684BBA6260F7457F0F002608B5B6476E5CAB9C040AF40

Function 000001C7396DF908 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001C7396DF934
GetCurrentThreadId.KERNEL32 ref: 000001C7396DF942
GetCurrentProcessId.KERNEL32 ref: 000001C7396DF94E
QueryPerformanceCounter.KERNEL32 ref: 000001C7396DF95E

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 4ffc0ff1ccd2cf120a16052376350404e0c91ed7b37e0d63ec5629fc76b72274
Instruction ID: 3cffdb788d0c95b3780888f7060e317853c5481aae9abb4cc878f77b1bef906a
Opcode Fuzzy Hash: 4ffc0ff1ccd2cf120a16052376350404e0c91ed7b37e0d63ec5629fc76b72274
Instruction Fuzzy Hash: 76111872754B808AFB408F71F8586E833A4F719758F442A21EA6D467E4DFB8C1648740

Function 000001C73965EBF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

[json.exception., xrefs: 000001C73965ED2B

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID:
String ID: [json.exception.
API String ID: 0-791563284
Opcode ID: db854a5c9348acf79dc317cc3397b3211d18b77a8869f4e344f22974b4e74802
Instruction ID: 7d666de56c23b341baa6ff29bc8cb590db5f333e3b766a78bd7ac8e127249830
Opcode Fuzzy Hash: db854a5c9348acf79dc317cc3397b3211d18b77a8869f4e344f22974b4e74802
Instruction Fuzzy Hash: B87110B2B55BD095FB01CF79E840BDC27A1F795B98F106215EE5817BCACBB8C081AB40

Function 000001C7396AB100 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001C7396AB16F
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000001C7396AB1B7

Strings

bad locale name, xrefs: 000001C7396AB28C

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 14fc8944abe9429430bdcdd57e97276a4710787c9a614767eb9fa93c6d11781e
Instruction ID: 17c57c32b8394e0309ecca6cc07ab1acc308dd7e5e815d7bfdbc02e5e86d928c
Opcode Fuzzy Hash: 14fc8944abe9429430bdcdd57e97276a4710787c9a614767eb9fa93c6d11781e
Instruction Fuzzy Hash: 34518C7275AAC0C9FB50DF75E490BEC33A4FB54B48F082029EE8967AD5DE74C421AB44

Function 000001C73967A600 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001C73967A66F
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000001C73967A6B7

Strings

bad locale name, xrefs: 000001C73967A796

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: b8865984b8349007d2158ad90dd57974622c70311bf235a09516d1c0c2a61c8a
Instruction ID: 439c71f68592bbc0e0468eaad1d555750f09beb442e35c1ebe438bdb5ece776a
Opcode Fuzzy Hash: b8865984b8349007d2158ad90dd57974622c70311bf235a09516d1c0c2a61c8a
Instruction Fuzzy Hash: 8E51673274AAC0D9FB50DFB4E890BEC33B4FB44748F046025EA8966AD5DE75C425AB44

Function 000001C7396D2D58 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001C7396D8138: _invalid_parameter_noinfo.LIBCMT ref: 000001C7396D816B

_get_daylight.LIBCMT ref: 000001C7396D2E70
_get_daylight.LIBCMT ref: 000001C7396D2E81

Strings

?, xrefs: 000001C7396D2E01

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 9cb3a800b4e5433171cdfee83524aba1d0ffe5a917aa16eb1e5a6d3dafcd7e64
Instruction ID: 44eadd3e1416240e8cad489ab241f8a3806b44ff25991cf6687469af87c25ff0
Opcode Fuzzy Hash: 9cb3a800b4e5433171cdfee83524aba1d0ffe5a917aa16eb1e5a6d3dafcd7e64
Instruction Fuzzy Hash: 8341293330A7C0C6FB649B25E811BEA6660F780BA4F145225EEA946BD5DB78C4A1DF00

Function 000001C7396CCC10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001C7396CCD27
GetLastError.KERNEL32 ref: 000001C7396CCD49

Strings

U, xrefs: 000001C7396CCCD3

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 136ebf252562798dd94b0934f5b608a87eddbdd1c89cb1577b5bf7720501d192
Instruction ID: 08ad40e6837a392d10e848914a0e573d645b9872873743988661cd019bfc5d49
Opcode Fuzzy Hash: 136ebf252562798dd94b0934f5b608a87eddbdd1c89cb1577b5bf7720501d192
Instruction Fuzzy Hash: 3E419F72319AC0C2EB608F25E844BEA67A1F398B94F445521EE8D877D4EBBCC441DF40

Function 000001C7396E0E88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 000001C7396E0ED8
RaiseException.KERNEL32 ref: 000001C7396E0F19

Strings

csm, xrefs: 000001C7396E0F06

Memory Dump Source

Source File: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C739630000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c739630000_utkin.jbxd

Yara matches

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b70c8f01ca01e1ec4819aea0aadbf8579bb2f3e39c9b562f706c3da26c2f4cc1
Instruction ID: 53796456d3282f6d0738c53923e593447a9133fa09fef2a09b72b89da8d33ffe
Opcode Fuzzy Hash: b70c8f01ca01e1ec4819aea0aadbf8579bb2f3e39c9b562f706c3da26c2f4cc1
Instruction Fuzzy Hash: CC115B32649BC082EB608B25F544799B7E4F788B88F985224EA8D07B94DF79C9519B00

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report utkin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Meduza Stealer

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
utkin.exe

Function 000001C7396B5B70 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 225
windowCOMMON

Function 000001C7396EB5B0 Relevance: 27.2, APIs: 18, Instructions: 229
fileCOMMON

Function 000001C73966D570 Relevance: 20.1, APIs: 8, Strings: 3, Instructions: 862
libraryloaderCOMMON

Function 000001C739695970 Relevance: 17.8, Strings: 14, Instructions: 304
COMMON

Function 000001C7396AC600 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 173
synchronizationCOMMON

Function 000001C739662CA0 Relevance: 14.8, APIs: 3, Strings: 5, Instructions: 789
registryCOMMON

Function 000001C7396D2E3C Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 335
timeCOMMONLIBRARYCODE

Function 000001C7396B5240 Relevance: 13.9, APIs: 9, Instructions: 408
networkfileCOMMON

Function 000001C7396F0658 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Function 000001C739696350 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1136
COMMON

Function 000001C7396620B0 Relevance: 12.9, APIs: 3, Strings: 4, Instructions: 684
registryCOMMON

Function 000001C7396AF020 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 451
fileCOMMON

Function 000001C7396AEBF0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 194
windowCOMMON

Function 000001C7396AFCA0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 226
networkCOMMON

Function 000001C7396D092C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre