Edit tour

Windows Analysis Report
adguardInstaller.exe

Overview

General Information

Sample name:	adguardInstaller.exe
Analysis ID:	1583758
MD5:	a74538fcb6491c24a788b008128dc41b
SHA1:	71934871c0dfc9f5148a44c3302c40a44d8355ab
SHA256:	49061dfd5e40ed59c68e5e6e6be5b920b3dedb9f951e62bdd2bcb54cbb93c400
Infos:

Detection

PureLog Stealer

Score:	45
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	33
Range:	0 - 100

Signatures

Suricata IDS alerts for network traffic

Yara detected PureLog Stealer

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

adguardInstaller.exe (PID: 3000 cmdline: "C:\Users\user\Desktop\adguardInstaller.exe" MD5: A74538FCB6491C24A788B008128DC41B)

setup.exe (PID: 2264 cmdline: C:\Users\user\AppData\Local\Temp\adguard\setup.exe AID=18673_page_en_welcome MD5: 9EFF4EA678EA4A1F9F7802B8FC4AD702)

setup.exe (PID: 4364 cmdline: "C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\adguard\setup.exe" -burn.filehandle.attached=716 -burn.filehandle.self=732 AID=18673_page_en_welcome MD5: 44876B0645D1BDFDCDD7C5133B2EAD8E)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.Base.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.UI.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.dll	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.3365693311.0000000007262000.00000002.00000001.01000000.00000012.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000002.3364676133.0000000006E82000.00000002.00000001.01000000.00000011.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000002.3366477621.00000000076A2000.00000002.00000001.01000000.00000013.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
6.2.setup.exe.7260000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.setup.exe.6e80000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.setup.exe.76a0000.7.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.setup.exe.76a0000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Suricata Signatures

ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T14:39:00.444613+0100	2020826	1	A Network Trojan was detected	192.168.2.6	49712	37.19.203.49	80	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-03T14:39:00.444613+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49712	37.19.203.49	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B69F8F DecryptFileW,	5_2_00B69F8F
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B8F340 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	5_2_00B8F340
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B69D74 DecryptFileW,DecryptFileW,	5_2_00B69D74
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00CF9F8F DecryptFileW,	6_2_00CF9F8F
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D1F340 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	6_2_00D1F340
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00CF9D74 DecryptFileW,DecryptFileW,	6_2_00CF9D74

Compliance

Uses 32bit PE files

Source: adguardInstaller.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 37.19.203.49:443 -> 192.168.2.6:49957 version: TLS 1.0

PE / OLE file has a valid certificate

Source: adguardInstaller.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 37.19.203.49:443 -> 192.168.2.6:49713 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: adguardInstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: AdGuard.Utils.Base.pdb source: setup.exe, setup.exe, 00000006.00000002.3364676133.0000000006E82000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: setup.exe, 00000006.00000002.3367349019.0000000007E32000.00000002.00000001.01000000.00000015.sdmp, Newtonsoft.Json.dll.6.dr
Source:	Binary string: AdGuard.Utils.pdb source: setup.exe, setup.exe, 00000006.00000002.3366477621.00000000076A2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: setup.exe, setup.exe, 00000006.00000002.3367349019.0000000007E32000.00000002.00000001.01000000.00000015.sdmp, Newtonsoft.Json.dll.6.dr
Source:	Binary string: C:\raven\build\obj\Release\net45\SharpRaven.pdb source: setup.exe, setup.exe, 00000006.00000002.3365875627.0000000007312000.00000002.00000001.01000000.00000014.sdmp, SharpRaven.dll.6.dr
Source:	Binary string: AdGuard.Utils.UI.pdb source: setup.exe, setup.exe, 00000006.00000002.3365693311.0000000007262000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\Bamboo\bamboo-agent-home\xml-data\build-dir\WIN-BR12-JOB1\adguard\Installer\Adguard.Burn\obj\Release\Adguard.Burn.pdb source: setup.exe, setup.exe, 00000006.00000002.3364240293.0000000006C6B000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: AdGuard.Utils.pdb8Y source: setup.exe, 00000006.00000002.3366477621.00000000076A2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Users\Bamboo\bamboo-agent-home\xml-data\build-dir\WIN-BR12-JOB1\adguard\Installer\Adguard.Burn\obj\Release\Adguard.Burn.pdbX source: setup.exe, 00000006.00000002.3364240293.0000000006C6B000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\mbahost.pdb source: setup.exe, 00000006.00000002.3374282807.000000006FCC4000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Users\Bamboo\bamboo-agent-home\xml-data\build-dir\WIN-BWU-JOB1\AdGuard.Commons\build\obj\Release\AdGuard.Utils.Installer\AdGuard.Utils.Installer.pdb source: setup.exe, setup.exe, 00000006.00000002.3364119445.0000000006B52000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\burn.pdb source: setup.exe, 00000005.00000000.2515262039.0000000000B9A000.00000002.00000001.01000000.00000009.sdmp, setup.exe, 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmp, setup.exe, 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmp, setup.exe, 00000006.00000000.2519056452.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmp, setup.exe.5.dr, setup[1].exe.0.dr
Source:	Binary string: indows\dll\System.pdb source: setup.exe, 00000006.00000002.3364896469.0000000006FD1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2833123507.0000000006FD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: setup.exe, setup.exe, 00000006.00000002.3363151676.0000000006712000.00000002.00000001.01000000.0000000E.sdmp, BootstrapperCore.dll.6.dr
Source:	Binary string: C:\raven\build\obj\Release\net45\SharpRaven.pdbSHA256 source: setup.exe, 00000006.00000002.3365875627.0000000007312000.00000002.00000001.01000000.00000014.sdmp, SharpRaven.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.6.dr

Spreading

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B87437 FindFirstFileExW,	5_2_00B87437
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B69A1D FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	5_2_00B69A1D
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B93C72 FindFirstFileW,FindClose,	5_2_00B93C72
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B53D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	5_2_00B53D4E
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D17437 FindFirstFileExW,	6_2_00D17437
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00CF9A1D FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	6_2_00CF9A1D
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D23C72 FindFirstFileW,FindClose,	6_2_00D23C72
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00CE3D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	6_2_00CE3D4E
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_6FCBBF0F FindFirstFileExA,	6_2_6FCBBF0F

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2020826 - Severity 1 - ET MALWARE Potential Dridex.Maldoc Minimal Executable Request : 192.168.2.6:49712 -> 37.19.203.49:80

Yara detected Generic Downloader

Source: Yara match	File source: 6.2.setup.exe.76a0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.dll, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /installer.v1.0.json HTTP/1.1Host: static.adguard.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /installer.v1.0.json HTTP/1.1Host: static.adguard.comConnection: Keep-Alive

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49712 -> 37.19.203.49:80

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 37.19.203.49:443 -> 192.168.2.6:49957 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\adguardInstaller.exe

Code function: 0_2_00EC8E34 GetLastError,InternetOpenW,InternetOpenUrlW,HttpQueryInfoA,InternetReadFile,WriteFile,HeapFree,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetLastError,CloseHandle,

0_2_00EC8E34

Source: global traffic	HTTP traffic detected: GET /windows/setup.exe HTTP/1.1User-Agent: AdGuard Web InstallerHost: static.adtidy.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /installer.v1.0.json HTTP/1.1Host: static.adguard.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /windows/setup.exe HTTP/1.1User-Agent: AdGuard Web InstallerHost: static.adtidy.org
Source: global traffic	HTTP traffic detected: GET /installer.v1.0.json HTTP/1.1Host: static.adguard.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: static.adtidy.org
Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: static.adguard.com

Source: setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.adguard.com/FDefault
Source: setup.exe	String found in binary or memory: http://api.adguard.org
Source: setup.exe	String found in binary or memory: http://api.adguard.org/api/1.0/register.html
Source: setup.exe, 00000006.00000002.3364240293.0000000006BF2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://api.adguard.org/api/1.0/register.htmlsemail=
Source: setup.exe, 00000006.00000002.3359300348.00000000045BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.adguard.org/api/1.0/register.htmlt
Source: setup.exe, 00000006.00000002.3364240293.0000000006BF2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://api.adguard.org/uninstall.html
Source: setup.exe, 00000006.00000002.3364240293.0000000006BF2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://api.adguard.orgremail=
Source: setup.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: setup.exe, 00000005.00000000.2515262039.0000000000B9A000.00000002.00000001.01000000.00000009.sdmp, setup.exe, 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmp, setup.exe, 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmp, setup.exe, 00000006.00000000.2519056452.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmp, setup.exe.5.dr, setup[1].exe.0.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationc:
Source: BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: adguardInstaller.exe, setup.exe.5.dr, Newtonsoft.Json.dll.6.dr, SharpRaven.dll.6.dr, setup[1].exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Newtonsoft.Json.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: SharpRaven.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: SharpRaven.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SharpRaven.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: adguardInstaller.exe, setup.exe.5.dr, Newtonsoft.Json.dll.6.dr, SharpRaven.dll.6.dr, setup[1].exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: adguardInstaller.exe, setup.exe.5.dr, Newtonsoft.Json.dll.6.dr, SharpRaven.dll.6.dr, setup[1].exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: Newtonsoft.Json.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: adguardInstaller.exe, setup.exe.5.dr, setup[1].exe.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: adguardInstaller.exe, setup.exe.5.dr, setup[1].exe.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: adguardInstaller.exe, setup.exe.5.dr, setup[1].exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: adguardInstaller.exe, setup.exe.5.dr, setup[1].exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: adguardInstaller.exe, setup.exe.5.dr, Newtonsoft.Json.dll.6.dr, SharpRaven.dll.6.dr, setup[1].exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Newtonsoft.Json.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: SharpRaven.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: SharpRaven.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: adguardInstaller.exe, setup.exe.5.dr, Newtonsoft.Json.dll.6.dr, SharpRaven.dll.6.dr, setup[1].exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: adguardInstaller.exe, setup.exe.5.dr, Newtonsoft.Json.dll.6.dr, SharpRaven.dll.6.dr, setup[1].exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: Newtonsoft.Json.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: SharpRaven.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SharpRaven.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SharpRaven.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: Newtonsoft.Json.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: SharpRaven.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SharpRaven.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: adguardInstaller.exe, 00000000.00000002.2519044071.0000000001670000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000003.2516720026.0000000001652000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000003.2517008031.000000000166F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSign
Source: adguardInstaller.exe, setup.exe.5.dr, setup[1].exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: adguardInstaller.exe, setup.exe.5.dr, setup[1].exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: setup.exe, 00000006.00000002.3359300348.00000000048CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/Adguard.Burn;component/Resources/Colors.xamld
Source: setup.exe, 00000006.00000002.3359300348.00000000048CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/Adguard.Burn;component/Resources/Images.xamld
Source: Newtonsoft.Json.dll.6.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: adguardInstaller.exe, setup.exe.5.dr, setup[1].exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: adguardInstaller.exe, setup.exe.5.dr, Newtonsoft.Json.dll.6.dr, SharpRaven.dll.6.dr, setup[1].exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: adguardInstaller.exe, BootstrapperCore.dll.6.dr, setup.exe.5.dr, mbapreq.dll.6.dr, Newtonsoft.Json.dll.6.dr, SharpRaven.dll.6.dr, setup[1].exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: SharpRaven.dll.6.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr, Newtonsoft.Json.dll.6.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: SharpRaven.dll.6.dr	String found in binary or memory: http://ocsp.digicert.com0P
Source: SharpRaven.dll.6.dr	String found in binary or memory: http://ocsp.digicert.com0R
Source: adguardInstaller.exe, setup.exe.5.dr, Newtonsoft.Json.dll.6.dr, SharpRaven.dll.6.dr, setup[1].exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: adguardInstaller.exe, setup.exe.5.dr, setup[1].exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: setup.exe, setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000006.00000002.3364240293.0000000006C6B000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://schemas.openxps.org/oxps/v1.0
Source: setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000006.00000002.3364240293.0000000006C6B000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://schemas.openxps.org/oxps/v1.0$
Source: setup.exe, 00000006.00000002.3359300348.0000000004621000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: setup.exe, setup.exe, 00000006.00000002.3365875627.0000000007312000.00000002.00000001.01000000.00000014.sdmp, SharpRaven.dll.6.dr	String found in binary or memory: http://sentry-dsn.invalid
Source: setup.exe, setup.exe, 00000006.00000002.3359300348.0000000004621000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://static.adguard.com/installer.v1.0.json
Source: setup.exe, 00000006.00000002.3364119445.0000000006B52000.00000002.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://static.adguard.com/installer.v1.0.json=args
Source: setup.exe, 00000005.00000002.3355164103.0000000003050000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2530425433.0000000001296000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.3354310497.000000000126B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.3356731833.0000000003610000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://static.adtidy.org/WindowsInstaller-KB893803-v2-x86.exe
Source: setup.exe, 00000005.00000002.3354178761.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2516710742.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2517013274.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://static.adtidy.org/WindowsInstaller-KB893803-v2-x86.exe/
Source: adguardInstaller.exe	String found in binary or memory: http://static.adtidy.org/windows/setup.exe
Source: adguardInstaller.exe, 00000000.00000002.2519044071.0000000001670000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000003.2516720026.0000000001652000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000003.2517008031.000000000166F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://static.adtidy.org/windows/setup.exe2
Source: adguardInstaller.exe, 00000000.00000003.2516331277.000000000167C000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000002.2519068427.000000000167C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://static.adtidy.org/windows/setup.exeF
Source: adguardInstaller.exe, 00000000.00000003.2516331277.000000000167C000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000002.2519068427.000000000167C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://static.adtidy.org/windows/setup.exed
Source: adguardInstaller.exe, 00000000.00000003.2516331277.000000000169A000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000002.2519068427.000000000169A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://static.adtidy.org/windows/setup.exef
Source: BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://wixtoolset.org
Source: setup.exe	String found in binary or memory: http://wixtoolset.org/
Source: setup.exe, 00000006.00000002.3363151676.0000000006712000.00000002.00000001.01000000.0000000E.sdmp, BootstrapperCore.dll.6.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: setup.exe, setup.exe, 00000006.00000002.3363151676.0000000006712000.00000002.00000001.01000000.0000000E.sdmp, BootstrapperCore.dll.6.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: setup.exe	String found in binary or memory: http://wixtoolset.org/releases/
Source: setup.exe, 00000006.00000002.3363151676.0000000006712000.00000002.00000001.01000000.0000000E.sdmp, BootstrapperCore.dll.6.dr	String found in binary or memory: http://wixtoolset.org/releases/SCreating
Source: mbapreq.thm.6.dr	String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: setup.exe	String found in binary or memory: http://wixtoolset.org/telemetry/v
Source: Newtonsoft.Json.dll.6.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: SharpRaven.dll.6.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: setup.exe, 00000005.00000002.3355164103.0000000003050000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000006.00000002.3354310497.000000000126B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.3356731833.0000000003610000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://adguard.app/
Source: setup.exe, 00000005.00000002.3355164103.0000000003050000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000002.3354178761.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.3354310497.000000000126B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.3356731833.0000000003610000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://adguard.app/kb/
Source: setup.exe, 00000005.00000002.3354178761.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://adguard.app/y
Source: setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://adguard.com
Source: setup.exe, setup.exe, 00000006.00000002.3364240293.0000000006BF2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://cdn.adtidy.org/distr/windows/Uninstall_Utility.zip
Source: setup.exe, 00000006.00000002.3364240293.0000000006BF2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://cdn.adtidy.org/distr/windows/Uninstall_Utility.zip5Reinstall
Source: setup.exe, 00000006.00000002.3364676133.0000000006E82000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://dev.adguard.com&https://adguard.com
Source: setup.exe, 00000006.00000002.3359300348.000000000463B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://error.c.cdn77.org/
Source: setup.exe, setup.exe, 00000006.00000002.3367349019.0000000007E32000.00000002.00000001.01000000.00000015.sdmp, Newtonsoft.Json.dll.6.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: setup.exe	String found in binary or memory: https://link.adtidy.org
Source: setup.exe, 00000006.00000002.3364240293.0000000006BF2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: https://link.adtidy.org/
Source: setup.exe, 00000006.00000002.3359300348.00000000045BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s10.adtidy.org:443/api/55/store/
Source: setup.exe, 00000006.00000002.3359300348.00000000045BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s10.adtidy.org:443/api/embed/error-page/
Source: adguardInstaller.exe, setup.exe.5.dr, setup[1].exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: setup.exe, 00000006.00000002.3359300348.000000000463B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://static.adguard.com
Source: adguardInstaller.exe, 00000000.00000003.2516331277.000000000169A000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000002.2519068427.000000000169A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.adtidy.org/
Source: adguardInstaller.exe, 00000000.00000003.2516331277.000000000169A000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000002.2519068427.000000000169A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.adtidy.org/v
Source: adguardInstaller.exe	String found in binary or memory: https://static.adtidy.org/windows/setup.exe
Source: adguardInstaller.exe, 00000000.00000003.2516331277.000000000167C000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000002.2519068427.000000000167C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.adtidy.org/windows/setup.exeL
Source: adguardInstaller.exe, 00000000.00000003.2516331277.000000000167C000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000002.2519068427.000000000167C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.adtidy.org/windows/setup.exex
Source: BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr, SharpRaven.dll.6.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: setup.exe, setup.exe, 00000006.00000002.3365875627.0000000007312000.00000002.00000001.01000000.00000014.sdmp, SharpRaven.dll.6.dr	String found in binary or memory: https://www.getsentry.com
Source: setup.exe, 00000006.00000002.3365875627.0000000007312000.00000002.00000001.01000000.00000014.sdmp, SharpRaven.dll.6.dr	String found in binary or memory: https://www.getsentry.com.
Source: Newtonsoft.Json.dll.6.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.6.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: setup.exe, setup.exe, 00000006.00000002.3367349019.0000000007E32000.00000002.00000001.01000000.00000015.sdmp, Newtonsoft.Json.dll.6.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 37.19.203.49:443 -> 192.168.2.6:49713 version: TLS 1.2

System Summary

Detected potential crypto function

Source: C:\Users\user\Desktop\adguardInstaller.exe	Code function: 0_2_00EC5010	0_2_00EC5010
Source: C:\Users\user\Desktop\adguardInstaller.exe	Code function: 0_2_00EC3D60	0_2_00EC3D60
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B7C01F	5_2_00B7C01F
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B8A28E	5_2_00B8A28E
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B562CC	5_2_00B562CC
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B82413	5_2_00B82413
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B82642	5_2_00B82642
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B8E73C	5_2_00B8E73C
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B7F8C3	5_2_00B7F8C3
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B89DE0	5_2_00B89DE0
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B73F71	5_2_00B73F71
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D0C01F	6_2_00D0C01F
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00CE62CC	6_2_00CE62CC
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D1A28E	6_2_00D1A28E
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D12413	6_2_00D12413
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D12642	6_2_00D12642
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D1E73C	6_2_00D1E73C
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D0F8C3	6_2_00D0F8C3
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D19DE0	6_2_00D19DE0
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D03F71	6_2_00D03F71
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06BF4261	6_2_06BF4261
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06BF2050	6_2_06BF2050
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06BF2445	6_2_06BF2445
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_0731C722	6_2_0731C722
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_0731EA67	6_2_0731EA67
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_07317043	6_2_07317043
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_07315483	6_2_07315483
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_0731D083	6_2_0731D083
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_0731E8E1	6_2_0731E8E1
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_07E33276	6_2_07E33276
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_07E333B9	6_2_07E333B9
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_07E36998	6_2_07E36998
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_6FCB6EE8	6_2_6FCB6EE8
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_6FCC2918	6_2_6FCC2918
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_6FCB7117	6_2_6FCB7117
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_6FCBDD2E	6_2_6FCBDD2E
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_6FCBD880	6_2_6FCBD880
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_0446DA98	6_2_0446DA98
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_0446295F	6_2_0446295F
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_04462988	6_2_04462988
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_04462998	6_2_04462998
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06E26630	6_2_06E26630
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06E2C2C8	6_2_06E2C2C8
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06E20D90	6_2_06E20D90
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06E2ED20	6_2_06E2ED20
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06E219E8	6_2_06E219E8
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06E26623	6_2_06E26623
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06E2ED20	6_2_06E2ED20
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06E2ED19	6_2_06E2ED19
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06E219D8	6_2_06E219D8
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_071E0448	6_2_071E0448
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_071EA328	6_2_071EA328
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_071E0437	6_2_071E0437
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_074DC448	6_2_074DC448
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_074DD300	6_2_074DD300
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_074D6558	6_2_074D6558
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_074D6568	6_2_074D6568
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_074D6568	6_2_074D6568
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_074DC438	6_2_074DC438
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_074DC48F	6_2_074DC48F
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_074DB270	6_2_074DB270
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_074DA202	6_2_074DA202
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_074DA210	6_2_074DA210
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_074DD2E0	6_2_074DD2E0
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_074D99C8	6_2_074D99C8
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_07666568	6_2_07666568
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_076671C0	6_2_076671C0
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_0766B6ED	6_2_0766B6ED
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_07668551	6_2_07668551
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_0766B5C0	6_2_0766B5C0
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_0766B5D0	6_2_0766B5D0
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_07662AF3	6_2_07662AF3
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_0769E8D8	6_2_0769E8D8
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_0769AFE0	6_2_0769AFE0
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_085F89E8	6_2_085F89E8
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_085F2A80	6_2_085F2A80
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_07313339	6_2_07313339
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_07E35D9D	6_2_07E35D9D

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: String function: 00B92B5D appears 79 times
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: String function: 00B52022 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: String function: 00B538BA appears 501 times
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: String function: 00B8FFF0 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: String function: 00B8FB09 appears 681 times
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: String function: 00D22B5D appears 79 times
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: String function: 00D1FFF0 appears 34 times
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: String function: 00CE38BA appears 501 times
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: String function: 00D1FB09 appears 681 times
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: String function: 00CE2022 appears 54 times

Uses 32bit PE files

Source: adguardInstaller.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal45.troj.evad.winEXE@5/78@3/1

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe

Code function: 5_2_00B52078 FormatMessageW,GetLastError,LocalFree,

5_2_00B52078

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B54639 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		5_2_00B54639
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00CE4639 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		6_2_00CE4639

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe

Code function: 5_2_00B928BD GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

5_2_00B928BD

Source: C:\Users\user\Desktop\adguardInstaller.exe

Code function: 0_2_00EC9998 GetModuleHandleW,FindResourceW,SizeofResource,LoadResource,LockResource,

0_2_00EC9998

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe

Code function: 5_2_00B768EE ChangeServiceConfigW,GetLastError,

5_2_00B768EE

Source: C:\Users\user\Desktop\adguardInstaller.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\setup[1].htm

Jump to behavior

Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Mutant created: NULL
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\AdguardInstaller_F23CB6CB-327E-4BB5-B9DF-7062501506B8
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\AdguardBurn_UI_F23CB6CB-C5F8-47BA-B854-DB660C1500BB

Source: C:\Users\user\Desktop\adguardInstaller.exe

File created: C:\Users\user\AppData\Local\Temp\adguard

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Command line argument: cabinet.dll	5_2_00B51070
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Command line argument: msi.dll	5_2_00B51070
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Command line argument: version.dll	5_2_00B51070
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Command line argument: wininet.dll	5_2_00B51070
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Command line argument: comres.dll	5_2_00B51070
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Command line argument: clbcatq.dll	5_2_00B51070
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Command line argument: msasn1.dll	5_2_00B51070
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Command line argument: crypt32.dll	5_2_00B51070
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Command line argument: feclient.dll	5_2_00B51070
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Command line argument: cabinet.dll	5_2_00B51070
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Command line argument: cabinet.dll	6_2_00CE1070
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Command line argument: msi.dll	6_2_00CE1070
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Command line argument: version.dll	6_2_00CE1070
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Command line argument: wininet.dll	6_2_00CE1070
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Command line argument: comres.dll	6_2_00CE1070
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Command line argument: clbcatq.dll	6_2_00CE1070
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Command line argument: msasn1.dll	6_2_00CE1070
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Command line argument: crypt32.dll	6_2_00CE1070
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Command line argument: feclient.dll	6_2_00CE1070
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Command line argument: cabinet.dll	6_2_00CE1070

Source: adguardInstaller.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\adguardInstaller.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE [__preferences] ( [key] TEXT NOT NULL, [type] TEXT NOT NULL, [value] >, PRIMARY KEY ([key], [type]));
Source: setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT name FROM sqlite_master WHERE type='table' AND name='__preferences';LPreference table exists, doing nothingdThe database schema has been successfully verified

Source: setup.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: setup.exe	String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: setup.exe	String found in binary or memory: http://static.adguard.com/installer.v1.0.json
Source: setup.exe	String found in binary or memory: views/installsetting.baml
Source: setup.exe	String found in binary or memory: views/installprogress.baml
Source: setup.exe	String found in binary or memory: /reinstall
Source: setup.exe	String found in binary or memory: 8F2E2C32-2DF5-40B8-ADD4-79A7894C8CA0}
Source: setup.exe	String found in binary or memory: {8F2E2C32-2DF5-40B8-ADD4-79A7894C8CA0}
Source: setup.exe	String found in binary or memory: images/installer-background-corner.png
Source: setup.exe	String found in binary or memory: /Adguard.Burn;component/views/installsetting.xaml
Source: setup.exe	String found in binary or memory: /Adguard.Burn;component/views/installprogress.xaml
Source: setup.exe	String found in binary or memory: t in-addr.arpa in-the-band.net in.na in.net in.rs in.th in.ua in.us ina.ibaraki.jp ina.nagano.jp ina.saitama.jp inabe.mie.jp inagawa.hyogo.jp inagi.tokyo.jp inami.toyama.jp inami.wakayama.jp inashiki.ibaraki.jp inatsuki.fukuoka.jp inawashiro

Source: unknown	Process created: C:\Users\user\Desktop\adguardInstaller.exe "C:\Users\user\Desktop\adguardInstaller.exe"
Source: C:\Users\user\Desktop\adguardInstaller.exe	Process created: C:\Users\user\AppData\Local\Temp\adguard\setup.exe C:\Users\user\AppData\Local\Temp\adguard\setup.exe AID=18673_page_en_welcome
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Process created: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe "C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\adguard\setup.exe" -burn.filehandle.attached=716 -burn.filehandle.self=732 AID=18673_page_en_welcome
Source: C:\Users\user\Desktop\adguardInstaller.exe	Process created: C:\Users\user\AppData\Local\Temp\adguard\setup.exe C:\Users\user\AppData\Local\Temp\adguard\setup.exe AID=18673_page_en_welcome	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Process created: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe "C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\adguard\setup.exe" -burn.filehandle.attached=716 -burn.filehandle.self=732 AID=18673_page_en_welcome	Jump to behavior

Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior

Source: C:\Users\user\Desktop\adguardInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: adguardInstaller.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: adguardInstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: AdGuard.Utils.Base.pdb source: setup.exe, setup.exe, 00000006.00000002.3364676133.0000000006E82000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: setup.exe, 00000006.00000002.3367349019.0000000007E32000.00000002.00000001.01000000.00000015.sdmp, Newtonsoft.Json.dll.6.dr
Source:	Binary string: AdGuard.Utils.pdb source: setup.exe, setup.exe, 00000006.00000002.3366477621.00000000076A2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: setup.exe, setup.exe, 00000006.00000002.3367349019.0000000007E32000.00000002.00000001.01000000.00000015.sdmp, Newtonsoft.Json.dll.6.dr
Source:	Binary string: C:\raven\build\obj\Release\net45\SharpRaven.pdb source: setup.exe, setup.exe, 00000006.00000002.3365875627.0000000007312000.00000002.00000001.01000000.00000014.sdmp, SharpRaven.dll.6.dr
Source:	Binary string: AdGuard.Utils.UI.pdb source: setup.exe, setup.exe, 00000006.00000002.3365693311.0000000007262000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\Bamboo\bamboo-agent-home\xml-data\build-dir\WIN-BR12-JOB1\adguard\Installer\Adguard.Burn\obj\Release\Adguard.Burn.pdb source: setup.exe, setup.exe, 00000006.00000002.3364240293.0000000006C6B000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: AdGuard.Utils.pdb8Y source: setup.exe, 00000006.00000002.3366477621.00000000076A2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Users\Bamboo\bamboo-agent-home\xml-data\build-dir\WIN-BR12-JOB1\adguard\Installer\Adguard.Burn\obj\Release\Adguard.Burn.pdbX source: setup.exe, 00000006.00000002.3364240293.0000000006C6B000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\mbahost.pdb source: setup.exe, 00000006.00000002.3374282807.000000006FCC4000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Users\Bamboo\bamboo-agent-home\xml-data\build-dir\WIN-BWU-JOB1\AdGuard.Commons\build\obj\Release\AdGuard.Utils.Installer\AdGuard.Utils.Installer.pdb source: setup.exe, setup.exe, 00000006.00000002.3364119445.0000000006B52000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\burn.pdb source: setup.exe, 00000005.00000000.2515262039.0000000000B9A000.00000002.00000001.01000000.00000009.sdmp, setup.exe, 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmp, setup.exe, 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmp, setup.exe, 00000006.00000000.2519056452.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmp, setup.exe.5.dr, setup[1].exe.0.dr
Source:	Binary string: indows\dll\System.pdb source: setup.exe, 00000006.00000002.3364896469.0000000006FD1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2833123507.0000000006FD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: setup.exe, setup.exe, 00000006.00000002.3363151676.0000000006712000.00000002.00000001.01000000.0000000E.sdmp, BootstrapperCore.dll.6.dr
Source:	Binary string: C:\raven\build\obj\Release\net45\SharpRaven.pdbSHA256 source: setup.exe, 00000006.00000002.3365875627.0000000007312000.00000002.00000001.01000000.00000014.sdmp, SharpRaven.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.6.dr

Data Obfuscation

Binary contains a suspicious time stamp

Source: AdGuard.Utils.dll.6.dr

Static PE information: 0xE86CB2A4 [Sun Jul 26 09:08:52 2093 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\adguardInstaller.exe

Code function: 0_2_00EC14F0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00EC14F0

PE file contains sections with non-standard names

Source: adguardInstaller.exe	Static PE information: section name: .eh_fram
Source: setup[1].exe.0.dr	Static PE information: section name: .wixburn
Source: setup.exe.0.dr	Static PE information: section name: .wixburn
Source: setup.exe.5.dr	Static PE information: section name: .wixburn

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\adguardInstaller.exe	Code function: 0_2_00EC9998 push edx; mov dword ptr [esp], eax	0_2_00EC99FC
Source: C:\Users\user\Desktop\adguardInstaller.exe	Code function: 0_2_00EC8170 push ecx; mov dword ptr [esp], ebx	0_2_00EC88F8
Source: C:\Users\user\Desktop\adguardInstaller.exe	Code function: 0_2_00EC8170 push eax; mov dword ptr [esp], ebx	0_2_00EC8947
Source: C:\Users\user\Desktop\adguardInstaller.exe	Code function: 0_2_00ECB55C push eax; mov dword ptr [esp], ebx	0_2_00ECB597
Source: C:\Users\user\Desktop\adguardInstaller.exe	Code function: 0_2_00ECB6A8 push ecx; mov dword ptr [esp], eax	0_2_00ECBA6C
Source: C:\Users\user\Desktop\adguardInstaller.exe	Code function: 0_2_00ECB6A8 push ebx; mov dword ptr [esp], 00000005h	0_2_00ECBE95
Source: C:\Users\user\Desktop\adguardInstaller.exe	Code function: 0_2_00ECB6A8 push edx; mov dword ptr [esp], eax	0_2_00ECBF78
Source: C:\Users\user\Desktop\adguardInstaller.exe	Code function: 0_2_00EC8E34 push edx; mov dword ptr [esp], edi	0_2_00EC90EE
Source: C:\Users\user\Desktop\adguardInstaller.exe	Code function: 0_2_00ECF8E2 push ecx; ret	0_2_00ECF8E3
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B7E806 push ecx; ret	5_2_00B7E819
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D0E806 push ecx; ret	6_2_00D0E819
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06BF4261 push es; retf 0000h	6_2_06BF44CC
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06BFA1F7 push es; ret	6_2_06BFA2C2
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_0731E625 push cs; retf	6_2_0731E626
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_0731EA5F push ss; retf	6_2_0731EA64
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_0731E14D push es; retf	6_2_0731E164
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_0731DFA9 push es; retf	6_2_0731E164
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_0731E5ED push cs; retf	6_2_0731E5F0
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_076A511B push es; ret	6_2_076A5127
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_6FCB4476 push ecx; ret	6_2_6FCB4489
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_04466F9C push dword ptr [ebp-48000000h]; retn 0000h	6_2_04466FA2
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06E2769F push es; ret	6_2_06E28A64
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06E2877D push es; ret	6_2_06E28A64
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06E28AC9 push es; ret	6_2_06E28AD4
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06E28A20 push es; ret	6_2_06E28A64
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_06E289F1 push es; ret	6_2_06E28A64
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_074B3157 push cs; iretd	6_2_074B315A
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_074D62F0 pushad ; retf	6_2_074D62FD
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_074D7169 push esp; retf	6_2_074D719D
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_074D6992 pushfd ; retf	6_2_074D699D
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_0766D6AD pushfd ; iretd	6_2_0766D6B1

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\hy\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\zh\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.UI.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ko\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.Installer.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\da\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\he\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\sl\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\no\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\SharpRaven.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\de\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.Base.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\tr\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\nl\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\adguardInstaller.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\setup[1].exe	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\mk\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\zh-TW\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ru\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\pt-PT\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\vi\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\es\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\fa\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\it\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\id\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\be\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to dropped file
Source: C:\Users\user\Desktop\adguardInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\fr\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\fi\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\uk\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ar\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\cs\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\hu\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	File created: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\bg\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\hr\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\pl\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\Adguard.Burn.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ja\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\el\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\sr\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\pt-BR\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\mbapreq.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\be\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\hy\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\zh\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.UI.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\fr\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\fi\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\uk\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ko\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ar\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.Installer.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\cs\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\da\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\he\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\hu\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\sl\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	File created: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\no\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\SharpRaven.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\bg\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\de\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\hr\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.Base.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\tr\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\pl\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\nl\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\mk\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\zh-TW\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\Adguard.Burn.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ru\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\pt-PT\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ja\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\vi\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\es\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\el\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\fa\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\it\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\id\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\sr\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\pt-BR\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	File created: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\mbapreq.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\adguardInstaller.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\adguardInstaller.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Memory allocated: 4310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Memory allocated: 4590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Memory allocated: 4350000 memory reserve \| memory write watch	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86400000	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86399891	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86399781	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86399669	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86399248	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86399125	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86399016	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86398906	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86398782	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86398656	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86398547	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86398437	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86398328	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86398219	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86398109	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86398000	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86397890	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86397765	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86397656	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86397547	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 599446	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 599316	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 599031	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 598921	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 598812	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 598593	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 598155	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 597818	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 597029	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 596809	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 596697	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 596578	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Window / User API: threadDelayed 2672			Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Window / User API: threadDelayed 7111			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\be\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\hy\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\zh\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.UI.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\fr\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\fi\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\uk\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ko\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ar\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\da\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.Installer.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\cs\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\he\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\hu\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\sl\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\no\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\SharpRaven.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\bg\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\hr\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\de\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.Base.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\tr\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\pl\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\nl\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\mk\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\zh-TW\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\pt-PT\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\Adguard.Burn.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ru\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ja\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\vi\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\el\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\fa\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\es\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\it\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\id\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\sr\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\pt-BR\Adguard.Burn.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\Newtonsoft.Json.dll	Jump to dropped file

Found evasive API chain (date check)

Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Found evasive API chain checking for process token information

Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe

API coverage: 9.4 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86400000s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86399891s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86399781s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86399669s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86399248s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86399125s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86399016s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86398906s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86398782s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86398656s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86398547s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86398437s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86398328s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86398219s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86398109s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86398000s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86397890s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86397765s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86397656s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -86397547s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -599446s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -599316s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -599031s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -598921s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -598812s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -598703s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -598593s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -598484s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -598375s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -598265s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -598155s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -598046s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -597937s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -597818s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -597468s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -597249s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -597029s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -596921s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -596809s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -596697s >= -30000s	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe TID: 4052	Thread sleep time: -596578s >= -30000s	Jump to behavior

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B8F79E GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00B8F839h	5_2_00B8F79E
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B8F79E GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00B8F832h	5_2_00B8F79E
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D1F79E GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00D1F839h	6_2_00D1F79E
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D1F79E GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00D1F832h	6_2_00D1F79E

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B87437 FindFirstFileExW,	5_2_00B87437
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B69A1D FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	5_2_00B69A1D
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B93C72 FindFirstFileW,FindClose,	5_2_00B93C72
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B53D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	5_2_00B53D4E
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D17437 FindFirstFileExW,	6_2_00D17437
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00CF9A1D FindFirstFileW,lstrlenW,FindNextFileW,FindClose,	6_2_00CF9A1D
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D23C72 FindFirstFileW,FindClose,	6_2_00D23C72
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00CE3D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	6_2_00CE3D4E
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_6FCBBF0F FindFirstFileExA,	6_2_6FCBBF0F

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe

Code function: 5_2_00B98EF4 VirtualQuery,GetSystemInfo,

5_2_00B98EF4

Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86400000	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86399891	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86399781	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86399669	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86399248	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86399125	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86399016	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86398906	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86398782	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86398656	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86398547	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86398437	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86398328	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86398219	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86398109	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86398000	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86397890	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86397765	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86397656	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 86397547	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 599446	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 599316	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 599031	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 598921	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 598812	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 598593	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 598484	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 598375	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 598265	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 598155	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 598046	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 597937	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 597818	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 597029	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 596809	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 596697	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Thread delayed: delay time: 596578	Jump to behavior

Source: setup.exe, 00000006.00000002.3365693311.0000000007262000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: xsiRdTDvmcIIMvOpgp8
Source: adguardInstaller.exe, 00000000.00000002.2519149562.00000000016B2000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000003.2516331277.00000000016B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: adguardInstaller.exe, 00000000.00000003.2516331277.000000000167C000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000002.2519068427.000000000167C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: setup.exe, 00000006.00000002.3354310497.000000000131D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: setup.exe, setup.exe, 00000006.00000002.3366477621.00000000076A2000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: kWbVqemugZDagFxQSqH
Source: setup.exe, 00000006.00000002.3365693311.0000000007262000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: xDVRv7dfmVmCiRj7YVe

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	API call chain: ExitProcess graph end node

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe

Code function: 5_2_00B834A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_00B834A2

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\adguardInstaller.exe

Code function: 0_2_00EC14F0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00EC14F0

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B84104 mov eax, dword ptr fs:[00000030h]	5_2_00B84104
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D14104 mov eax, dword ptr fs:[00000030h]	6_2_00D14104
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_6FCB8FD6 mov eax, dword ptr fs:[00000030h]	6_2_6FCB8FD6

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\adguardInstaller.exe

Code function: 0_2_00EC8170 GetProcessHeap,strlen,HeapAlloc,memchr,memchr,memchr,memchr,HeapAlloc,HeapFree,GetLastError,HeapAlloc,GdiplusStartup,GetCurrentThreadId,GetDC,GetDeviceCaps,ReleaseDC,SystemParametersInfoW,GetModuleHandleW,LoadIconW,LoadCursorW,RegisterClassExW,SendMessageW,SendMessageW,SendMessageW,GetWindowLongW,SetWindowLongW,KiUserCallbackDispatcher,ShowWindow,GetLastError,CreateThread,KiUserCallbackDispatcher,GetParent,TranslateAcceleratorW,TranslateMessage,DispatchMessageW,WaitForSingleObject,GetExitCodeThread,CloseHandle,DeleteObject,DeleteObject,DeleteObject,GdiplusShutdown,GetModuleHandleW,UnregisterClassW,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,

0_2_00EC8170

Enables debug privileges

Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\adguardInstaller.exe	Code function: 0_2_00EC117C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	0_2_00EC117C
Source: C:\Users\user\Desktop\adguardInstaller.exe	Code function: 0_2_00EC11B3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	0_2_00EC11B3
Source: C:\Users\user\Desktop\adguardInstaller.exe	Code function: 0_2_00EC1170 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	0_2_00EC1170
Source: C:\Users\user\Desktop\adguardInstaller.exe	Code function: 0_2_00EC13D1 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	0_2_00EC13D1
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B7E0A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00B7E0A8
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B834A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00B834A2
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B7E574 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00B7E574
Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe	Code function: 5_2_00B7E707 SetUnhandledExceptionFilter,	5_2_00B7E707
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D0E0A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00D0E0A8
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D134A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00D134A2
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D0E574 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00D0E574
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_00D0E707 SetUnhandledExceptionFilter,	6_2_00D0E707
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_6FCB7F77 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6FCB7F77
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_6FCB42B6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6FCB42B6
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Code function: 6_2_6FCB448C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_6FCB448C

Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe

Process created: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe "C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\adguard\setup.exe" -burn.filehandle.attached=716 -burn.filehandle.self=732 AID=18673_page_en_welcome

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe

Code function: 5_2_00B90FA6 InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,

5_2_00B90FA6

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe

Code function: 5_2_00B932B9 AllocateAndInitializeSid,CheckTokenMembership,

5_2_00B932B9

Source: setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe

Code function: 5_2_00B7E937 cpuid

5_2_00B7E937

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\adguardInstaller.exe

Code function: GetLocaleInfoW,GetWindowLongW,SetWindowLongW,ShowWindow,SendMessageW,SendMessageW,SendMessageW,CreateFontIndirectW,CreateSolidBrush,LoadImageW,SendMessageW,ShowWindow,ShowWindow,strlen,ShowWindow,LoadCursorW,SetWindowLongW,CreateFontIndirectW,SendMessageW,strlen,ShowWindow,

0_2_00EC93D8

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Queries volume information: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\BootstrapperCore.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Queries volume information: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\Adguard.Burn.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Queries volume information: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.Installer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Queries volume information: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.Base.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Queries volume information: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.UI.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Queries volume information: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Queries volume information: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\SharpRaven.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Queries volume information: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework.Aero\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.Aero.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe

Code function: 5_2_00B64E6A ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

5_2_00B64E6A

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe

Code function: 5_2_00B5605F GetSystemTime,GetDateFormatW,GetLastError,GetLastError,GetDateFormatW,GetLastError,

5_2_00B5605F

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe

Code function: 5_2_00B56203 GetUserNameW,GetLastError,

5_2_00B56203

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe

Code function: 5_2_00B98039 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

5_2_00B98039

Source: C:\Users\user\AppData\Local\Temp\adguard\setup.exe

Code function: 5_2_00B551D2 GetModuleHandleW,CoInitializeEx,GetVersionExW,GetLastError,CoUninitialize,

5_2_00B551D2

Source: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

AV process strings found (often used to terminate AV products)

Source: setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bdagent.exe
Source: setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: avgrsx.exe
Source: setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AVKService.exe
Source: setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dwservice.exe
Source: setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AVKProxy.exe
Source: setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AVKTray.exe
Source: setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: avgcsrvx.exe
Source: setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dwuser.exe
Source: setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: avgui.exe
Source: setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ufnavi.exe
Source: setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: mbam.exe

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 6.2.setup.exe.7260000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.setup.exe.6e80000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.setup.exe.76a0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3365693311.0000000007262000.00000002.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3364676133.0000000006E82000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3366477621.00000000076A2000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.Base.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.UI.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.dll, type: DROPPED

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 6.2.setup.exe.7260000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.setup.exe.6e80000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.setup.exe.76a0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3365693311.0000000007262000.00000002.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3364676133.0000000006E82000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3366477621.00000000076A2000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.Base.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.UI.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.dll, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	1 Windows Service	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	13 Process Injection	1 Timestomp	NTDS	35 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	31 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	31 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	13 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
adguardInstaller.exe	0%	Virustotal		Browse
adguardInstaller.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\setup[1].exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\adguard\setup.exe	0%	ReversingLabs
C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.Base.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.Installer.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.UI.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\Adguard.Burn.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\BootstrapperCore.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\SharpRaven.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\System.Data.SQLite.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\System.Runtime.InteropServices.RuntimeInformation.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ar\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\be\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\bg\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\cs\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\da\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\de\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\el\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\es\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\fa\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\fi\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\fr\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\he\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\hr\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\hu\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\hy\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\id\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\it\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ja\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ko\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\mbahost.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\mbapreq.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\mk\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\nl\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\no\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\pl\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\pt-BR\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\pt-PT\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ru\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\sl\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\sr\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\tr\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\uk\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\vi\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\zh-TW\Adguard.Burn.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\zh\Adguard.Burn.resources.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://adguard.app/	0%	Avira URL Cloud	safe
https://cdn.adtidy.org/distr/windows/Uninstall_Utility.zip5Reinstall	0%	Avira URL Cloud	safe
http://wixtoolset.org/releases/SCreating	0%	Avira URL Cloud	safe
http://static.adguard.com/installer.v1.0.json=args	0%	Avira URL Cloud	safe
http://appsyndication.org/2006/appsynapplicationc:	0%	Avira URL Cloud	safe
https://static.adguard.com	0%	Avira URL Cloud	safe
http://static.adguard.com/installer.v1.0.json	0%	Avira URL Cloud	safe
https://www.getsentry.com.	0%	Avira URL Cloud	safe
https://adguard.app/y	0%	Avira URL Cloud	safe
https://cdn.adtidy.org/distr/windows/Uninstall_Utility.zip	0%	Avira URL Cloud	safe
https://dev.adguard.com&https://adguard.com	0%	Avira URL Cloud	safe
https://s10.adtidy.org:443/api/embed/error-page/	0%	Avira URL Cloud	safe
http://defaultcontainer/Adguard.Burn;component/Resources/Images.xamld	0%	Avira URL Cloud	safe
https://adguard.app/kb/	0%	Avira URL Cloud	safe
http://defaultcontainer/Adguard.Burn;component/Resources/Colors.xamld	0%	Avira URL Cloud	safe
http://sentry-dsn.invalid	0%	Avira URL Cloud	safe
http://wixtoolset.org/	0%	Avira URL Cloud	safe
https://s10.adtidy.org:443/api/55/store/	0%	Avira URL Cloud	safe
http://wixtoolset.org/telemetry/v	0%	Avira URL Cloud	safe
https://www.getsentry.com	0%	Avira URL Cloud	safe
http://api.adguard.orgremail=	0%	Avira URL Cloud	safe
https://static.adguard.com/installer.v1.0.json	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
1625341327.rsc.cdn77.org	37.19.203.49	true	false	high
static.adguard.com	unknown	unknown	false	unknown
time.windows.com	unknown	unknown	false	high
static.adtidy.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://static.adtidy.org/windows/setup.exe	false		high
http://static.adguard.com/installer.v1.0.json	true	Avira URL Cloud: safe	unknown
https://static.adguard.com/installer.v1.0.json	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://static.adtidy.org/windows/setup.exed	adguardInstaller.exe, 00000000.00000003.2516331277.000000000167C000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000002.2519068427.000000000167C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://static.adtidy.org/windows/setup.exef	adguardInstaller.exe, 00000000.00000003.2516331277.000000000169A000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000002.2519068427.000000000169A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://adguard.app/	setup.exe, 00000005.00000002.3355164103.0000000003050000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000006.00000002.3354310497.000000000126B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.3356731833.0000000003610000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	adguardInstaller.exe, setup.exe.5.dr, setup[1].exe.0.dr	false		high
http://ocsp.sectigo.com0	adguardInstaller.exe, setup.exe.5.dr, setup[1].exe.0.dr	false		high
http://wixtoolset.org/schemas/thmutil/2010	mbapreq.thm.6.dr	false		high
https://cdn.adtidy.org/distr/windows/Uninstall_Utility.zip5Reinstall	setup.exe, 00000006.00000002.3364240293.0000000006BF2000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://www.newtonsoft.com/json	Newtonsoft.Json.dll.6.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	adguardInstaller.exe, setup.exe.5.dr, setup[1].exe.0.dr	false		high
http://wixtoolset.org/news/	setup.exe, setup.exe, 00000006.00000002.3363151676.0000000006712000.00000002.00000001.01000000.0000000E.sdmp, BootstrapperCore.dll.6.dr	false		high
http://api.adguard.org/api/1.0/register.html	setup.exe	false		high
http://api.adguard.org/api/1.0/register.htmlt	setup.exe, 00000006.00000002.3359300348.00000000045BD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://wixtoolset.org/releases/SCreating	setup.exe, 00000006.00000002.3363151676.0000000006712000.00000002.00000001.01000000.0000000E.sdmp, BootstrapperCore.dll.6.dr	false	Avira URL Cloud: safe	unknown
http://static.adtidy.org/windows/setup.exeF	adguardInstaller.exe, 00000000.00000003.2516331277.000000000167C000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000002.2519068427.000000000167C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://appsyndication.org/2006/appsynapplicationc:	setup.exe, 00000005.00000000.2515262039.0000000000B9A000.00000002.00000001.01000000.00000009.sdmp, setup.exe, 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmp, setup.exe, 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmp, setup.exe, 00000006.00000000.2519056452.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmp, setup.exe.5.dr, setup[1].exe.0.dr	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org	BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	false		high
http://static.adguard.com/installer.v1.0.json=args	setup.exe, 00000006.00000002.3364119445.0000000006B52000.00000002.00000001.01000000.0000000F.sdmp	false	Avira URL Cloud: safe	unknown
https://link.adtidy.org	setup.exe	false		high
http://static.adtidy.org/WindowsInstaller-KB893803-v2-x86.exe	setup.exe, 00000005.00000002.3355164103.0000000003050000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000006.00000003.2530425433.0000000001296000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.3354310497.000000000126B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.3356731833.0000000003610000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.adguard.org	setup.exe	false		high
https://static.adguard.com	setup.exe, 00000006.00000002.3359300348.000000000463B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.getsentry.com.	setup.exe, 00000006.00000002.3365875627.0000000007312000.00000002.00000001.01000000.00000014.sdmp, SharpRaven.dll.6.dr	false	Avira URL Cloud: safe	unknown
https://adguard.app/y	setup.exe, 00000005.00000002.3354178761.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	setup.exe, 00000006.00000002.3359300348.0000000004621000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.adtidy.org/distr/windows/Uninstall_Utility.zip	setup.exe, setup.exe, 00000006.00000002.3364240293.0000000006BF2000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/JamesNK/Newtonsoft.Json	setup.exe, setup.exe, 00000006.00000002.3367349019.0000000007E32000.00000002.00000001.01000000.00000015.sdmp, Newtonsoft.Json.dll.6.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSign	adguardInstaller.exe, 00000000.00000002.2519044071.0000000001670000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000003.2516720026.0000000001652000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000003.2517008031.000000000166F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://link.adtidy.org/	setup.exe, 00000006.00000002.3364240293.0000000006BF2000.00000002.00000001.01000000.00000010.sdmp	false		high
https://static.adtidy.org/v	adguardInstaller.exe, 00000000.00000003.2516331277.000000000169A000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000002.2519068427.000000000169A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	adguardInstaller.exe, setup.exe.5.dr, setup[1].exe.0.dr	false		high
https://s10.adtidy.org:443/api/embed/error-page/	setup.exe, 00000006.00000002.3359300348.00000000045BD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/Adguard.Burn;component/Resources/Images.xamld	setup.exe, 00000006.00000002.3359300348.00000000048CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.adguard.com&https://adguard.com	setup.exe, 00000006.00000002.3364676133.0000000006E82000.00000002.00000001.01000000.00000011.sdmp	false	Avira URL Cloud: safe	unknown
https://adguard.app/kb/	setup.exe, 00000005.00000002.3355164103.0000000003050000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000005.00000002.3354178761.0000000000DDA000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.3354310497.000000000126B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000006.00000002.3356731833.0000000003610000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v	setup.exe, 00000006.00000002.3363151676.0000000006712000.00000002.00000001.01000000.0000000E.sdmp, BootstrapperCore.dll.6.dr	false		high
https://error.c.cdn77.org/	setup.exe, 00000006.00000002.3359300348.000000000463B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	adguardInstaller.exe, setup.exe.5.dr, setup[1].exe.0.dr	false		high
https://static.adtidy.org/	adguardInstaller.exe, 00000000.00000003.2516331277.000000000169A000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000002.2519068427.000000000169A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://api.adguard.org/api/1.0/register.htmlsemail=	setup.exe, 00000006.00000002.3364240293.0000000006BF2000.00000002.00000001.01000000.00000010.sdmp	false		high
http://static.adtidy.org/windows/setup.exe2	adguardInstaller.exe, 00000000.00000002.2519044071.0000000001670000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000003.2516720026.0000000001652000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000003.2517008031.000000000166F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://james.newtonking.com/projects/json	Newtonsoft.Json.dll.6.dr	false		high
https://static.adtidy.org/windows/setup.exex	adguardInstaller.exe, 00000000.00000003.2516331277.000000000167C000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000002.2519068427.000000000167C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://defaultcontainer/Adguard.Burn;component/Resources/Colors.xamld	setup.exe, 00000006.00000002.3359300348.00000000048CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org/releases/	setup.exe	false		high
http://sentry-dsn.invalid	setup.exe, setup.exe, 00000006.00000002.3365875627.0000000007312000.00000002.00000001.01000000.00000014.sdmp, SharpRaven.dll.6.dr	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	adguardInstaller.exe, setup.exe.5.dr, setup[1].exe.0.dr	false		high
https://www.getsentry.com	setup.exe, setup.exe, 00000006.00000002.3365875627.0000000007312000.00000002.00000001.01000000.00000014.sdmp, SharpRaven.dll.6.dr	false	Avira URL Cloud: safe	unknown
http://api.adguard.org/uninstall.html	setup.exe, 00000006.00000002.3364240293.0000000006BF2000.00000002.00000001.01000000.00000010.sdmp	false		high
http://static.adtidy.org/WindowsInstaller-KB893803-v2-x86.exe/	setup.exe, 00000005.00000002.3354178761.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2516710742.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000005.00000003.2517013274.0000000000E2B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/jsonschema	Newtonsoft.Json.dll.6.dr	false		high
http://wixtoolset.org/	setup.exe	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org/telemetry/v	setup.exe	false	Avira URL Cloud: safe	unknown
https://static.adtidy.org/windows/setup.exeL	adguardInstaller.exe, 00000000.00000003.2516331277.000000000167C000.00000004.00000020.00020000.00000000.sdmp, adguardInstaller.exe, 00000000.00000002.2519068427.000000000167C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s10.adtidy.org:443/api/55/store/	setup.exe, 00000006.00000002.3359300348.00000000045BD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson	setup.exe, setup.exe, 00000006.00000002.3367349019.0000000007E32000.00000002.00000001.01000000.00000015.sdmp, Newtonsoft.Json.dll.6.dr	false		high
http://api.adguard.orgremail=	setup.exe, 00000006.00000002.3364240293.0000000006BF2000.00000002.00000001.01000000.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://static.adtidy.org/windows/setup.exe	adguardInstaller.exe	false		high
https://adguard.com	setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.adguard.com/FDefault	setup.exe, 00000006.00000002.3359300348.0000000004658000.00000004.00000800.00020000.00000000.sdmp	false		high
http://appsyndication.org/2006/appsyn	setup.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.19.203.49	1625341327.rsc.cdn77.org	Ukraine		31343	INTERTELECOMUA	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583758
Start date and time:	2025-01-03 14:38:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	adguardInstaller.exe
Detection:	MAL
Classification:	mal45.troj.evad.winEXE@5/78@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 88% Number of executed functions: 111 Number of non-executed functions: 271
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.40.149.189, 13.107.246.45, 20.12.23.50, 184.28.90.27
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:39:41	API Interceptor	249184x Sleep call for process: setup.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1625341327.rsc.cdn77.org	SecuriteInfo.com.TrojanPSW.Purelog.21832.24487.exe	Get hash	malicious	PureLog Stealer	Browse	156.146.33.138
	SecuriteInfo.com.TrojanPSW.Purelog.21832.24487.exe	Get hash	malicious	PureLog Stealer	Browse	212.102.56.179
	__.exe	Get hash	malicious	PureLog Stealer	Browse	156.146.33.15
	__.exe	Get hash	malicious	PureLog Stealer	Browse	195.181.170.18
	TsU2RShnl7.exe	Get hash	malicious	PureLog Stealer	Browse	156.146.36.23

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
INTERTELECOMUA	adguardVPNInstaller.exe	Get hash	malicious	Unknown	Browse	37.19.203.48
	Setup.exe.7z	Get hash	malicious	Unknown	Browse	37.19.194.80
	http://knoxoms.com	Get hash	malicious	Unknown	Browse	37.19.194.80
	armv5l.elf	Get hash	malicious	Unknown	Browse	37.19.194.163
	1.elf	Get hash	malicious	Unknown	Browse	37.19.165.31
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	93.180.197.77
	https://google.com.mx//url?ob=pglnk4shsljbM2dWBuuV7ic1KFgH&aw=f_rand_string_lowercase(8)n9QXkBk0w4OyBDvUpuk&sa=t&whi=f_rand_string_lowercase(8)zOPGXNRztppHiTbPIt5f&url=amp%2Fbraverygray.com/.dd/Kcxz0m1anE-SUREDANN-Y3NoYW5ub25Ac2tvcmJ1cmdjb21wYW55LmNvbQ==	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse	37.19.194.80
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	93.180.197.89
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	130.180.209.215
	Setup.exe	Get hash	malicious	Unknown	Browse	37.19.194.80

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	37.19.203.49
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	37.19.203.49
	PO_B2W984.com	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	37.19.203.49
	file.exe	Get hash	malicious	Snake Keylogger	Browse	37.19.203.49
	file.exe	Get hash	malicious	Snake Keylogger	Browse	37.19.203.49
	file.exe	Get hash	malicious	Snake Keylogger	Browse	37.19.203.49
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	37.19.203.49
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	37.19.203.49
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	37.19.203.49
	NL Hybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer	Browse	37.19.203.49
37f463bf4616ecd445d4a1937da06e19	RisingStrip.exe	Get hash	malicious	Vidar	Browse	37.19.203.49
	adguardVPNInstaller.exe	Get hash	malicious	Unknown	Browse	37.19.203.49
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	37.19.203.49
	Setup.msi	Get hash	malicious	Unknown	Browse	37.19.203.49
	Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe	Get hash	malicious	Remcos	Browse	37.19.203.49
	file.exe	Get hash	malicious	XRed	Browse	37.19.203.49
	file.exe	Get hash	malicious	XRed	Browse	37.19.203.49
	file.exe	Get hash	malicious	XRed	Browse	37.19.203.49
	file.exe	Get hash	malicious	XRed	Browse	37.19.203.49
	file.exe	Get hash	malicious	XRed	Browse	37.19.203.49

Process:	C:\Users\user\Desktop\adguardInstaller.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	777
Entropy (8bit):	4.812853348194197
Encrypted:	false
SSDEEP:	12:hSn2O6Qclfhxts9FQ60hFP4xs4uXRLdJFQNVly/tb:hSfspxts9qHbBXRhXQNVWR
MD5:	566C9F568337B3AE48041017D6B8EFD3
SHA1:	2CA98F8834491FB8AB60DDB4FB785E14638E19E8
SHA-256:	EF0AC46BCF8A974BF7B72434F3D4F9AB9E80873EC212A6E8714F5CCABA19D939
SHA-512:	E91CD181B64EF4B983B47A9F29180CD21BD399B1210094093B1B4F660DF720D90A232DB1F7227F2D0F85A28E0A55538EE550B9DBE50F06B3ED98F340240822DB
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html>.<head>. <base href="https://error.c.cdn77.org/" target="_blank">. <meta http-equiv="Content-Type" content="text/html; charset=utf-8">. <meta name="author" content="(c) 2023 CDN77">. <meta name="viewport" content="width=device-width, initial-scale=1">. <link rel="stylesheet" href="css/main.css">. <link rel="shortcut icon" href="img/favicon.ico" />.. <title>Moved Permanently</title>.</head>.<body style="background-color: #0d5284; color: #fff;" class="Header-wrap">. <h1>. <small class="Header-errorNumber">. 301 Redirect</small><br>. Moved Permanently. </h1>. <p class="Header-description"tion">. This resource has been permanently moved to a new location.</p>.</body>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\setup[1].exe

Download File

Process:	C:\Users\user\Desktop\adguardInstaller.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51932240
Entropy (8bit):	7.99603605204137
Encrypted:	true
SSDEEP:	1572864:+FANKCdm+4rvFGrowzUO/te6cFAzCt5oLL+ndJwiI:tKC8GhYUzCtU
MD5:	9EFF4EA678EA4A1F9F7802B8FC4AD702
SHA1:	293BDDD205D9C724040B880DEC975CB503DF2F49
SHA-256:	520A7E1083744C33D69A6325643EC3E2F923823E35AC7C0E3322AD94A1E735A6
SHA-512:	B7AF72B52D9013F3C2C20CAA28B9B76CFBAC677408102F48B31AB257FFE209AA219EA6A4B8EE4774A5573B3DFC53024029D7C0A9C66DAB430557434F72347919
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9.o.}k..}k..}k.....wk......k.....ek../...nk../...ik../...Vk..t...xk..t...lk..}k..(j......6k......\|k..}k...k......\|k..Rich}k..........PE..L...2p.].....................x......q.............@..........................P......4c....@.............................................L4..........8<...0.......=..0p..T....................p.......j..@...................4\|.......................text............................... ..`.rdata..`...........................@..@.data...............................@....wixburn8...........................@..@.rsrc...L4.......6..................@..@.reloc...=.......>..................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\adguard\Adguard_20250103083939.log

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	ASCII text, with very long lines (327), with CRLF line terminators
Category:	dropped
Size (bytes):	15298
Entropy (8bit):	5.4296039042951785
Encrypted:	false
SSDEEP:	384:YpgrH9BULNnqZqtrZVKJCdahFdvIMTbJWQXBPs+t7GZ7/++GdQZV5Vz32e:2Uo
MD5:	80D72E33D1F74EC35D8BAC2861677BCA
SHA1:	85D28BE6DD2CB8FD8886A9C00602E75F7FABF36E
SHA-256:	EB51B9F5C57448BE3DC25254B4820C1ABE249D02A2D46B8B6179A332C77E4A82
SHA-512:	752997B7050EF28DB96DE88B293F89CED8151C86C130231F47ACC99BCA2EB62A69C10FBC1B0B55D6056A1C313A5E7295F7052C8897C4F15D828C4AB22210AEC6
Malicious:	false
Reputation:	low
Preview:	[110C:1934][2025-01-03T08:39:38]i001: Burn v3.11.2.4516, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe..[110C:1934][2025-01-03T08:39:38]i000: Initializing string variable 'AID' to value ''..[110C:1934][2025-01-03T08:39:38]i000: Initializing string variable 'CID' to value ''..[110C:1934][2025-01-03T08:39:38]i000: Initializing string variable 'REMOVE_SETTINGS' to value 'NO'..[110C:1934][2025-01-03T08:39:38]i000: Initializing string variable 'SHOW_UNINSTALL_PAGE' to value 'YES'..[110C:1934][2025-01-03T08:39:38]i000: Initializing string variable 'NORUN' to value 'NO'..[110C:1934][2025-01-03T08:39:38]i000: Initializing string variable 'INSTALLDESKTOPSHORTCUT' to value ''..[110C:1934][2025-01-03T08:39:38]i000: Initializing string variable 'INSTALLLOCATION' to value ''..[110C:1934][2025-01-03T08:39:38]i000: Initializing string variable 'BUNDLE_KEY' to value '[WixBundleProviderKey]'..[110C:1934][2025-01-03T08:39:38]i000:

C:\Users\user\AppData\Local\Temp\adguard\setup.exe

Download File

Process:	C:\Users\user\Desktop\adguardInstaller.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51932240
Entropy (8bit):	7.99603605204137
Encrypted:	true
SSDEEP:	1572864:+FANKCdm+4rvFGrowzUO/te6cFAzCt5oLL+ndJwiI:tKC8GhYUzCtU
MD5:	9EFF4EA678EA4A1F9F7802B8FC4AD702
SHA1:	293BDDD205D9C724040B880DEC975CB503DF2F49
SHA-256:	520A7E1083744C33D69A6325643EC3E2F923823E35AC7C0E3322AD94A1E735A6
SHA-512:	B7AF72B52D9013F3C2C20CAA28B9B76CFBAC677408102F48B31AB257FFE209AA219EA6A4B8EE4774A5573B3DFC53024029D7C0A9C66DAB430557434F72347919
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9.o.}k..}k..}k.....wk......k.....ek../...nk../...ik../...Vk..t...xk..t...lk..}k..(j......6k......\|k..}k...k......\|k..Rich}k..........PE..L...2p.].....................x......q.............@..........................P......4c....@.............................................L4..........8<...0.......=..0p..T....................p.......j..@...................4\|.......................text............................... ..`.rdata..`...........................@..@.data...............................@....wixburn8...........................@..@.rsrc...L4.......6..................@..@.reloc...=.......>..................@..B........................................................................................................................................................................................................................................................

C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\adguard\setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3347128
Entropy (8bit):	7.6913933620573465
Encrypted:	false
SSDEEP:	49152:WT2pZ1x98nD47SF54sSMKBukolw1gB4mlvJdjFdBOu/YCGCt28uhQNmw0B:WT0J98nyS74sSMKB39KBFpJd5mCuS25
MD5:	44876B0645D1BDFDCDD7C5133B2EAD8E
SHA1:	B0C7E70F3530520A8D810A1F4FDCFF78A56A45E5
SHA-256:	BB4630C36C78D2E1EBD404D6EB622EF4C6150A40B6BF3F667BDB08C94E3CBA34
SHA-512:	F97917FF1B74FF544D79E9EB48FC29DEBF89635B076492A2BCB6303BA850B6548D1369F219C23941A505D477B1B4C9C53A6C47EA7CE47F219B0B57C9DFFE3C4F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9.o.}k..}k..}k.....wk......k.....ek../...nk../...ik../...Vk..t...xk..t...lk..}k..(j......6k......\|k..}k...k......\|k..Rich}k..........PE..L...2p.].....................x......q.............@..........................P........3...@.............................................L4............2..0.......=..0p..T....................p.......j..@...................4\|.......................text............................... ..`.rdata..`...........................@..@.data...............................@....wixburn8...........................@..@.rsrc...L4.......6..................@..@.reloc...=.......>..................@..B........................................................................................................................................................................................................................................................

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1028\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2025
Entropy (8bit):	6.231406644010833
Encrypted:	false
SSDEEP:	48:cxX7DTAT8tMBCus9T3FVWmHdniarRFeOrw8Nhv2VyfN3mKNWFP44SBWWW1GyfiPq:8L4T2RJhfHP8+VYuTmQUc2mE
MD5:	1D4B831F77EFEC96FFBC70BC4B59B8B5
SHA1:	1B3ED82655AEC8A52DAEC60F8674BC7E07F8CFEB
SHA-256:	1B93556F07C35AC0564D57E0743CCBA231950962C6506C8D4A74A31CD66FD04C
SHA-512:	C6CCB188281F161DEBF02DCDDE24B77D8D14943DEED8852E77E5AFB18F3F62683AB1AE06DCEB1E09D53804A76DF6400A360712D8E7E228B7F971054BB4FB2496
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="zh-tw" Language="1028" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName] ...... Microsoft .NET Framework</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/passive \| /quiet - ...... UI ............ UI ... ........... UI ........../norestart - ................UI ............./log log.txt - ............ %TEMP% ......</String>.. <Stri

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1029\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2458
Entropy (8bit):	5.36165936198009
Encrypted:	false
SSDEEP:	48:cxX7DTZT8u9cktosM6re4mSTcIIyfI7sh/DMNwIHWAoN3mepNRfKPnWZ0hqAQZfC:8LxTK23f33AwIViRrRynRuZfiMS
MD5:	CC8C6D04DC707B38E0F0C08BA16FE49B
SHA1:	95EA7F570677AEA52393D02FDB21CEBB218A7343
SHA-256:	DC445E2457ED31ABF536871F90FF7CC96800A40B6BC033F37D45E3156A3B4FA9
SHA-512:	A4B19EBC8BB0D88ABA7D3D5783E28F8B6E0960582A540059BC71076B1203BF43BCA15EA726272D15395C7B4E431046ADA1CBB9D55072BBC5DBE7729C4599F0E0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="cs-cz" Language="1029" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalace produktu [WixBundleName]</String>.. <String Id="Title">Pro instalaci produktu [WixBundleName] je vy.adov.no rozhran. Microsoft .NET Framework.</String>.. <String Id="ConfirmCancelMessage">Opravdu chcete akci zru.it?</String>.. <String Id="HelpHeader">N.pov.da k instalaci</String>.. <String Id="HelpText">/passive \| /quiet - Zobraz. minim.ln. u.ivatelsk. rozhran. bez jak.chkoli.. v.zev, nebo nezobraz. ..dn. u.ivatelsk. rozhran. ani ..dn. v.zvy. Ve v.choz.m.. nastaven. se jak u.ivatelsk. rozhran., tak i v.echny v.zvy zobrazuj....../norestart - Potla.. jak.koli p

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1030\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2286
Entropy (8bit):	5.061915970731254
Encrypted:	false
SSDEEP:	48:cxX7DCrT81tbzjamsjFq7LhzqGgdRDJNbqoN3mpN+ELPnfyOwYxPyzraXnAF:8LaTOkaEOiGd/BwF
MD5:	7C6E4CE87870B3B5E71D3EF4555500F8
SHA1:	E831E8978A48BEAFA04AAD52A564B7EADED4311D
SHA-256:	CAC263E0E90A4087446A290055257B1C39F17E11F065598CB2286DF4332C7696
SHA-512:	2A02415A3E5F073F4530FD87C97B685D95B8C0E1B15EFD185CC5CB046FCF1D0DCE28DB9889AD52588B96FE01841A7A61F6B7D6D2F669EAB10A8926C46B8E93D1
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="da-dk" Language="1030" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Installation af [WixBundleName]</String>.. <String Id="Title">Microsoft .NET Framework skal v.re installeret i forbindelse med Installationen af [WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Er du sikker p., at du vil annullere?</String>.. <String Id="HelpHeader">Hj.lp til installation</String>.. <String Id="HelpText">/passive \| /quiet - viser en minimal brugergr.nseflade uden prompter eller.. viser ingen brugergr.nseflade og ingen prompter... Brugergr.nsefladen og alle prompter vises som standard...../norestart - skjuler fors.g p. genstart. Der vises som standard en.. foresp.rgse

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1031\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2442
Entropy (8bit):	5.094465051245675
Encrypted:	false
SSDEEP:	48:cxX7DASTcCwit/soJy9hkVByUZN+29N3mfN65PS9CvZwZi7uuASD:8LxT8itGeVB97+gyC9BdaSD
MD5:	C8E7E0B4E63B3076047B7F49C76D56E1
SHA1:	4E44E656A0D552B2FFD65911CB45245364E5DBF3
SHA-256:	631D46CB048FB6CF0B9A1362F8E5A1854C46E9525A0260C7841A04B2316C8295
SHA-512:	FD7E8896F9414F0DB7A88F926F55EE24E0591DA676F330200BC6BB829EB32648D90D3094E0011BFE36C7BA8BE41DFD74B12D444AFEA0D2866801258DA4FA16E8
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="de-de" Language="1031" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <UI Control="InstallButton" Width="180" />.. .. <String Id="Caption">[WixBundleName]-Setup</String>.. <String Id="Title">F.r das [WixBundleName]-Setup ist Microsoft .NET Framework erforderlich.</String>.. <String Id="ConfirmCancelMessage">Sind Sie sicher, dass Sie den Vorgang abbrechen m.chten?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/passive \| /quiet - zeigt eine minimale Benutzeroberfl.che ohne.. Eingabeaufforderungen oder keine Benutzeroberfl.che und keine.. Eingabeaufforderungen an. Standardm..ig werden die Benutzeroberfl.che und.. alle Eingabeaufforderungen angezeigt...../no

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1032\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3400
Entropy (8bit):	5.279888750092028
Encrypted:	false
SSDEEP:	48:cxX7D8jVT8dUk9Ug/usOo2pNSBIbESvR2drdESPzghC76DeN2hL0eLoN3mOLSNIx:8L45TCyop5riGzH7xgJit8IqSsBwqk
MD5:	074D5921AF07E6126049CB45814246ED
SHA1:	91D4BDDA8D2B703879CFE2C28550E0A46074FA57
SHA-256:	B8E90E20EDF110AAAAEA54FBC8533872831777BE5589E380CFDD17E1F93147B5
SHA-512:	28DAC36516BCC76BCC598C6E7ABDE359695F85AB7A830D6ADBC844EB240D9FA372CB5A5CE4DBE21E250408C6B246D371D3CDD656D2178FB0EC22DAC7D39CBD9F
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="el-gr" Language="1032" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">........... ... [WixBundleName]</String>.. <String Id="Title">... ... ........... ... [WixBundleName] .......... .. Microsoft .NET Framework</String>.. <String Id="ConfirmCancelMessage">..... ....... ... ...... .. ..... .......;</String>.. <String Id="HelpHeader">....... ... ... ...........</String>.. <String Id="HelpText">/passive \| /quiet - ......... ........ ........... ... ............. .......... ...... ..... ........ . ... ..

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1035\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2235
Entropy (8bit):	5.142592159444541
Encrypted:	false
SSDEEP:	48:cxX7DE+T8Z+bm5snwETMAoQEATN27uNBDReq4N3mJeNHNP64NsFKJJem4vyAs:8LZTDkZ7+2IBCht6J8neHs
MD5:	E338408F1101499EB22507A3451F7B06
SHA1:	83B42F9D7307265A108FC339D0460D36B66A8B94
SHA-256:	B7D9528F29761C82C3D926EFE5E0D5036A0E0D83EB4CCA7282846C86A9D6F9F3
SHA-512:	F7BE923DC2856E0941D0669E2DE5A5C307C98DC7EBA0A1B68728EB29C95B4625145C2AD3AC6F6B6D82F062887EA349E2187F1F91785DDE5A5083BC1150E56326
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="fi-fi" Language="1035" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] -asennus</String>.. <String Id="Title">Microsoft .NET Framework tarvitaan [WixBundleName] -asennusta varten</String>.. <String Id="ConfirmCancelMessage">Haluatko varmasti peruuttaa?</String>.. <String Id="HelpHeader">Asennusohjelman ohje</String>.. <String Id="HelpText">/passive \| /quiet - n.ytt.. mahdollisimman v.h.n k.ytt.liittym.st.; ei.. kehotteita tai ei k.ytt.liittym.. ja kehotteita. Oletusarvoisesti.. k.ytt.liittym. ja kaikki kehotteet n.ytet..n...../norestart - est.. uudelleenk.ynnistysyritykset. Oletusarvoisesti.. k.ytt.liittym. kysyy ennen uudelleenk.yn

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1036\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2306
Entropy (8bit):	5.076293283609686
Encrypted:	false
SSDEEP:	48:cxX7DyBT81BbKBswAL1xV1wjRcDSNwDXoN3mSZfNhkLPkQpznsdMEodAY:8LwTK5KHsijmEXY
MD5:	AA32A059AADD42431F7837CB1BE7257F
SHA1:	4CD21661E341080FB8C2DEFD9F32F134561FC3BA
SHA-256:	88E7DDACD6B714D94D5322876BD50051479B7A0C686DC2E9EB06B3B7A0BC06C9
SHA-512:	78E201F369E65535E25722DFC0EFE99EDF641F7C14EFF1526DC1CC047FF11640079F1E3D25C9072CF25F4804195891BE006FC5ED313063AFCB91FB5700120B88
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="fr-fr" Language="1036" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Installation de [WixBundleName]</String>.. <String Id="Title">Microsoft .NET Framework requis pour l'installation de [WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.tes-vous s.r de vouloir annuler.?</String>.. <String Id="HelpHeader">Aide de l'installation</String>.. <String Id="HelpText">/passive \| /quiet - affiche une interface minimale sans invites ou n'affiche.. aucune interface ni aucune invite. Par d.faut, l'interface et toutes les.. invites sont affich.es...../norestart - annule toute tentative de red.marrage. Par d.faut, l'interface.. affiche une invite avant de red.marrer..

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1038\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2392
Entropy (8bit):	5.293225307744296
Encrypted:	false
SSDEEP:	48:cxX7DwzT8cSwvs48mF7GD/g1v0wH7N3wwJxL99oN3m/ZNRUYPBZRT1XESW3o/ULG:8LQT2wpFGbgT3wMN2QRj/y/LKr
MD5:	17FB605A2F02DA203DF06F714D1CC6DE
SHA1:	3A71D13D4CCA06116B111625C90DD1C451EA9228
SHA-256:	55CF62D54EFB79801A9D94B24B3C9BA221C2465417A068950D40A67C52BA66EF
SHA-512:	D05008D37143A1CC031F4B6268490A5A10FBB686C86984D20DB94843BDC4624EF9651D158DCB5B660FC239C3C3E8D087EB5D23FFFB8C4681910CBC376148F0F0
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="hu-hu" Language="1038" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] telep.t.</String>.. <String Id="Title">A(z) [WixBundleName] telep.t.s.hez Microsoft .NET-keretrendszer sz.ks.ges</String>.. <String Id="ConfirmCancelMessage">Biztosan megszak.tja?</String>.. <String Id="HelpHeader">A telep.t. s.g.ja</String>.. <String Id="HelpText">/passive \| /quiet - Minim.lis felhaszn.l.i fel.let megjelen.t.se k.rd.sek.. n.lk.l, illetve felhaszn.l.i fel.let .s k.rd.sek megjelen.t.se n.lk.li.. telep.t.s. Alapesetben a felhaszn.l.i fel.let .s minden k.rd.s megjelenik...../norestart - Az .jraind.t.si k.r.sek elrejt.se. Alapeset

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1040\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2304
Entropy (8bit):	4.985260685429469
Encrypted:	false
SSDEEP:	48:cxX7DQyT81ebRcesyB+lY25ukVpkXJM2DJNXhpXZoN3mMhNTM+POYO/n1YxXlcI5:8LFTzLtkfwWKXHZi37MIDp
MD5:	50261379B89457B1980FF19CFABE6A08
SHA1:	F80B1F416539D33206CE3C24BA3B14B799A84813
SHA-256:	A40C94EB33F8841C79E9F6958433AFFD517F97B4570F731666AF572E63178BB7
SHA-512:	BBD9794181EEC95D6BE7A1B7BA83FD61AF2B2DF61D9DA8DDA2788B61BEC53C30FCEFE5222EDF134166532B36D3AB6CE8996F2D670DC6907C1864AF881A21EA40
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="it-it" Language="1040" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Installazione di [WixBundleName]</String>.. <String Id="Title">Microsoft .NET Framework necessario per l'installazione di [WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="HelpHeader">Guida dell'installazione</String>.. <String Id="HelpText">/passive \| /quiet - visualizza l'interfaccia utente minima senza istruzioni.. oppure non visualizza n. l'interfaccia utente n. le istruzioni. Per.. impostazione predefinita vengono visualizzate interfaccia utente e.. istruzioni...../norestart - elimina eventuali tentativi di riavvio. Per impostazione.. predefinita l'int

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1041\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2545
Entropy (8bit):	5.923292576429967
Encrypted:	false
SSDEEP:	48:cxX7DpcYT86WyscLpTIFw6tnOUjsj/D3NIgHcQN3mKN/WPOhT0SXsDay+z8QZEcE:8L1TccOFw6tnOUjsjpICnlOO934apWz
MD5:	DB0F5BAB42403FD67C0A18E35E6880EC
SHA1:	C0A18C8C5BCD7B88C384B5304B56EEB85A0DA3DC
SHA-256:	CCDCDB111EFA152C5F9FF4930033698B843390A549699AE802098D87431F16FE
SHA-512:	589522BD4A26BF54CCF3564E392E41BBBA4E7B3FD1ED74E7F4F6AD6F2E65CDE11FFF32D0C5F3BCD09052FE5110FDC361D1926E220FD0BAD2D38CAC21BBE93211
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="ja-jp" Language="1041" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ......</String>.. <String Id="Title">[WixBundleName] ........ Microsoft .NET Framework .....</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/passive \| /quiet - ... UI ....................UI.. .............. .....UI ....................../norestart - ........................

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1042\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2236
Entropy (8bit):	5.97627825234954
Encrypted:	false
SSDEEP:	48:cxX7D3sT8ZeusKOwOWGyKCstFmhENI2Y+kN3mp4iNmi6IPa0dDaoIunvZqIHU5UH:8LQTXvRFhIzl44wmgko04U5TY
MD5:	442F8463EF5CA42B99B2EFACA696BD01
SHA1:	67496DB91CBAA85AC0727B12FC2D35E990537DAC
SHA-256:	D22F6ADA97DBFFC1E7548E52163807F982B30B11A2A5109E71F42985102CCCBD
SHA-512:	A350EAF9E7AEAFAB1163D7C0B8D014AFE07EE98BAE3915CBDD3C26282E345A0838E853C89BAE8943474758DCBCFD0BB0724A0C75CBF969F321FAB4944E8704FD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="ko-kr" Language="1042" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ..</String>.. <String Id="Title">[WixBundleName] ... ... Microsoft .NET Framework</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/passive \| /quiet - ... .. .. UI. ..... UI. .... .... .... ..... ..... UI . .. .... ........../norestart - .. ..... ... ...... ..... UI. .. .... .. .... ......../log log.txt - .

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1043\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2312
Entropy (8bit):	4.965432037520827
Encrypted:	false
SSDEEP:	48:cxX7DK1T8u7hbU7Asd7MqpSwzCcHGFN9OsNN3mvoNBC7hPFtO7+xw7t0Yza2Al:8LcTtpGLFSwJHmPnnKhEBtsl
MD5:	67F28BCDB3BA6774CD66AA198B06FF38
SHA1:	85D843B7248A5E1173FF9BD59CB73BB505F69B66
SHA-256:	226B778604236931B4AE45F6F272586C884A11517444A34BF45CD5CAE49BE62E
SHA-512:	7BC7D3E6E19ECF865B2CABFC46C75D516561D5A8A81A8ED55B4EDBA41A13A7110F474473740200AFB035B9597A2511D08C2A2E7A9ADE2C2AB4D3F168944B8328
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="nl-nl" Language="1043" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Installatie</String>.. <String Id="Title">Microsoft .NET Framework is vereist voor installatie [WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Weet u zeker dat u de installatie wilt annuleren?</String>.. <String Id="HelpHeader">Help bij Setup</String>.. <String Id="HelpText">/passive \| /quiet - geeft een minimale gebruikersinterface weer zonder prompts.. of geeft geen gebruikersinterface en geen prompts weer. Gebruikersinterface.. en alle prompts worden standaard weergegeven...../norestart - pogingen tot opnieuw opstarten onderdrukken... Gebruikersinterface vraagt standaard al

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1044\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2171
Entropy (8bit):	5.089922193759582
Encrypted:	false
SSDEEP:	48:cxX7DTeT8uUbnFdsLnFHv+Gpm1qL5DQNDDaoN3mpZfN15dPnfuOOg5wZ5uAq8fAS:8L+Tec1x8Siule4S
MD5:	5454F724C9CDAB8172678A1CC7057220
SHA1:	241A57018ACE1210881583A9CF646E7D2E51412F
SHA-256:	41545AC1247B61C3C3E2A7E4659D9FAD2BCCA8347C69F2EB7B9D0CF5FC31E113
SHA-512:	40E311EADA299996E32A7D35223CA678A03C869D63C023D59BC97A7B2049B0252AA9D0A7EC8558D5ACB73BD14C7BFA913097E65ABEE7455658DB7E35BBDA8AE1
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="nb-no" Language="1044" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Installasjonsprogram</String>.. <String Id="Title">Microsoft .NET Framework kreves for [WixBundleName]-installasjon</String>.. <String Id="ConfirmCancelMessage">Er du sikker p. at du vil avbryte?</String>.. <String Id="HelpHeader">Installasjonshjelp</String>.. <String Id="HelpText">/passive \| /quiet - viser minimalt brukergrensesnitt uten ledetekster, eller.. ikke noe brukergrensesnitt og ingen ledetekster. Som standard vises.. brukergrensesnitt og alle ledetekster...../norestart - undertrykker alle fors.k p. omstart. Som standard sp.r.. brukergrensesnittet f.r omstart.../log log.txt

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1045\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2368
Entropy (8bit):	5.270514043715206
Encrypted:	false
SSDEEP:	48:cxX7Du4OT82gXusarwkfpYrKD8DTNkbNuoN3mjbsNniIPh8ynN1NYd4iYuffAL:8LKTsXgpYr2IyoiiOffpT3L
MD5:	96ACAAA5AEF7798E9048BAFF4C3FA8D3
SHA1:	E76629973F6C1CFC06F60BA64FE9F237B2DB9698
SHA-256:	F4AA983E39FB29C95E3306082F034B3A43E1D26489C997B8E6697B6A3B2F9F3C
SHA-512:	964F73E572BDCB1AD946C770E6A2FB4A1CE54AF4B5BB072F64256083BA27A223F4DAD4A95B9D2A646180806D1F977726147970B06AAC35EED75AEC6CA89ED337
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="pl-pl" Language="1045" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalator programu [WixBundleName]</String>.. <String Id="Title">Do zainstalowania programu [WixBundleName] jest wymagany program Microsoft .NET Framework</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="HelpHeader">Pomoc instalatora</String>.. <String Id="HelpText">/passive \| /quiet - wy.wietla minimalny interfejs u.ytkownika bez monit.w.. lub nie wy.wietla interfejsu u.ytkownika ani monit.w. Domy.lnie jest.. wy.wietlany interfejs u.ytkownika i wszystkie monity...../norestart - pomija wszelkie pr.by ponownego uruchomienia. Domy.lnie.. interf

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1046\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2147
Entropy (8bit):	5.130635342194656
Encrypted:	false
SSDEEP:	48:cxX7DuoT85b0s/4TDoYDj4NF5j2hN3mMNYskPDXKIMaKcP9A5g:8L1TmBHjs59M8r6
MD5:	BD39ADB6B872163FD2D570028E9F3213
SHA1:	688B8A109688D3EA483548F29DE2E57A8A56C868
SHA-256:	ECB5C22E6C2423CAF07AEBE69F4FAF22450164EEE9587B64EF45A2D7F658CA15
SHA-512:	F2826BE203E767D09FF0D7677E1CF5B13113B773D529166DAE02A1F5DB2DC58E0856A34901DF70011EBABB6E964FAB7ACF38590E650BD629D4E4DC4CB36C8D45
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="pt-br" Language="1046" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Instala..o</String>.. <String Id="Title">Microsoft .NET Framework . necess.rio para instala..o do [WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/passive \| /quiet - exibe UI m.nima sem avisos ou exibe sem UI e.. sem avisos. Por padr.o a UI e todos avisos s.o exibidos...../norestart - suprime qualquer tentativa de reinicializa..o. Por padr.o a UI.. ir. solicitar antes de reiniciar.../log log.txt - logs para um arquivo espec.fico. Por padr.

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1049\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2880
Entropy (8bit):	5.408094213063887
Encrypted:	false
SSDEEP:	48:cxX7DkTT8fjtEeusogrohY2Ar7DHNnjTh53oN3miRMNKrdPin+/uYcbSkuEIcOvG:8LYT8EeHMMJRNi1Ruwi3OwL
MD5:	DAF167AF4031EF47E562056A7D51AA73
SHA1:	0156B230CADD6169AC2820865E3C031ED79785EF
SHA-256:	C91C9E87AB4A6DB078F1991F4A2CDC726B58A40E47BCE49D39168A8F8F151C3B
SHA-512:	5E87EE3838E3595ADBD7EABA6E3E33CDFEA5E15ED716FBCCDBD55235B3E53E1E41EA5A907F425E96C35167543C7F75AC5214B5AEE177D299FC2464A68B22851E
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="ru-ru" Language="1049" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">......... [WixBundleName]</String>.. <String Id="Title">... ......... [WixBundleName] ......... Microsoft .NET Framework</String>.. <String Id="ConfirmCancelMessage">.. ............. ...... ........ ........?</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/passive \| /quiet - ........... ............ .. ... ........ ... ...... ... .. .. . ............ .. ......... ............ .. . ... ......

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1051\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2334
Entropy (8bit):	5.397882326481071
Encrypted:	false
SSDEEP:	48:cxX7D+cT8muPusz2qs1u+Vh1TqDINHZJoN3m8fN0vPp3OAwa2ywSODAm:8L1TuPdKNzfifFmcatm
MD5:	016C278E515F87F589AD22C856B201F7
SHA1:	F20C7DB38B3161B143DEC4E578CE71D7F585F436
SHA-256:	4A7FDF4A9033FE05C31F565ED3AE5B8C67D324B7AEADB737CE95DBB416D46868
SHA-512:	310C85B27E1ECF4C6729E88051037150CFBA0234A0138666C26662B3D665FF38B74E95ABCADDEEF6CBEBB23E3357FAC487E6EE5EB8FE158C269D77672191B042
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="sk-sk" Language="1051" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] . in.tal.cia</String>.. <String Id="Title">Na in.tal.ciu aplik.cie [WixBundleName] sa vy.aduje s..as. Microsoft .NET Framework</String>.. <String Id="ConfirmCancelMessage">Naozaj chcete zru.i. oper.ciu?</String>.. <String Id="HelpHeader">Pomocn.k pre in.tal.ciu</String>.. <String Id="HelpText">/passive \| /quiet . zobraz. minim.lne pou..vate.sk. rozhranie bez v.ziev alebo.. nezobraz. .iadne pou..vate.sk. rozhranie ani v.zvy. Predvolene sa.. zobrazuje pou..vate.sk. rozhranie aj v.etky v.zvy...../norestart . zru.. v.etky pokusy o re.tart. Pou..vate

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1053\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2132
Entropy (8bit):	5.1255014007111495
Encrypted:	false
SSDEEP:	48:cxX7DviT8NFLbu9sM2vECjf26axBZYXcqADCNKTbkoN3maT6NWOjEXPauOOKYnhf:8LmTAcRnQXFPK0iHMsfb2Ws3M
MD5:	D95E81164C57B6FD75E7C3022454192E
SHA1:	5D5ACBC56E7078AF4D04C45B78C0FF090C02EE6A
SHA-256:	6DD61CC6B87B53EAF28430068A2A459730FD4B2BCF876CCDF040212D04C4FE7D
SHA-512:	9E4BA81A145574818DD6A1F1D0EC38EA1629C7771919C35923F440E31EA9912E1630D94FCDB82B71104EBD61D0321DCDF935BA20D69988EE6E9B22259186AF0C
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="sv-se" Language="1053" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName]-installation</String>.. <String Id="Title">Microsoft .NET Framework kr.vs f.r installation av [WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Vill du avbryta?</String>.. <String Id="HelpHeader">Installationshj.lp</String>.. <String Id="HelpText">/passive \| /quiet - visar ett minimalt anv.ndargr.nssnitt utan prompter,.. alternativt inget anv.ndargr.nssnitt och inga prompter. Som standard visas.. anv.ndargr.nssnitt och samtliga prompter...../norestart - hejdar omstart. Som standard visar anv.ndargr.nssnittet en.. prompt f.re omstart.../log log.txt - skapar logg till

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1055\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2303
Entropy (8bit):	5.2754753523795275
Encrypted:	false
SSDEEP:	48:cxX7DNcYT8anOSMsHEqGpcBztpvrJlrs2ZmNI2+Yo6irN3m22NFcPc+4Trzrdgc7:8LZHTE7APaTI9sq6yEbgg
MD5:	01B200E06BA600A4EF00C00F7AAC5CE4
SHA1:	22234426C42637E069A46217019551E4434A4AB6
SHA-256:	06BFB6DFBC38105C699DEA226A029DF3EF673C33E4B8928DC4EC7FB8F761487D
SHA-512:	8BDCF7533A6BCFA231B42A7EF845A70C7535FBF607D62FF6404928D5941BA6AFBF139450A1A1B58C65FACF88DC0785AEC4ABEFBCC803466A58B1930F7C468CDD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="tr-tr" Language="1055" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Kurulumu</String>.. <String Id="Title">[WixBundleName] kurulumu i.in Microsoft .NET Framework gerekir</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/passive \| /quiet - komut istemi olmayan olabildi.ince k...k bir UI.. g.r.nt.ler veya komut istemi ve UI g.r.nt.lemez. Varsay.lan olarak UI.. ve t.m komut istemleri g.r.nt.lenir...../norestart - yeniden ba.latma denemelerini engeller. Varsay.lan.. olarak UI yeniden ba.latmadan .nce komut isteyecekt

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1060\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2200
Entropy (8bit):	5.1485120966265
Encrypted:	false
SSDEEP:	48:cxX7DZ0T8obZsw9g5gS56K97D7NCt2VoN3mQXNJPOhP58vqc1qwueo3RAL:8LyTLlS9h9hCtsihdxOh+NL
MD5:	5836F0C655BDD97093F68AAF69AB2BAB
SHA1:	B6842E816F9E0DCC559A5692E4D26101D10B4B16
SHA-256:	C015247D022BDC108B4FFCAE89CB55D1E313034D7E6EED18744C1BB55F108F8C
SHA-512:	640A79D6A756E591AD02DDCCC53BC43F855C5148B8CBB5CE6C1CAF5419CA02F7B2AFF89CCA4C056356814D3899EF79BF038B4E8B4B79EB85138A3CEDCCE93E5B
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="sl-si" Language="1060" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Namestitev</String>.. <String Id="Title">Microsoft .NET Framework, potreben za namestitev paketa [WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Ali ste prepri.ani, da .elite preklicati?</String>.. <String Id="HelpHeader">Pomo. za namestitev</String>.. <String Id="HelpText">/passive \| /quiet - prika.e minimalni uporabni.ki vmesnik brez pozivov ali ne prika.e.. uporabni.kega vmesnika in pozivov. Privzeto so prikazani uporabni.ki vmesnik in.. vsi pozivi...../norestart - skrije vse mo.nosti za vnovicni zagon. Privzeto uporabni.ki vmesnik.. prika.e poziv pred ponovnim zag

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\2052\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	1980
Entropy (8bit):	6.189594519053644
Encrypted:	false
SSDEEP:	48:cxX7DjQT8tOBousi+zq+frUR2ropNV2rfN3msNUqPPT9T+DwZ9f5wDTAV:8L4TGUGw3V8N3RykV
MD5:	A34DCF7771198C779648B89156483E83
SHA1:	A6E0FA91CD50048511C7BEF1BE3A8D32B42B6D1F
SHA-256:	89C559C6765F8D643469E3C8F4AA93023F09369B0395EA647FAD5AF3C2893EB6
SHA-512:	0F1D7BC4FD64E18EEEC488CDCE01FB6BFA5CD3BFF614A8D03E388D39F569B8341E74302946877EB25BA1EB17AEC137499189605E251FAFB6B20051744CB463B1
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="zh-ch" Language="2052" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] ..</String>.. <String Id="Title">[WixBundleName] .... Microsoft .NET Framework</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/passive \| /quiet - ..... UI .......... UI ... ........... UI ........../norestart - .............. UI ........../log log.txt - .............. %TEMP% ........</String>.. <String Id="HelpCloseButton"

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\2070\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2211
Entropy (8bit):	5.1155097909395035
Encrypted:	false
SSDEEP:	48:cxX7DbT8QGls54nK3znI5zKDj4NLkdoN3mMNYsEPbpK2Aegeu9A5g:8LXTUasJnYdi59som6
MD5:	8A278E519EF81B2847490EFB070219BC
SHA1:	7365EDF6E4F9E66B6CEE47933B6C70FF0B9ECFF8
SHA-256:	E2BFDB2CF3BEAE2E988827C52C58006D7EEAD4ABA5312B5EAE1F6CCF3863C385
SHA-512:	88275C1136FFB15AB04D315E8601BE2DE77387F3E00F17E9807E415A9DFC4A73E2CD3B5710E4CA58006F91E18180D7CFAEEF4E8319C624E1B81397F9CB9ECA92
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="pt-pt" Language="2070" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Configura..o do [WixBundleName]</String>.. <String Id="Title">O Microsoft .NET Framework . necess.rio para a configura..o do [WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem a certeza de que pretende cancelar?</String>.. <String Id="HelpHeader">Ajuda da Configura..o</String>.. <String Id="HelpText">/passive \| /quiet - apresenta IU m.nima sem mensagens ou n.o apresenta IU nem.. mensagens. Por predefini..o, s.o apresentadas a IU e todas as mensagens...../norestart - suprimir qualquer tentativa de rein.cio. Por predefini..o, a IU.. avisar. antes de reiniciar.../log log.txt - r

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\3082\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2400
Entropy (8bit):	4.992567587099768
Encrypted:	false
SSDEEP:	48:cxX7DLT8/OusS2V8j4Lq+7dKzCLdqaaD6NJaXFoN3mRNLo3PWKWnRcsB9A8:8LfTz+8EPqKqTJiFikUgk8
MD5:	1024AA88AE01BC7BA797193CC6023375
SHA1:	9252A309C1CB32573F4D58A595A78660FDF54B2F
SHA-256:	B884C4ABB8867553C1FFADD6721C2135EC5F9F1455C3F668D711CCEA65363D1A
SHA-512:	77E6DD332104C0461B7C5A08469161AF3F1DC51D3B55585D39DD9FC9E2088DA036BDF2278CFB96CA702FD26CE073C6C6F66611313270700B9E7A76600C1C8E38
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="es-es" Language="3082" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">La instalaci.n de [WixBundleName] requiere Microsoft .NET Framework</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar?</String>.. <String Id="HelpHeader">Ayuda del programa de instalaci.n</String>.. <String Id="HelpText">/passive \| /quiet - muestra una interfaz de usuario m.nima y no realiza.. preguntas, o bien no muestra interfaz de usuario y no realiza preguntas... De manera predeterminada se muestra la interfaz de usuario completa y se.. realizan todas las preguntas necesarias...../norestart - suprime cu

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.Base.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	915488
Entropy (8bit):	6.182064914671662
Encrypted:	false
SSDEEP:	12288:qL1QnG9V3PjKmxf3PVj4U+ccnnt5S9fMZbOFxR:PnsBdPj+cwnt5vZbKR
MD5:	9F2C33EF712E6E903004E641BD412045
SHA1:	68A289B1FD6987EB4776260488E86B8C6371B7F6
SHA-256:	30F4226341A773838B10FBF9E261C9C343241A2D439C434AFB59BD3283469958
SHA-512:	B55D0EBB4C83CA1DEF0081569679846FDBD8F078F03750F1D101A5E0DF8DA5206D3A57DDA3F06D2657D6201AF0BE3539B88CC800C6EBB73A325D6133CD31C9EC
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.Base.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-.f...........!..0.................. ........@.. ....................... .......(....`.....................................K....................... 0.......................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@....reloc..............................@..B........................H...........T...........$...;..........................................."+.(@D1N...B(....(....(.......:+.(.ln.(.....:+.(..=J.(......(....(............(............................8.....(.... ....~....{>...:....& ....8....8........E................8......}.... ........8......}.... ....~....{....:....& ....8...............{.............{.........*.......................8........E............C...R.......n...........8.... ... ..b.a .q34a~....{....a(..........%...(.

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.Installer.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	60448
Entropy (8bit):	6.059789362360412
Encrypted:	false
SSDEEP:	1536:k9slrVMSJMCLn9LuoDP17XCfM8wpXxEQT:k9slrlnRLfDt7XC08wpX
MD5:	7633477809EC8FC66F63C21293050E42
SHA1:	99BE917975BC61ADDD82930660993B6567E1323A
SHA-256:	1BB177A19712CEC261A35622D53BF9715A0F25EAD1F2D1A3F8878D2CED7ACDBC
SHA-512:	50441304D6A9A0689A9594B756A846DD54BD5431A391055477EC930E993762F9049FE614EC1DBB18D29E919D198749D62BC1335006753AD83FCC4AD4C5832C58
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3v8..........." ..0.............2.... ........... ....................... .......;....`.....................................O....................... 0..............8............................................ ............... ..H............text...8.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........F......................x.........................................{...."..}....2. `...(....:.(......(........0............(......,...(....o.........0..w........(....,....i.r...po....,8.r...p.o.........Yo....(.....r...p......%...P....(....+..(..........r;..p......%...(..................\\......:.( .....(......{...."..}.....r...p......%...%...(.....(....o!...o".....o#.......0..P.......r...p......%...(.....(....o!...o"....o$.....!.r...p......%...%...(....~%....

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.UI.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	707104
Entropy (8bit):	6.130451228407615
Encrypted:	false
SSDEEP:	12288:i9b1x8G9Z8OXQii08+m++eOc+fGfpc5TDPCEcsVtySpsG:64O80FzOVSsTDPTcsVtySpsG
MD5:	14A4B0B27021F87299C415CFBE3A4F7E
SHA1:	70065D633A3FD78EE874EBB230038A7EFC44406C
SHA-256:	B433E53D249DB3290A03A9C4A6727C278E79F78CA5EDC1AD8E4D4051918BFDE2
SHA-512:	4ADF4331FDDB4324B02F9037D478580F9C575D22A07F6A598B5AB72CDEB350943DBABF0DC7004D16E77B5C88CFFF9414F0CC0A573B46C7EDD42F8966BA8E431F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.UI.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....~f...........!..0.................. ........@.. ....................................`....................................K....................... 0..........}................................................ ............... ..H............text...$.... ...................... ..`.rsrc...............................@....reloc..............................@..B........................H........'..@............$..U..........................................."+.(X,=H...B(Z...(....(.......:+.(..`N.(P............{................................8........E....,.......+...8'.....}.... ....~A...{}...9....& ....8..... .w6. ....c ;v\.a~A...{]...a(....~....(.... ....~A...{a...:....& ....8x.................................8........E............8....* .... .t.X 5...a~A...{;...a(..........%..(.....~....(.... ....~A...{c...:....& ....8...........*...............

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1930272
Entropy (8bit):	6.1256488268923475
Encrypted:	false
SSDEEP:	24576:e7eU1QSa8eNZqtVlYgQ8r2UfDufxht7yJUL:eN6/YvQU26Qb7yi
MD5:	4647654EA9ECCBC18C98B49DD7A8DCC1
SHA1:	44A7F42CBD7E979D500995A3934009EE410532E6
SHA-256:	302C891D873D86967B590E4695BBF2DB2C42317B00F941E560940EA3180CF181
SHA-512:	53C3109C285B4FB2273BC1C63F9192847E5B28976E40361452C2081ECC13F234E92F46BD14EB646D16AE02BC3048393A6D3D8F00B8E39E06D30EDA5E73B65EA7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.dll, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\AdGuard.Utils.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....l............!..0..:..........^Y... ...`....@.. ....................................`..................................Y..K....`..t............D.. 0...........X............................................... ............... ..H............text...d9... ...:.................. ..`.rsrc...t....`.......<..............@....reloc...............B..............@..B................@Y......H.......hc..............t.......;X......................................"+.(.o.;...B(\...(....(.......:+.(..I>.(R....:+.(G".b.(.............{.............{.........................}......}.................................8........E........R...,...........8.......;.... ....~....{....9....& ....8......9r... ....~....{....:....& ....8....(.....{......{....o....97... ....~....{....9e...& ....8Z...(.....{......{....o.......u...... ....8,..........*...................

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\Adguard.Burn.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	578560
Entropy (8bit):	4.433180209308801
Encrypted:	false
SSDEEP:	3072:4gjp3D0NNPC7AV7EXyQt35NUEIGm1zyaeXauH4lG1xA0+rp9s8:4oMpC7A5yU1zyaeXauH4lG1xA0+rp9
MD5:	21210BE0F38555265CDE8E5556C70EA0
SHA1:	717A4D2B185361767E3585E548735FD3D1B23BC9
SHA-256:	FD539D42544AFBCA68ED539D1C84F0C01642A80DB5831979AA1E49CF512B7E26
SHA-512:	891895F693DC840F3BFFBC779A97400092A86E782C48FB092037F6230AC3094416744A22A73F02A8E7AE2DC411A79AA1DD76C3A1762278DF88573688FE114BCA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e..g.........." ..0.................. ........... .......................@............`.................................0...O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................d.......H........l..0...........0q...w..........................................>. 4......(....2......o....:........o ....0..,........o!...r...p $...........%...%....o"...t....&...o#.....($....r!..p^rQ..p~....o%.....(&...Br...pr...p(....Br...pr...p(....Br...pr...p(....n~..........s'...s(.........0..!.......(....r...p().....(...-..(+...&.J.#(,...r...p()...B(....r...p()...B(....r...p()...B(....rK..p()....rs..p(-...B(....r...p()...V(....o/...r...p()...*F.(....r...p()

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\BootstrapperApplicationData.xml

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (516), with CRLF line terminators
Category:	dropped
Size (bytes):	8360
Entropy (8bit):	3.7767979596788117
Encrypted:	false
SSDEEP:	192:XWUOnYfaeuvvy6D48Pv7vrR8Y/3AQT0snTQO:Xwv6W
MD5:	F5D0FE6AB8C717F08E22DED94CCEAB16
SHA1:	0BE9519DEC3B0AAD14DAB51081C674A973D1D0C6
SHA-256:	D7ECEECC29AEB3A982A0D21A980C6D4F1C4573334D6F49EFDF300817B83B964D
SHA-512:	F1D2AB6F997EAC0CE916E8C828FE68068D991DF6B0DEF67689E8DE6EBBDCA44681DDB286FED09660021017C57C5D46CD10EAD77BED45286C7585144BB1E4A01B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.W.i.x.B.u.n.d.l.e.P.r.o.p.e.r.t.i.e.s. .D.i.s.p.l.a.y.N.a.m.e.=.".A.d.G.u.a.r.d.". .L.o.g.P.a.t.h.V.a.r.i.a.b.l.e.=.".W.i.x.B.u.n.d.l.e.L.o.g.". .C.o.m.p.r.e.s.s.e.d.=.".n.o.". .I.d.=.".{.7.0.9.5.5.7.6.5.-.7.a.f.e.-.4.0.0.4.-.9.8.8.0.-.5.e.4.8.e.b.c.7.b.4.f.a.}.". .U.p.g.r.a.d.e.C.o.d.e.=.".{.8.C.A.5.8.1.B.3.-.9.B.F.1.-.2.9.4.2.-.8.D.8.6.-.3.B.7.A.5.D.C.D.F.5.F.E.}.". .P.e.r.M.a.c.h.i.n.e.=.".y.e.s.". ./.>..... . .<.W.i.x.M.b.a.P.r.e.r.e.q.I.n.f.o.r.m.a.t.i.o.n. .P.a.c.k.a.g.e.I.d.=.".N.e.t.F.x.4.5.R.e.d.i.s.t.". .L.i.c.e.n.s.e.U.r.l.=.".h.t.t.p.:././.g.o...m.i.c.r.o.s.o.f.t...c.o.m./.f.w.l.i.n.k./.?.L.i.n.k.I.D.=.2.6.0.8.6.7.". ./.>..... . .<.W.i.x.P.a.c.k.a.g.e.P.r.o.p.e.r.t.i.e.s. .P.a.c.

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\BootstrapperCore.config

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	dropped
Size (bytes):	1071
Entropy (8bit):	5.029769946737034
Encrypted:	false
SSDEEP:	24:JdRt7RtYr49itYQsKmhDrdHDpshqRQNF7yYhOXrSl2/uo+/tO2:3fRt0Kit0vlrhpQD7e71uo47
MD5:	898C2A320BEA0580F37BEECCDA8F2378
SHA1:	ECCAB214A148E6A7A9535BF1C83B714C756DABF2
SHA-256:	4440270EFC95C694150A665B62CA89B8B93B1271DFB2757E8DD1A68EF2705498
SHA-512:	E4608AAB984C6E97B00E80D2635A283392F1EB24BDB65F5FCE92851EB63AD474E5050AC46E5CAFE2DBD438DD026269253BD4EC427F08B2A09788D6B1D49BCC84
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8" ?>.<configuration>. <configSections>. <sectionGroup name="wix.bootstrapper" type="Microsoft.Tools.WindowsInstallerXml.Bootstrapper.BootstrapperSectionGroup, BootstrapperCore">. <section name="host" type="Microsoft.Tools.WindowsInstallerXml.Bootstrapper.HostSection, BootstrapperCore" />. </sectionGroup>. </configSections>. <startup useLegacyV2RuntimeActivationPolicy="true">. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />. </startup>. <wix.bootstrapper>. <host assemblyName="Adguard.Burn">. <supportedFramework version="v4\Full" />. <supportedFramework version="v4\Client" />. </host>. </wix.bootstrapper>. <runtime>. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">. <dependentAssembly>. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />. <bindingRedirect oldVersion="0.0.0.0-11.0.0.0" newVersion="11.0.0.0" />. </d

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\BootstrapperCore.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	90032
Entropy (8bit):	5.688550211341784
Encrypted:	false
SSDEEP:	768:9BgPxZlx0MBps+j7ejaab0Y6OwE7v10WHSp5fh06iG27N9k+6ybJ1ErEgtCmYjhm:HHMBp/GRbgi5ofpiG2pq+51EogsmYI
MD5:	B0D10A2A622A322788780E7A3CBB85F3
SHA1:	04D90B16FA7B47A545C1133D5C0CA9E490F54633
SHA-256:	F2C2B3CE2DF70A3206F3111391FFC7B791B32505FA97AEF22C0C2DBF6F3B0426
SHA-512:	62B0AA09234067E67969C5F785736D92CD7907F1F680A07F6B44A1CAF43BFEB2DF96F29034016F3345C4580C6C9BC1B04BEA932D06E53621DA4FCF7B8C0A489F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Mp.].........." ..0...... ........... ...@....... ..............................N.....@.................................`...O....@...............@.......`......(-............................................... ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......0..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\Newtonsoft.Json.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	711952
Entropy (8bit):	5.967185619483575
Encrypted:	false
SSDEEP:	12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
MD5:	195FFB7167DB3219B217C4FD439EEDD6
SHA1:	1E76E6099570EDE620B76ED47CF8D03A936D49F8
SHA-256:	E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
SHA-512:	56EB7F070929B239642DAB729537DDE2C2287BDB852AD9E80B5358C74B14BC2B2DDED910D0E3B6304EA27EB587E5F19DB0A92E1CBAE6A70FB20B4EF05057E4AC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O......................../.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(......(....^.(...........%...}....:.(......}....:.(......}......(....:.(......}......{......(......(....:.(......}......{.....(.............}.....(......{.....X.....}......0...........-.~.....~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..\|....(......._..{........+,..{\|....3...{{......(....,...{{.....{}.......-.....0...........-.r...ps....z.o......-.~.....~....

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\SharpRaven.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	117080
Entropy (8bit):	6.406215603644869
Encrypted:	false
SSDEEP:	1536:WKKw4TfSgLOwanNdGzV9P23rl0LnITwa8yNpgwoIhAm7lPxHPxS:WKKBrbanrp0k38yNumrZxvxS
MD5:	89A2762F19597B82D5C501366E5B2F29
SHA1:	F5DF7962015164E4BFED0AE361F988C1E581677E
SHA-256:	A236377DB9EE299087C4F8FA6E345765AC4A25AA5D7FABFD8B724F1889324167
SHA-512:	BD2A4AB78835092ABB0CF3CAE0850C8B2AA344247F6479CFD59D52BBA60C4B605ADA4BF885E1AB0B86D4FAB138A9084900B954E62E6384D794F2CE61C999CB13
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....~..........." ..0..x..........N.... ........... ...............................I....`.....................................O.......................XI..........8...T............................................ ............... ..H............text...\|v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B................/.......H.......,................................................................0............r...p( ...t;....+.....0...........~.....+..".(!....Vr...p("...u............0..T........(#......(......,.r...ps$...z....s%...}......{....(....}......{....(....%-.&r...pr...ps&...z}......{....o'...}......{....(....}......{....(....}....rQ..p......%..{....o(....%..{....o)....%..(.....q....%..(.....%..(.....(......s%...}....r...p......%..{....o(....%..{....o)....%..(.....q....%..(.....(...

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\System.Data.SQLite.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	364376
Entropy (8bit):	6.108576409953374
Encrypted:	false
SSDEEP:	6144:D4xtlRVuJ4v4pFNFaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cb8:6ljdv4pFNFaFeFOFwcGF6cmFWc0FWc8z
MD5:	8F922199D5C10A98FC99138678698268
SHA1:	BF8D41C15E8F26EC6085DBC8C808F9FDB606DD81
SHA-256:	08E9AAAAAF2C05CC92033B0B801C808C5AC57A251ADDFD0367C598187DB97AC7
SHA-512:	1C3890F0E934958257E956651631F3110789DA661BB5FEE4A533FECBBE90AFEF7E93109974407563310D6300E8A694AB67A0CA72F43834EE98C6BF64868124CF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...I..Y...........!.....<..........^[... ...`....... ..............................p.....`..................................[..W....`.. ............F..XI...........Y............................................... ............... ..H............text...d;... ...<.................. ..`.rsrc... ....`.......>..............@..@.reloc...............D..............@..B................@[......H...........8...................P ......................................1.9v'.J..b.r.4.t...,9.p\|.A.....a.....tl..........i\z9......Q.uo.x...O...a.#..I........h.#.\.3f._QA8No....YR..J.S.w..O. ..1:.(......}......{....:.(......}......{....r.(......}......}......}......0..5........-..~.....o.....X...r....~.......o......o .........6..(....(...."..(.....0..T........~!...("...-..-.~#...../....+...X....($...-..-.~#.....r........(%...~.......o&...Z.~....2..~.........

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\System.Runtime.InteropServices.RuntimeInformation.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33256
Entropy (8bit):	6.470050941710262
Encrypted:	false
SSDEEP:	768:vn1VM0JrpNWDcIh6leOiDFIFBYp1+ziBEBMf:vnvXYcIh6yFIFBYpczyEBMf
MD5:	82DEB78891F430007E871A35CE28FAC4
SHA1:	4E490D7EC139A6CDE53E3932D3122A48AA379904
SHA-256:	2F141B72A2AF0458993E27559395D8A8CDB0B752D79B1703541A61E728B55237
SHA-512:	E47F741AA9153CFAFC5F6BE39987D7C7D8FB745566C4D9A4525B9F30CBE6DF450D27BCDF8998DEC7AF824A7BE0F5E9EECAD2A39072B956A6320D23D94A0DA71A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... ....................................@.................................dW..O....`...............B...?..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~.......0..$.........(.....o.......&...,....o....,.....................,!(....,..r...p.(....(......(......(....,.r...p......%...%...(...........%...(.....(....,.r...p......%...%...%...(...........%...%...(......0..A.......(....,!r...p......%...%...%...%...(...........%...%...%...(....2r...p.(..........(....2(.....(....^~....-.(.........~....*..0..........~..........(

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ar\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	4.865507455215444
Encrypted:	false
SSDEEP:	192:DzszgonF/LLR3wDXRD9iy2k7P9Ue8dUn9sPKSC3k:D4EoFTLGDBRiy16e8dUn9CSk
MD5:	C3755399F6408DCA8D644838CE9FC590
SHA1:	9B080E90E0925CD7CD255E3375CD896C313728DD
SHA-256:	E79018FA459107E1D286BD9EC5DD7AF4FDA13C3EADAF5FAAB709104E3AD9E42C
SHA-512:	71BB829F3AFA18200FE15846CB960757FC87B10ABB634EA7C807875CBC2917E4D88C42AD20E5137FFCE01A9277C94D939FA7AE40C43D1F13A89B72979F69C43D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i..g...........!.....2...........P... ...`....... ....................................@..................................O..W....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................O......H.......`L..T...........P ...,...........................................,.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\be\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	4.980770946663823
Encrypted:	false
SSDEEP:	192:fzszgojSCdTvYBSAoDQK70iFwr0mTOSkadB1k1DWhTcZS0zhMeyvStSicfD+gfD9:f4EoOFPoclH0mq8dY1DWhYFytRfdfp
MD5:	C5F941FE5A1B5A7010E71E019FE79DE8
SHA1:	5B2585375CEDE8821873F9D2E8047DFD788B2E8B
SHA-256:	59C508F5F9304EBB6E0BB16BFFCF203AC47503F8CF6B51752560A3A45297F732
SHA-512:	957395E4666CDF40333F836470041116B9835AB4E3D74285E34362886B7E3CD2B068F4470FEB629F81BD198D69ED7F86C55AE8774AACC7151073848667BCA062
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f..g...........!.....6...........T... ...`....... ....................................@..................................T..K....`............................................................................... ............... ..H............text....4... ...6.................. ..`.rsrc........`.......8..............@..@.reloc...............<..............@..B.................T......H.......<Q..T...........P ...0...........................................0.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\bg\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	4.794367968078548
Encrypted:	false
SSDEEP:	192:csFmDQQ7I5LZympXlmk4Z2WJbOXrbu84bC4:cv/Ac3JIu8Y
MD5:	84624EB369685A8114275D74E6120997
SHA1:	359A2E0727BF5CDB70D4E5DCC5AC2DC3E231ECCE
SHA-256:	7C9CE5DA3E676967724B2272D8022022267731A52BAFD520CA5E7744B3D79159
SHA-512:	091D959B90D48F65EF3FDE84FB09998BD520A76E8C7F4EC3C741F26F80DFCC4CDAFDE5FB80A0CD8C65AC55B8C2042785E24583184E3DAA4D07DFBFA07328596C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i..g...........!................~=... ...@....... ....................................@.................................$=..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B................`=......H........9..T...........P ..............................................{..............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....-.......PADPADP......T.P.....;{..bq..a.Q...u.j.........i.b.......9..8^....#......n..d......k....>..+.....F. .Q</A..6..f8..z:..~CM.(DK..G.N.S9Y.`.#.c\.}k.S.l.[.m...s..t...t...z".\|...\| ..},.......'.......s... ...C...................s...

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\cs\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.873378700024091
Encrypted:	false
SSDEEP:	192:PzszgoZr6w8BN4IglZL+pwcc2PZ9JMfmLOCEaVdmI6c+cfCw:P4EoZi4IglZL+pxc2P3C5faVdmfc+c/
MD5:	D696A1249B6354520A6DD84497611130
SHA1:	4B6C8A7FF680DAB4E8C15E281E23D9ACDC932E60
SHA-256:	58D5B8CD931CE9FA5FBF561C83C8FCED014F66B1CDFFC7EB41C0BF39B278C97C
SHA-512:	0F008814DE928C89D8F6A9F86B71E1D810F477CD1DFA43D51E5C74E5125A7A3773FB27CE12C1EFEB0A9BF792B94E5E50AD383E4D88BBFD3DD7A82BC9807C4227
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f..g...........!...............NI... ...`....... ....................................@..................................I..K....`............................................................................... ............... ..H............text...T)... ..................... ..`.rsrc........`.......,..............@..@.reloc...............0..............@..B................0I......H........E..T...........P ..\%..........................................X%.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\da\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.660223379797153
Encrypted:	false
SSDEEP:	192:TzszgoZhZNAPSBVW3OJ8g8NuqHeXwbGC2w0svS5fTbRpEi5YcM5YLRlCw:T4EobcKC3KbPE2AvSZk1cjv
MD5:	04B08AC71BD304C3D4B120FC5EFE6F34
SHA1:	0E322011E39B83AFADDCA65CCBE8E8F81FB2067C
SHA-256:	780A05BB28E9F3F2AF5582E3F622BD023208C1A2C92E81180884A594F200B6FB
SHA-512:	8461CF44E055BCD68012B52D63CF34A2C48676DD7388B327D3ACABC20E2C53EBF572D489CD0F81898AA1F4E3F0D860B895BCE3F7AD2D6B958E08F847AA4AA1C7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i..g...........!.....(...........G... ...`....... ....................................@.................................dG..W....`............................................................................... ............... ..H............text....'... ...(.................. ..`.rsrc........`.......*..............@..@.reloc..............................@..B.................G......H........D..T...........P ...#...........................................#.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\de\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.723084680677864
Encrypted:	false
SSDEEP:	192:tzszgoFzwMne3pNJQCci1kDiMczVmudDtEmOfTSISiUdCH:t4Eo1aqiu4Y8a
MD5:	AB32213542620FCDD7DCFC2D4F864E94
SHA1:	79D1F2938769E2AE1151A8B5F1B36AD2FB0ADFCA
SHA-256:	10B8E679FBB1E32009CB2751867683B8D979BAB4B5EE46E6A8C2846AD504B2F6
SHA-512:	F496CF65ED8686371C82C2D4B33A71C4AA51ED6F5E1DDB3488EA942536681638C45C1F5E12D970B47C17AC958C84EFF5DC15632DF5F809DE0CC692EAD5078187
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f..g...........!.....,..........~K... ...`....... ....................................@.................................0K..K....`............................................................................... ............... ..H............text....+... ...,.................. ..`.rsrc........`......................@..@.reloc...............2..............@..B................`K......H........G..T...........P ...'...........................................'.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\el\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	4.923997227781669
Encrypted:	false
SSDEEP:	384:A6/Iz7XA5STvEuYpRdhhLxmjzWr7zdQKx+2LH:D/Iz7GoChVm4dQu
MD5:	8193D04123F3A2E14ECC995E1E69C406
SHA1:	8C5B1A487613FC6849C631EBA3B113F9C820A59A
SHA-256:	D261C9C4BFE1A21F9023FB805BCC781A40E5141C7A9AB1DEFBC2027EC46402EC
SHA-512:	07FCB75CC1EB89AEEA76E3467A83840C622377D11339124BEC2CB75A54EBAFBCFC6971FA186C299C0765E7A8669740E0D254A52A09A5D7731C2F660C9DED52FF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f..g...........!.....6...........T... ...`....... ....................................@.................................LT..O....`............................................................................... ............... ..H............text....4... ...6.................. ..`.rsrc........`.......8..............@..@.reloc...............<..............@..B.................T......H........P..T...........P ...0...........................................0.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....D.......PADPADPc....94.......T.P......._...n../..;{..bq..a.Q...u.j...a.P.......i.b......m....g...Z..9...7.8^....#..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..G.N.S9Y.`.#.c.G<c.0.c...j\.}ky.$l.S.l.[.m

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\es\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.679577437294016
Encrypted:	false
SSDEEP:	192:h0zszgoAo1Lv/EjhNylp3qOHVoFqFPsqneCdz:+4Eod1D/EClp3qO1ocFPsy
MD5:	88E85984DCA9052B794D68769A35D77C
SHA1:	96BBCE2032733DFAB95CDCB0C2446CC8E8D14519
SHA-256:	8E9421BFA9FF28C2F9AEC60B49B0F2D77D51575248DE961B2440AD0E2DA28D66
SHA-512:	7FEC9031005AF8631864B2CD7A6C86D3B47A70505694EF5FC94D934798DDB09502679DDF58E4EF0DAF55D3597C25CA252E7B7165B1A47022CE7A36AED3225566
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f..g...........!................I... ...`....... ....................................@..................................I..K....`............................................................................... ............... ..H............text....)... ..................... ..`.rsrc........`.......,..............@..@.reloc...............0..............@..B.................I......H.......,F..T...........P ...%...........................................%.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\fa\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	4.955277827298115
Encrypted:	false
SSDEEP:	192:JzszgoV2G6qVyC/7npP5AOmQf5LdaGC4:J4EoVRJ/7npP5AObhda8
MD5:	F8DEBA3C839158C4CE75762F9F73AAF0
SHA1:	B96BD1154E9DC93C3571129F950498392AC8EFC7
SHA-256:	F3C200AF3D5A30401DEFACD561BB1FE93CA56171D465129BC0E6EF6638D1D33B
SHA-512:	69D0B2B12ADFCA2D9615D665E5CAEBB152303C15D9D3BB67CDF284D25846AC6A6F636503B698949CFB59DFF31E03EBCE1133C5A7C1A26E8211DA125D6EED03B4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..g...........!.....0...........N... ...`....... ....................................@..................................N..O....`............................................................................... ............... ..H............text........ ...0.................. ..`.rsrc........`.......2..............@..@.reloc...............6..............@..B.................N......H.......8K..T...........P ...........................................................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\fi\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.668259816164652
Encrypted:	false
SSDEEP:	192:AzszgoMlHEH/K2Cg2gWev7tlZamNnJOkWdchEY0KjNKSDahHPCC:A4EoG6Io7tT7Ek0nY0mNBu1p
MD5:	710A119270F1B14696236ECE07CF20C8
SHA1:	F83627E798826A947E72F35192E6338EA7214DD6
SHA-256:	25D12B6B58A43AD52A01CC07C71B9452B94EF63731D937A7027286659F187454
SHA-512:	FF00A97092E385D577E46499088B557876DA3A08853B7DF359A6E0852406FD0ADDFD39A6EB3F98A87BA77B1FD5CD5CB880188ACC9546D81857E4918B551DE861
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f..g...........!.....(...........G... ...`....... ....................................@.................................dG..W....`............................................................................... ............... ..H............text....'... ...(.................. ..`.rsrc........`.......*..............@..@.reloc..............................@..B.................G......H........D..T...........P ...#...........................................#.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\fr\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.673463032238922
Encrypted:	false
SSDEEP:	96:zzs8+g3yxFVDKhY+OdDLJ/yWV7lxjYmMVC1rqwoLTy5TKyhcOjy/X0CAcQdQ5L6C:zzszgojsY+VW+WsXMmt6ghFghxmOgCg
MD5:	5A86C41CF7241453C032B500D6B0C860
SHA1:	CF6F5868E0455B690A8F57A457C817D75A35E852
SHA-256:	F952F680C1A6773BE3AE5777985418230B70E9F1C41353E48BB5E2D30D980A25
SHA-512:	AB15C057D7E0D36B31CFE9658DE5C11A4C96555FC93D0CE9FE06CCEA233ECC6954CF9FBD0CA29CBCC96C7016FB8429D864E446C33B778C0B2B8CAED140E95286
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h..g...........!.....,...........J... ...`....... ....................................@.................................dJ..W....`............................................................................... ............... ..H............text....*... ...,.................. ..`.rsrc........`......................@..@.reloc...............2..............@..B.................J......H........G..T...........P ...&...........................................&.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\he\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.642978766514834
Encrypted:	false
SSDEEP:	192:01nyV7305mXUMGweysvewQgdRVK74sZQHCR:01u+5wwvewQuKssZQS
MD5:	895E354E0CD17A6CAA77AE3E9CB09592
SHA1:	38D6AD92173A419E9EFE42E123C8A29759167724
SHA-256:	9DF52984771D75A6C794D05F82AC31CF0E164B6E6AA797F0B014CCF3641C10D0
SHA-512:	03A1004986434F4BA9ECB3E77F6C0EEE014F53F474B9045DF099272E2F6F691CE3F7110C13ED57DEC62E9A53F7AC1B04E6FCA27FCA7F790BEF67090D3DA005DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i..g...........!.....,..........NJ... ...`....... ....................................@..................................I..S....`............................................................................... ............... ..H............text...T*... ...,.................. ..`.rsrc........`......................@..@.reloc...............2..............@..B................0J......H........F..T...........P ..Q&..........................................M&.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....H.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j...a.P.......i.b......m....g...Z..9...7.8^....#..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c...j\.}k

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\hr\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.683606446661969
Encrypted:	false
SSDEEP:	192:KzszgoU7Q1flx4pGQhCVSIzXFgYPBXC4:K4EoqQ1fltsOX5B/
MD5:	8DF2C129B2F25F464BF4CDF6670CCF51
SHA1:	96DCD8E0BDD21D8FEDB99A738107419E12C12912
SHA-256:	3ACB0AD51D6C446F7B8ADB6832FFBD58C4C535313E2E4B345B51C4C66533BD62
SHA-512:	B607A227A9E639D059D7690ABF01EF634E4F131806C6BA3D93DA50E862C42E20B16F1B170921DB2530530A4DCD20097FFB95A54F705EDF717AF4061CDFE49687
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g..g...........!................H... ...`....... ....................................@..................................H..W....`............................................................................... ............... ..H............text....(... ..................... ..`.rsrc........`.......,..............@..@.reloc...............0..............@..B.................H......H.......0E..T...........P ...$...........................................$.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\hu\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.816988112615567
Encrypted:	false
SSDEEP:	192:HzszgoYMoSaYNF2Hhid++fbLhQwjldxSW7ytCD:H4EoMSak2Hhk++fbVQwjl3S0
MD5:	45E5D6CA36AAFB3A46C0C1F2B8A296B0
SHA1:	B5882814E3A8F6A59A865DEE051A72E9EE17EDB2
SHA-256:	843D43B7386B186D467805E09F4D1A8D1096642A205A583D7C108DC9BDB56CAB
SHA-512:	EBB77317BB033973D8DADB82CC2C01A50116ABF7A90CBA7945DECA04DEA80E8120473D61B4B576E053C84C12D8AC6500915E851A8F7149DF6E2BC53EC13ECEDB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g..g...........!.....,..........~J... ...`....... ....................................@.................................0J..K....`............................................................................... ............... ..H............text....*... ...,.................. ..`.rsrc........`......................@..@.reloc...............2..............@..B................`J......H........F..T...........P ...&...........................................&.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\hy\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.595446729989736
Encrypted:	false
SSDEEP:	96:vmy3C9MPOxrqmjvVYDJbeybLKy/4BMQWkySqe+BZWr+mwplto72r8z:vmyy9BiWGkyTBB4ammCH
MD5:	BBF07717B37A1161D824316191B17CBF
SHA1:	39B526E7C91AA025AE80DD35382AE4EE85EA0F9E
SHA-256:	5A1A13335A140CF4BF15C04E26E44AA51821E4E6E73818AF38FA37AF8BC4FCF2
SHA-512:	A1BBBD52342B46EC3A381FCBC7AFD36974613040DD3E1C1BCA5FDE32F5BA699A3491D7DC79DFFE472714C7C33D29FA5974A690C7D809E68B26B80EAFD6116D4A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g..g...........!.................6... ...@....... ....................................@.................................@6..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p6......H........2..T...........P .............................................................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....".......PADPADP......T.P.;{..bq..a.Q...u.j.....i......9....#......d......k....>..+...F. .Q</..f8..z:..~CM.(DK..G.N.S9Y.`.#.c.[.m...s..t...t".\| ..}........D...............R.......................D...,...........k.......x...e...............

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\id\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.631521569783712
Encrypted:	false
SSDEEP:	192:TzszgobHnDlAi0BEu3uTxPOPTNjaW5ajgYMfDKNFqXRjCr:T4EorDAC6uTacjgYgDa
MD5:	ED7302ECE97F5A012C272282BDAE5998
SHA1:	314BCB47F58F5FF2F9B1079F739E1796A793AD31
SHA-256:	F1F9EB2290C297957FEEE8C6EEF1E0FDF3CCDA379D26DC17598BC7EE537D7D5C
SHA-512:	DE9204632AD6C50EB1B204123E6C89864418D42B0317586757A53309D0F0E6E26A954C6BD7D8AE5DED22E580D66E0FA3BFE415E584721AFE9703CD2B588D87AA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i..g...........!.....(...........G... ...`....... ....................................@..................................G..K....`............................................................................... ............... ..H............text....'... ...(.................. ..`.rsrc........`.......*..............@..@.reloc..............................@..B.................G......H.......<D..T...........P ...#...........................................#.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\it\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.554924395225766
Encrypted:	false
SSDEEP:	192:yzszgofe/JLlXuJFU8qd04ZqQpwCopz+yzqssw8X5sgcDAdU6TVqtCO:y4Eo2/gFU8qlZqQwCopKssw8WAi60
MD5:	7BDE1E24AC860A547991675A52BB9643
SHA1:	3885297960216E3245B9E5A034A061C6451DACEE
SHA-256:	528C1E3AB4E68C9489D7955474A391F05AC33178551A0517B97766D37C3FA4B8
SHA-512:	1C2D8B9E2F3D90C8937612380962C6A4313478274352E2A063B62366C22BFDB63AD1DEBE72FF13A0B29920A001E1AD80E2E167E8FBB035997A4C5FCC07A99B80
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g..g...........!.....,...........J... ...`....... ....................................@..................................I..S....`............................................................................... ............... ..H............text...$*... ...,.................. ..`.rsrc........`......................@..@.reloc...............2..............@..B.................J......H.......tF..T...........P ..!&...........................................&.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ja\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.15204390917328
Encrypted:	false
SSDEEP:	192:fzszgoI9fFQEew/zAIqpo6dpayVxHY9Ny9JYZ9hiZ2oq5Kcw/gCk:f4Eoof6ca/bpQnVZ9hOqSO
MD5:	06D5DEC5841BAD5E88E83B77157ACD82
SHA1:	FF3AFFAD93CBEE0F26FBFB0F55747E07F921DEA3
SHA-256:	BE7062DB93DA86CD1230BB0B4AFBB7A5599FD2FF86CDFDB2D626DA39DA3866FB
SHA-512:	BA1D65C6FC6B65A4F4101FD595ABC404943A5958596ECC6DD43F77535DAA76C44AA4EE0B161D01EFB61C19F2EA0658E8CF788C3ABE5CCB16BCAC58F3BC18FCC8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f..g...........!.....4...........R... ...`....... ....................................@..................................Q..W....`............................................................................... ............... ..H............text...42... ...4.................. ..`.rsrc........`.......6..............@..@.reloc...............:..............@..B.................R......H........N..T...........P ..............................................*..............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ko\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.220216366647869
Encrypted:	false
SSDEEP:	96:p1nD+s+93jTW1+tZ7Xjlb/jGXWdfyB8Ky7WeS0B8ribJ3Q9MoBwDOY4erUUPSbMR:p1nyVxWOfOFhKdrRSbMLg/U2Lb1nCxX
MD5:	765965C5206846D194F7B45E2B0E8903
SHA1:	E7D5BBE03A017B7A559DB1EEEDDF0000221307BD
SHA-256:	1980165D4E2ADDC8BDEB9E5D21113DA383CBB6D6B986EA827171970057027348
SHA-512:	085E7F58410938D33E45A634E2CC07267295AE8290C1B7A66214F4F75D19159C51FA75620251AB5B5C479642AB7E3281CA14CEE97E59BAADD26074B8D6E6E89B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h..g...........!.....,...........J... ...`....... ....................................@..................................I..O....`............................................................................... ............... ..H............text...4*... ...,.................. ..`.rsrc........`......................@..@.reloc...............2..............@..B.................J......H........F..T...........P ..6&..........................................2&.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....H.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j...a.P.......i.b......m....g...Z..9...7.8^....#..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c...j\.}k

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\mbahost.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	122288
Entropy (8bit):	6.643662045821993
Encrypted:	false
SSDEEP:	3072:iyjfrCvv4JR5zsemsABCF0TPSLNegl/+b:xrrCYRsehsIX/E
MD5:	C59832217903CE88793A6C40888E3CAE
SHA1:	6D9FACABF41DCF53281897764D467696780623B8
SHA-256:	9DFA1BC5D2AB4C652304976978749141B8C312784B05CB577F338A0AA91330DB
SHA-512:	1B1F4CB2E3FA57CB481E28A967B19A6FEFA74F3C77A3F3214A6B09E11CEB20AE428D036929F000710B4EB24A2C57D5D7DFE39661D5A1F48EE69A02D83381D1A9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........v........................}.......\|..............................o..............2~......2~......2~q.............2~......Rich....................PE..L...Tp.]...........!.....&..........(>.......@.......................................;....@.....................................x......................................T...........................H...@............@...............................text....%.......&.................. ..`.rdata...s...@...t...*..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\mbapreq.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	188848
Entropy (8bit):	6.598346436496911
Encrypted:	false
SSDEEP:	3072:iaVVzf0r2vM357+pwnohBIiv8+2kt2GOTALPN2obXbE7PKPU9+Wxhsz7CMD:iaLzfpIsHhBIqgGOTALFdbz7f
MD5:	FE7E0BD53F52E6630473C31299A49FDD
SHA1:	F706F45768BFB95F4C96DFA0BE36DF57AA863898
SHA-256:	2BEA14D70943A42D344E09B7C9DE5562FA7E109946E1C615DD584DA30D06CC80
SHA-512:	FEED48286B1E182996A3664F0FACDF42AAE3692D3D938EA004350C85764DB7A0BEA996DFDDF7A77149C0D4B8B776FB544E8B1CE5E9944086A5B1ED6A8A239A3C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:v.O~.c.~.c.~.c....t.c......c....f.c.,.g.n.c.,.`.l.c.,.f.a.c.wo..z.c.wo..c.c.~.b.\|.c..~f.g.c..~c...c..~....c.~.....c..~a...c.Rich~.c.........PE..L...Yp.]...........!................................................................1.....@.........................`.......L...................................`.......T...........................H...@...............\............................text............................... ..`.rdata..2...........................@..@.data...............................@....rsrc...............................@..@.reloc..`...........................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\mbapreq.png

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PNG image data, 63 x 63, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	797
Entropy (8bit):	7.648767094164769
Encrypted:	false
SSDEEP:	12:6v/7rW3M/jDYAlFTzdvhKZ7e/cbp4/82UNb6MjmlKPNXheD1H0oJodqSXaTbutak:lQD1lldv8Z7g04/82Y6+Pxi19mDoqt5
MD5:	A356956FD269567B8F4612A33802637B
SHA1:	75AE41181581FD6376CA9CA88147011E48BF9A30
SHA-256:	A401A225ADDAF89110B4B0F6E8CF94779E7C0640BCDD2D670FFCF05AAB0DAD03
SHA-512:	A0F7836AEFA1747F481C116F6B085F503B5C09B3A1DD97CD2189F7CE4E6E7EA98F1F66503CBA2E6A83E873248CC7507328710DFA670AA5763DF8AEDCC560285E
Malicious:	false
Preview:	.PNG........IHDR...?...?.....W_......sRGB.........gAMA......a.....pHYs..........+......IDAThC./W.0....P(...Db+q8$.........J...-..8.e]._..;........Y... .Y....z\........{W\|..../q..<%.....C5...0....OrU....,..^........).....2.......i.Ge..T9T..}.7..J.......}..b...S.>.%y..Fc..j.X.....y."...e.U..M(ez....4\..C....u.......w..0..J.Wo."...mM.r.h..8..q..X..k!...j..xn...l...W`..r.+.R..J........c.T.}......cz..<43..@.c..rH...\|..V.....K.mN.........k....,..4OL..5..M.tm%=.U.t-7.w....k.R.....c...-].5~..]2..5...GA..[..={.5..].=(.$}.\.9..5...MWu..[#.....F..j.F...d...,..MWu.7..3......$.......G.t.....=;N<_:[......0.,1.y.\.Z.\|..%..>}...q.s....y.#p......!-.;.6!o.KO..E.6...........<..c..9_B....y....im...b...Xn.....)t9Q...........V.WMtP. .P..Z.&..KR.ac......IEND.B`.

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\mbapreq.thm

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3915
Entropy (8bit):	5.15881451198739
Encrypted:	false
SSDEEP:	48:cecHddpXBT2E/zPHWgtpmAPH8TSJmBP+NPHrM/O8YpQbFUuhJ3PK7usPH4Lr:wHdHxS4Z9UG4BmNjCOhpsB3PswP
MD5:	A20778EC90A094A62A6C3A6AB2A6DC7D
SHA1:	74C131B5FD80446FFDF2AFAD723762DD36621309
SHA-256:	F8C3A03F47F0B9B3C20F0522A2481DA28C77FECDBB302F8DD8FBED87758CBAEA
SHA-512:	47F34A9F416D223DCBF071E7292A05554AF3D27CDE67FC8C161C1BED564C6E7FC448C2F482E05F33149C782E09C681BD65730CA00CF9EC68B284128214B75529
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="mbapreq.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Height="96" FontId="1" Visible="yes" DisablePrefix="yes">#(loc.Title)</Text>.... <Page Name="Help">.. <Text X="11" Y="112" Width="-11" Height="30" FontId="2" DisablePrefix="yes">#(loc.HelpHeader

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\mbapreq.wxl

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2464
Entropy (8bit):	5.076345322304751
Encrypted:	false
SSDEEP:	48:cxX7DxMT8dbCsK19Wqq8+JIDxN3Wm2WcN3miNlLPDHXsmkaYXfXQ2BmGA7b1fABP:8LuTY1xmmmTerNR0AT1O
MD5:	4D2C8D10C5DCCA6B938B71C8F02CA8A8
SHA1:	11577021465379E9D1FF4260E607149BA5DFA6B3
SHA-256:	C63DE5F309502F9272402587A6BE22624D1BC2FEACD1BD33FB11E44CD6614B96
SHA-512:	AE791C1F05821167F1D2E1D07DBF95FE7E72B35B3E4B1E22720006C7A672B1330B748414792392B0E806F111AA4EFC1C424F4479EBDE349E3F079792DBB3BF47
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<WixLocalization Culture="en-us" Language="1033" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">Microsoft .NET Framework required for [WixBundleName] setup</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/passive \| /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. By default a log file is created in %TEMP%.</String>.. <String Id="HelpClos

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\mk\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	4.895628814168558
Encrypted:	false
SSDEEP:	192:3zszgoeh0HKdERgo2Q4Ez94+8E8SabaU6XrG1UOC7ZDUjMfwPW8mwDYI/j8CG:34Eo+0qk2CBSVitDD78RDO
MD5:	3543FF559162E0C1CFF809F464A4FD6E
SHA1:	BF77F76101CEDE072877625F28E3D3AE91F9828F
SHA-256:	DB38998F420B1982A5EBD3A5E429F96BA9833B7E08020883040273B350A37650
SHA-512:	EB559A24A74984496BBFE17DC6200899E8B5ABE11B802C6EB4E681708C5BB54980BEDF58BCA743352227F864C809DF551282A72FF4828FBFB0F034416931A4C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i..g...........!.....8...........W... ...`....... ....................................@.................................hW..S....`............................................................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............>..............@..B.................W......H........T..T...........P ...3...........................................3.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\nl\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.594339732002098
Encrypted:	false
SSDEEP:	192:lzszgonYUQtuaO1QqAN91JYt258bgCeuSCk:l4EoxjFlANlGS
MD5:	0C12FC3E54096E0D64D49EDDDAD5872A
SHA1:	C264931517A7CE0B6A84BE5F700E58D80CA16D7B
SHA-256:	46067B736F6F88EDEBE2AD62E2BC66820C635CE5009ABE556689E4480CC81D15
SHA-512:	265B10FD574753055997617B6C58031E029305FD3BC67DF5CFF1CC4959FCF38908076C5B62B79FF92FCAD5A4CF88BA53846790B92E61F5AB8728AC9877D17854
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h..g...........!................H... ...`....... ....................................@.................................`H..K....`............................................................................... ............... ..H............text....(... ..................... ..`.rsrc........`.......,..............@..@.reloc...............0..............@..B.................H......H........E..T...........P ...$...........................................$.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\no\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.584614702495529
Encrypted:	false
SSDEEP:	192:JW1nyhg643+BqbK3paJXYtFNLPzy5RIDgphu9+I8XCo:Jinbu4CaWTkVphS+v
MD5:	737D3F85CDA2DF75B14912573D7C382B
SHA1:	55AC47D5BF9C1C84522BCCDC3CE8F49A18ED7680
SHA-256:	9616120A23ADE472112CB95573C03CDB94FE7830064C963B565834F829841E0A
SHA-512:	B7898A553B20696B4E68197F5DE68EF9D890B89EC8EE0E114B5BDC20EC9BF575874528EB7FC0709484EB8AF3E3DC0ADF58CF2ECD47F022CE225F8E5C6E12D09D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i..g...........!.....(..........~F... ...`....... ....................................@.................................(F..S....`............................................................................... ............... ..H............text....&... ...(.................. ..`.rsrc........`.......*..............@..@.reloc..............................@..B................`F......H........B..T...........P ..."..........................................~".............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j...a.P.......i.b......m....g...Z..9...7.8^....#..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..G.N.S9Y.`.#.c.G<c.0.c...j\.}k.,.l

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\pl\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.80373699136226
Encrypted:	false
SSDEEP:	192:VzszgozwpZDz4cbmaX065Otm646K84scNMf82mbCysdUKCs:V4EoM3bmaX064E64j84sDU/b/gUs
MD5:	60CC51A98901A46B0BE8F031FCC0D9C3
SHA1:	DB67B393E4BFD9DCDB53616E163041797594F490
SHA-256:	6834A48E24A47A5EDE5D18190EFFE49C65A4D28E9B0FFEB5B18C96B92D6FF83A
SHA-512:	343092AEB9CD4238A93DFC6B22A68FFF80A910C48C7075B98107D3BFB5BFF7BAD40671F95ACA38E61CCDBBBDE4E49EDA01385801DDB2169E8A4BBBDBF2F07A17
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h..g...........!................H... ...`....... ....................................@.................................hH..S....`............................................................................... ............... ..H............text....(... ..................... ..`.rsrc........`.......,..............@..@.reloc...............0..............@..B.................H......H........E..T...........P ...$...........................................$.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\pt-BR\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.708996616777876
Encrypted:	false
SSDEEP:	192:mzszgoc1ViMIjfISLZC6ArEb5kQxRiUz+IKwC7:m4Eoc/2ASLZC6dtk68t
MD5:	13C3F910E0A48B5181950CD88E44CEEC
SHA1:	2116E244CA878C94D2E355B1E1B5170F75208AD0
SHA-256:	2A010C245A2A1406A65F288D2C35C917B7EF0D4FD5902C515AEAFD35843CFA16
SHA-512:	343B0BA9A6F1BDD00C0A8F2B21CA6A2C6C8F3E55F2B8206517E88818F0102BE68E27FE751678EB721EEFBCB73FFF7599116D430E6FCB96D6B98E0748E262C673
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g..g...........!................I... ...`....... ....................................@.................................LI..O....`............................................................................... ............... ..H............text....)... ..................... ..`.rsrc........`.......,..............@..@.reloc...............0..............@..B.................I......H........E..\...........P ...%...........................................%.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\pt-PT\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.704538667984424
Encrypted:	false
SSDEEP:	192:BzszgoE7lVWpC1GnyWo0zq6s1z4uURYGcjtz+ahmCn:B4Eo+lV4Te0zq6sJ4uUeB
MD5:	C64CAA862910EB1EA829FA0D960FAA6B
SHA1:	12A18175EE0EB9F6E6AFD98629AE924FFE1754F1
SHA-256:	D00C708170A581A7186C1B4602568FF11B1206726995571B8F3D8EDE334D8A36
SHA-512:	F88AE75A1CA9AEABA4AAAEA7EC5A449FC1AC853ABBAAEDB49A80E8D876AC83C70E6214731FEC279F97567FDF2F5C142C529771BF062D961D720B477758DF4FD0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i..g...........!................I... ...`....... ....................................@.................................\I..O....`............................................................................... ............... ..H............text....)... ..................... ..`.rsrc........`.......,..............@..@.reloc...............0..............@..B.................I......H........F..\...........P ...%...........................................%.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\ru\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	4.943519138808667
Encrypted:	false
SSDEEP:	192:1zszgovVtG7+/lvERfYaJCddLjmh6rzXPtQVUVnDCoQS:14EovHG8vERH47Lr/tQSm
MD5:	4800DB07967C23903635CBC8D08B6338
SHA1:	84C3E550F8E9A2CEBA12C36C7E5A322BF48EAF34
SHA-256:	181F77CF4CF384338E2C0AC894CDAFD4497BB840F33DA8C859508D09C365678F
SHA-512:	35963D4DDD52F2FB9042E9763828A3F7FFC5CF6E850527D59ADE722933A5D0A758A993CB9DAA019E11A10878EABD92692F4DD55DF38E9D2ABFB0FE53AF6EB3FA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f..g...........!.....4...........S... ...`....... ....................................@..................................R..O....`............................................................................... ............... ..H............text....3... ...4.................. ..`.rsrc........`.......6..............@..@.reloc...............:..............@..B.................R......H.......hO..T...........P .../.........................................../.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\sl\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.639775307730053
Encrypted:	false
SSDEEP:	192:Azszgo7OGKDNnrxmgZ5RHBr25DfLNHIb3mKHXyQ0Sa0pDKuRuu2ihCL:A4EoiGQxmgZ5R925DfL0W50BN0
MD5:	157FFFF0973A3A0E6920BF45F81CE87C
SHA1:	0B9CA7EE6C9C3D2C6532933360AF010EB0C59D9A
SHA-256:	F058A16DE35CD094A8A79BDDCD5818915017798E04323F07A84A2C8304FCD13A
SHA-512:	4F4CDF455D27E2C74B17C73B60E8A979F6715707329D0D05C6587B8EF1492FB9A39C174797B68B35454FA9F9E9193E5FD54360DE8C86D13E90B2AC68624B509B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g..g...........!...............NH... ...`....... ....................................@..................................G..S....`............................................................................... ............... ..H............text...T(... ..................... ..`.rsrc........`.......,..............@..@.reloc...............0..............@..B................0H......H........D..T...........P ..R$..........................................N$.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\sr\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.643897288538702
Encrypted:	false
SSDEEP:	192:hzszgo9aGC/e8YU0dYV0sObEQeVLJoI3FHUCO:h4Eo4+NUrRpC
MD5:	888A2C28C087C68230FC07FDFD51D9ED
SHA1:	B756C9C32DA2ED603D64101B3B6091120A0823D5
SHA-256:	E33303F889A935C62D4E341ACEDF27E68785234564C5A15AE26F1854AB29F571
SHA-512:	B88933DBA99C667B22FFD4501785A9FBE5353A3E7A8D8D364E4BE5CD9749DDE73BABBDAEB1921117B5378F607332FEBACC9A09D79862B13F6DFF869C38C6140C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g..g...........!................H... ...`....... ....................................@.................................PH..K....`............................................................................... ............... ..H............text....(... ..................... ..`.rsrc........`.......,..............@..@.reloc...............0..............@..B.................H......H........D..T...........P ...$...........................................$.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\tr\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.801161379893102
Encrypted:	false
SSDEEP:	192:6zszgoV2+r0zxIRMA9h+wGGHwSGJsb4M/7oCj:64Eo0+rjKawSGJsX7N
MD5:	68638DBC73AEF667A3677487A28E0859
SHA1:	C7AF63EA16417B05E2D479496257CFDA886D357C
SHA-256:	5BD32C76A4D9A42D1C8A5C6B2256E7F0D5B50CFC8CB0B77C9C662DC503236AC9
SHA-512:	DADF742DA1EBD40C1E3CEFB396E51D19C7D74B0D7AB96DFDBB58664847788B1E14FD89342BF2F84607A228DE3601244AC243E044748FF4E1E92CF42C64213F91
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h..g...........!...............NI... ...`....... ....................................@..................................H..O....`............................................................................... ............... ..H............text...T)... ..................... ..`.rsrc........`.......,..............@..@.reloc...............0..............@..B................0I......H........E..T...........P ..V%..........................................R%.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\uk\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	4.933630756827839
Encrypted:	false
SSDEEP:	192:izszgoWgaomW31MtjWBSfgOGA0Xgrl0h3uF7NYDrsYMDo2FVJedlSUlchCo:i4EoLz1MkkfgOGDAPnx7edlrl0
MD5:	705CDC7E077F1A2BD7C2B8CA36DE9A26
SHA1:	6B731CC8BF21786CA46B8356206F435A6B3680ED
SHA-256:	0EE96759CBEB5CBC1533FDA82DA910657C84BB1F873E1EF680DB5E3492A5C8C3
SHA-512:	9325E1B56815FFC572FCFB853808B30AEE98004C471A487867FC182CF6BC7B8C7A88362A6D8ABC2B76595F3826A742F113F382CF7AA25C7BDBAC77B29A72D18F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h..g...........!.....6..........~T... ...`....... ....................................@.................................$T..W....`............................................................................... ............... ..H............text....4... ...6.................. ..`.rsrc........`.......8..............@..@.reloc...............<..............@..B................`T......H........P..T...........P ...0..........................................{0.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\vi\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.004635018705281
Encrypted:	false
SSDEEP:	192:HzszgoNcmP4AOJsijOUX1nuN3akEcnaaJAbCO:H4EoqmP2LFCZacAp
MD5:	DA63060B95F2CA6E6086B030DACFEAEA
SHA1:	4D385FB9B3C6D47A6F33B06AA5F8BA9280B7A4D6
SHA-256:	94D2A491894C06314FBC37DCE49539C60609E3502CCC70DEEAC591B5FE6C303C
SHA-512:	FBE58ED00F79DA11C664473D935ACD36815740832E12417CDCA23889596F05C8EE79D795C701ED91F1CACE5C41062E1664BDA09FF5B5003EA5C706C3DE7A6B6D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h..g...........!................>L... ...`....... ....................................@..................................K..W....`............................................................................... ............... ..H............text...D,... ...................... ..`.rsrc........`.......0..............@..@.reloc...............4..............@..B................ L......H........H..T...........P ..@(..........................................<(.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\zh-TW\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.295968472578108
Encrypted:	false
SSDEEP:	96:Yzs8+g3yxFVu5NJzQT9zj8Fj8yziRzXfzyI2aKyHVm7gzPaAt2HaPTQhYaJlFh9b:YzszgogN5eH1JDRQWaJl7ARNMKC3
MD5:	9CB6D4E09DE0FB03484B1FB63FCCD24E
SHA1:	78268F774D393CD5B4B7708E85DC8F75A57D45FC
SHA-256:	791E7BDA2C12103D83651BDB95E2B614EF6DE4695A8F1B40BE5B98D06ED4987B
SHA-512:	C0313E2ADE0C64C476E0B65B8F9FE8B4BD6B72CC6877E5650FD85E82A65D51882F6ACA9F2FDEE434BFF1207FE704966D32247D124DEE9B024493BA18D0C49D64
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h..g...........!.....(..........nF... ...`....... ....................................@..................................F..S....`............................................................................... ............... ..H............text...t&... ...(.................. ..`.rsrc........`.......*..............@..@.reloc..............................@..B................PF......H........B..\...........P ..i"..........................................e".............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\zh\Adguard.Burn.resources.dll

Download File

Process:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.273389941078699
Encrypted:	false
SSDEEP:	96:jDWzs8+g3yxFVwyGM7o3E7MWjXWjBIy5gmYRdiUy5kKyr4EKZQB3lybJAQOvw8J7:jqzszgopGvGz3FuJCv9GOlfZJUNCN
MD5:	8EDA6DD7098D30823B26896F9FC96FF2
SHA1:	8DA8AF8F3DEE7A6ABB874DC155413FBA8DB6D822
SHA-256:	61753F9AE906CCC5741BAD44B26A0F55445C9C06A88FBCF5C5EBB8512D841BF7
SHA-512:	D109F3C8773C4CA1D5763FD9E54D8EE7A6BFD669ECF87342472345BA280B5E82AF71A70E51DA9A4A3F858C77E840266D00524C2BC2EDEA8EFD3378584CBBC555
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h..g...........!.....&...........D... ...`....... ....................................@..................................D..K....`............................................................................... ............... ..H............text....%... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............,..............@..B.................D......H.......\A..T...........P ...!...........................................!.............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....J.......PADPADPc....94..........T.P......._...n../..;{..bq..a.Q...u...P.j.......a.P.......i.b......m....g...Z..9...7.8^....#.(9~..... x......n..d..........k..O?....>..+.....F. .Q</A..6..f8...9..z:..~CM.(DK..Gg..M.N.S9Y.`.#.c.G<c.0.c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.6780166478397875
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	adguardInstaller.exe
File size:	145'944 bytes
MD5:	a74538fcb6491c24a788b008128dc41b
SHA1:	71934871c0dfc9f5148a44c3302c40a44d8355ab
SHA256:	49061dfd5e40ed59c68e5e6e6be5b920b3dedb9f951e62bdd2bcb54cbb93c400
SHA512:	6af12e8960a02d880c74eac5e4c25de9808bf2d411b6ab0dea236b569deb93747be75368f2fed2c474a9e4549a3c6c1a0456db8d6647e8b97bd42568e8c6a146
SSDEEP:	3072:X4qZHnMyBV3vZhLFvGyfmKvK9MkBrf8wv7:X4qZHdV3vnvK9Mkhvv7
TLSH:	85E338D2F8D243B5E41A8F306687EA7B41E09F27C4308D7AEAF52605A73666FDB05131
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...+..c...............'..........................@..........................p.......n....@... ............................

File Icon


Icon Hash:	23d04d697123970e

Static PE Info

General

Entrypoint:	0x4014b0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6390A02B [Wed Dec 7 14:16:11 2022 UTC]
TLS Callbacks:	0x401780, 0x401730
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b26a7e001a4be269742be838dadc9db9

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	13/01/2023 01:00:00 13/01/2026 00:59:59
Subject Chain	CN=Adguard Software Limited, O=Adguard Software Limited, S=Lefkosia, C=CY
Version:	3
Thumbprint MD5:	97CB1ECDC7F0BCBB54ACA397BB03E6D1
Thumbprint SHA-1:	48BAFFCE2694F647A33854183A4B817BB8A7DBEA
Thumbprint SHA-256:	453226C42EB62A278F091B0155200D76DD284A1337795B6EB37A627D414F1284
Serial:	00B138E6660DCA7CC377CB2F6F6027F616

Entrypoint Preview

Instruction
mov dword ptr [0041106Ch], 00000001h
jmp 00007FF6446F6916h
nop
mov dword ptr [0041106Ch], 00000000h
jmp 00007FF6446F6906h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007FF6446FCF4Eh
test eax, eax
sete al
add esp, 1Ch
movzx eax, al
neg eax
ret
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 0040E000h
call dword ptr [004125F4h]
sub esp, 04h
test eax, eax
je 00007FF6446F6CD5h
mov ebx, eax
mov dword ptr [esp], 0040E000h
call dword ptr [00412658h]
mov edi, dword ptr [00412608h]
sub esp, 04h
mov dword ptr [00411028h], eax
mov dword ptr [esp+04h], 0040E013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 0040E029h
mov dword ptr [esp], ebx
call edi
mov dword ptr [0040D004h], eax
sub esp, 08h
test esi, esi
je 00007FF6446F6C73h
mov dword ptr [esp+04h], 0041102Ch
mov dword ptr [esp], 0040F104h
call esi
mov dword ptr [esp], 004015A0h
call 00007FF6446F6BC3h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12000	0x1d0c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0xf610	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x20a00	0x3018	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x26000	0x7ac	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xe474	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x124cc	0x3dc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb0d4	0xb200	5cce674b251f0ff6eb8b7bd87413cf33	False	0.5650456460674157	data	6.244734213129408	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xd000	0x4a4	0x600	a3d5e60323a02742e7fc12a2432c41bf	False	0.11067708333333333	data	1.1247916788515984	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xe000	0xbc0	0xc00	79d1949f2d627c3c1cad1bdfe41201ec	False	0.544921875	data	5.301100318570986	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0xf000	0x1fb0	0x2000	923ae17274e756093759304ab472082f	False	0.3533935546875	data	4.933913732859542	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x11000	0xa74	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x12000	0x1d0c	0x1e00	7cf265bc970978cf36ffcbe8a9a610da	False	0.375	SysEx File -	5.372660458640531	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x14000	0x34	0x200	4eef9a9546f6bf89752c594cebb6c33b	False	0.06640625	data	0.2601579489546485	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x15000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x16000	0xf610	0xf610	c9110b92017325fdc1122be880a5d8e3	False	0.5313690627381255	data	6.317334742840768	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x26000	0x7ac	0x800	b8cec5e153b46df8eb6be699ee49b81e	False	0.8466796875	data	6.518285308190399	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x162c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.4450354609929078
RT_ICON	0x16730	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.25914634146341464
RT_ICON	0x177d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.18848547717842323
RT_ICON	0x19d80	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0	English	United States	0.14850023618327823
RT_ICON	0x1dfa8	0x330e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9949502677888293
RT_RCDATA	0x212b8	0x11c0	PNG image data, 440 x 270, 8-bit colormap, non-interlaced	English	United States	0.9619278169014085
RT_RCDATA	0x22478	0x23f4	PNG image data, 880 x 540, 8-bit colormap, non-interlaced	English	United States	0.9413298565840938
RT_RCDATA	0x24870	0xcb	PNG image data, 7 x 10, 8-bit/color RGBA, non-interlaced	English	United States	1.0344827586206897
RT_RCDATA	0x24940	0x154	PNG image data, 14 x 20, 8-bit/color RGBA, non-interlaced	English	United States	1.0323529411764707
RT_GROUP_ICON	0x24a98	0x4c	data	English	United States	0.7631578947368421
RT_VERSION	0x24ae8	0x260	data	English	United States	0.4753289473684211
RT_MANIFEST	0x24d48	0x3dd	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4620829120323559

Imports

DLL	Import
COMCTL32.DLL	ImageList_Create
COMDLG32.DLL	GetOpenFileNameW, GetSaveFileNameW
GDI32.dll	CreateCompatibleDC, CreateFontIndirectW, CreateSolidBrush, DeleteDC, DeleteObject, GetDeviceCaps, GetStockObject, SelectObject, SetBkMode, SetTextColor
gdiplus.dll	GdipAlloc, GdipCloneBrush, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateFromHDC, GdipCreateHBITMAPFromBitmap, GdipCreateSolidFill, GdipDeleteBrush, GdipDeleteGraphics, GdipDisposeImage, GdipFillRectangleI, GdipFree, GdipGetImageHeight, GdipGetImageWidth, GdiplusShutdown, GdiplusStartup
KERNEL32.dll	CancelWaitableTimer, CloseHandle, ConnectNamedPipe, CreateDirectoryW, CreateEventW, CreateFileMappingW, CreateFileW, CreateHardLinkW, CreateIoCompletionPort, CreateNamedPipeW, CreateProcessW, CreateThread, CreateWaitableTimerW, DeleteCriticalSection, DeleteFileW, DisconnectNamedPipe, EnterCriticalSection, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FindFirstFileW, FindNextFileW, FindResourceW, FormatMessageW, FreeLibrary, GetCommandLineW, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetDiskFreeSpaceW, GetExitCodeProcess, GetExitCodeThread, GetFileAttributesExW, GetFileSizeEx, GetLastError, GetLocaleInfoW, GetLongPathNameW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetNativeSystemInfo, GetNumberOfConsoleInputEvents, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetProcessIoCounters, GetProcessTimes, GetQueuedCompletionStatus, GetStartupInfoA, GetSystemTimeAsFileTime, GetThreadTimes, GlobalAddAtomA, GlobalAlloc, GlobalDeleteAtom, GlobalFree, GlobalLock, GlobalUnlock, HeapAlloc, HeapFree, HeapReAlloc, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LoadResource, LockResource, MapViewOfFile, MoveFileExW, MultiByteToWideChar, PostQueuedCompletionStatus, QueryPerformanceFrequency, ReadConsoleInputW, ReadFile, RemoveDirectoryW, SetConsoleCtrlHandler, SetConsoleMode, SetDllDirectoryW, SetEndOfFile, SetEvent, SetFileAttributesW, SetFilePointerEx, SetLastError, SetUnhandledExceptionFilter, SetWaitableTimer, SizeofResource, Sleep, SwitchToThread, TlsGetValue, UnmapViewOfFile, VirtualProtect, VirtualQuery, WaitForSingleObject, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile
MSIMG32.DLL	AlphaBlend
msvcrt.dll	__getmainargs, __initenv, __lconv_init, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _daylight, _errno, _initterm, _iob, _onexit, _stricmp, _timezone, _tzset, _wcsicmp, abort, atoi, calloc, exit, fprintf, fputc, free, fwrite, localeconv, malloc, memchr, memcpy, memset, qsort, setlocale, signal, strchr, strerror, strlen, strncmp, vfprintf, wcslen
ole32.dll	CreateStreamOnHGlobal
SHELL32.dll	DragFinish, DragQueryFileW, ExtractIconExW, ILCreateFromPathW, ILFree, SHOpenFolderAndSelectItems, ShellExecuteW, Shell_NotifyIconW
USER32.dll	CallWindowProcW, CloseClipboard, CreateAcceleratorTableW, CreateWindowExW, DefWindowProcW, DestroyAcceleratorTable, DestroyWindow, DispatchMessageW, EmptyClipboard, FillRect, GetClientRect, GetCursorPos, GetDC, GetFocus, GetMessageW, GetParent, GetWindowLongW, GetWindowPlacement, GetWindowRect, IsWindowVisible, LoadCursorW, LoadIconW, LoadImageW, MessageBoxW, OpenClipboard, PostMessageW, PostQuitMessage, PostThreadMessageW, RegisterClassExW, RegisterHotKey, ReleaseDC, ScreenToClient, SendMessageTimeoutW, SendMessageW, SetClipboardData, SetCursor, SetFocus, SetForegroundWindow, SetLayeredWindowAttributes, SetWindowLongW, SetWindowPlacement, SetWindowPos, ShowWindow, SystemParametersInfoW, TrackPopupMenuEx, TranslateAcceleratorW, TranslateMessage, UnregisterClassW, UnregisterHotKey, UpdateLayeredWindow
WININET.DLL	HttpQueryInfoA, InternetCloseHandle, InternetOpenUrlW, InternetOpenW, InternetReadFile

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-03T14:39:00.444613+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49712	37.19.203.49	80	TCP
2025-01-03T14:39:00.444613+0100	2020826	ET MALWARE Potential Dridex.Maldoc Minimal Executable Request	1	192.168.2.6	49712	37.19.203.49	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2025 14:38:59.746792078 CET	49712	80	192.168.2.6	37.19.203.49
Jan 3, 2025 14:38:59.751576900 CET	80	49712	37.19.203.49	192.168.2.6
Jan 3, 2025 14:38:59.751678944 CET	49712	80	192.168.2.6	37.19.203.49
Jan 3, 2025 14:38:59.751836061 CET	49712	80	192.168.2.6	37.19.203.49
Jan 3, 2025 14:38:59.756609917 CET	80	49712	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:00.444521904 CET	80	49712	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:00.444612980 CET	49712	80	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:00.538923025 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:00.538974047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:00.539040089 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:00.592538118 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:00.592556953 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.275197029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.275289059 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.331072092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.331088066 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.331412077 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.331470013 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.334913969 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.375334024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.609818935 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.609837055 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.609849930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.609905958 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.609945059 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.609955072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.610009909 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.726771116 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.726790905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.726882935 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.726897955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.727056980 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.764856100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.764873981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.764960051 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.764969110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.765026093 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.815789938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.815809011 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.815995932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.816004038 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.816144943 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.855174065 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.855192900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.855257034 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.855262995 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.855823994 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.883908033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.883929014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.884017944 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.884023905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.884068012 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.911747932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.911766052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.911849022 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.911855936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.912240028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.932526112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.932543993 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.932611942 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.932617903 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.934947014 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.950443983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.950463057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.950527906 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.950534105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.950932026 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.966716051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.966734886 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.966819048 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.966825008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.966995955 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.980118990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.980139971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.980218887 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.980226040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.982861996 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.995470047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.995488882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.995592117 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:01.995596886 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:01.995639086 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.010293007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.010312080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.010397911 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.010402918 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.011388063 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.022216082 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.022234917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.022306919 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.022313118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.023097992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.035835028 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.035852909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.035932064 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.035938025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.038182020 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.046024084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.046042919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.046116114 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.046120882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.046169043 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.057800055 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.057817936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.057894945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.057900906 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.057940006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.068136930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.068154097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.068217039 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.068223000 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.068250895 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.076018095 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.076035023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.076106071 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.076112032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.076183081 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.084860086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.084876060 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.084933043 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.084942102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.085001945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.092555046 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.092573881 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.092639923 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.092647076 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.092760086 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.109009981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.109028101 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.109105110 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.109111071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.109138966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.109149933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.120311975 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.120333910 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.120438099 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.120444059 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.120481968 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.132827997 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.132848978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.132932901 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.132940054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.135289907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.142924070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.142942905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.143003941 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.143009901 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.147088051 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.153318882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.153338909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.153373003 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.153378010 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.153407097 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.153425932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.162828922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.162847042 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.162938118 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.162945032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.167220116 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.170315981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.170334101 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.170386076 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.170391083 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.170418024 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.170433044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.179308891 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.179358959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.180324078 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.180330992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.182930946 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.195979118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.195998907 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.196074963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.196082115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.199135065 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.207216024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.207235098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.207298040 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.207304001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.210860968 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.219772100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.219789982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.219851971 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.219857931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.223170042 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.229671955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.229690075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.229758024 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.229764938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.231122971 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.255470991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.255490065 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.255577087 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.255584955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.256917953 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.256942987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.256968021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.256973982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.257014990 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.257042885 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.258488894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.258510113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.258599043 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.258605003 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.259001970 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.265978098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.266000032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.266060114 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.266066074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.266918898 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.282634020 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.282659054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.282728910 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.282736063 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.282951117 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.293961048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.293978930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.294090986 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.294097900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.294914007 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.306437969 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.306458950 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.306550026 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.306555033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.306704998 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.316452980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.316469908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.316541910 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.316548109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.319242954 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.327342033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.327377081 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.327405930 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.327414036 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.327444077 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.327459097 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.336594105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.336613894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.336684942 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.336693048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.336730003 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.344091892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.344110966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.344178915 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.344186068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.344261885 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.352885962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.352916956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.352956057 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.352962971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.352986097 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.353440046 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.369421959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.369441986 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.369508982 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.369518995 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.370999098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.380837917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.380860090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.380960941 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.380970001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.382395029 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.393301010 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.393320084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.393387079 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.393394947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.393434048 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.403321981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.403337955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.403377056 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.403383970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.403418064 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.403438091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.413834095 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.413852930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.413892031 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.413898945 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.413935900 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.413978100 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.423413992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.423443079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.423480034 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.423485994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.423508883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.423531055 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.430948973 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.430974007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.431015968 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.431022882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.431052923 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.431088924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.439682007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.439732075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.439758062 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.439764977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.439793110 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.439811945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.456424952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.456455946 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.456546068 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.456562996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.456782103 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.467686892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.467713118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.467761040 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.467770100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.467797041 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.467813015 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.480277061 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.480307102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.480338097 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.480348110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.480372906 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.480391026 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.490166903 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.490186930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.490356922 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.490366936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.490407944 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.500758886 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.500787020 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.500828028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.500837088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.500854015 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.500873089 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.510215998 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.510234118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.510286093 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.510293961 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.510313988 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.510330915 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.517812967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.517844915 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.517890930 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.517898083 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.517923117 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.517940044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.526768923 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.526813030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.526845932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.526854038 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.526885986 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.526902914 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.543329954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.543348074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.543406963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.543421030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.543471098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.554626942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.554646969 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.554708004 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.554717064 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.554898024 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.567068100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.567090034 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.567265034 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.567291021 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.567447901 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.576971054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.577044964 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.577069044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.577075958 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.577105999 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.577116966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.587539911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.587558985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.587622881 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.587634087 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.587675095 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.597142935 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.597162008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.597219944 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.597228050 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.597265005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.604635954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.604665995 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.604720116 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.604727030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.604769945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.613645077 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.613662958 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.613732100 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.613739014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.613781929 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.630191088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.630209923 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.630520105 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.630546093 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.630598068 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.641469955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.641495943 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.641609907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.641618967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.641664028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.653933048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.653958082 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.654051065 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.654063940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.654112101 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.663847923 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.663870096 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.663933992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.663942099 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.663970947 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.663991928 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.674355030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.674375057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.674462080 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.674469948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.674515009 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.684075117 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.684093952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.684164047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.684170961 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.684212923 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.691589117 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.691607952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.691729069 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.691735983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.691776037 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.700491905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.700510979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.700581074 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.700587988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.700625896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.717063904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.717082024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.717200041 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.717207909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.717248917 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.728401899 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.728425980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.728552103 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.728559017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.728606939 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.740926027 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.740947008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.741177082 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.741183996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.741230011 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.750822067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.750838995 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.750911951 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.750919104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.750960112 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.761195898 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.761214018 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.761288881 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.761296034 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.761333942 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.770948887 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.770972013 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.771034956 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.771042109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.771081924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.778492928 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.778512001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.778618097 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.778631926 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.778672934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.787425041 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.787444115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.787529945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.787539959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.787579060 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.808749914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.808777094 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.808916092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.808926105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.808969975 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.815256119 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.815279007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.815372944 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.815383911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.815423012 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.827677011 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.827694893 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.827780962 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.827790022 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.827825069 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.837574959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.837593079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.837660074 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.837667942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.837702036 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.848040104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.848056078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.848114014 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.848121881 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.848160982 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.857958078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.857975960 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.858036995 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.858043909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.858077049 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.865355968 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.865370989 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.865421057 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.865437984 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.865469933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.865492105 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.874279976 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.874295950 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.874356985 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.874366045 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.874403954 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.890765905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.890794039 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.890889883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.890898943 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.890944004 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.902599096 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.902616978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.902698040 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.902705908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.902744055 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.914607048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.914623976 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.914794922 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.914803028 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.914848089 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.924540997 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.924556971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.924649954 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.924658060 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.924699068 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.935022116 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.935045958 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.935115099 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.935122967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.935161114 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.944739103 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.944756985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.944833040 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.944840908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.944883108 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.952339888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.952358007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.952431917 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.952439070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.952480078 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.961272955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.961299896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.961400986 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.961409092 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.961463928 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.977854967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.977873087 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.977993965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.978001118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.978049994 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.989058971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.989077091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.989320993 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:02.989329100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:02.989377975 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.001775026 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.001796007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.001904964 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.001914978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.001956940 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.011547089 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.011567116 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.011679888 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.011687994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.011723995 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.021908045 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.021935940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.022030115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.022037983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.022085905 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.031560898 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.031579018 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.031697035 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.031702995 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.031744957 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.039127111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.039145947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.039225101 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.039232969 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.039272070 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.048029900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.048048973 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.048135042 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.048144102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.048186064 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.064740896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.064763069 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.064898014 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.064905882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.064953089 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.076127052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.076144934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.076306105 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.076313972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.076375008 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.088871002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.088892937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.089248896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.089257002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.089308977 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.098349094 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.098371983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.098468065 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.098493099 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.098532915 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.108710051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.108736992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.108808041 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.108815908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.108875036 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.118344069 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.118365049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.118464947 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.118472099 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.118510962 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.125972986 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.125993013 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.126092911 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.126100063 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.126138926 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.134804964 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.134830952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.134943962 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.134955883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.134980917 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.135000944 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.151531935 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.151556969 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.151803017 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.151812077 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.151851892 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.162892103 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.162909985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.163002014 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.163009882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.163053036 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.180947065 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.180967093 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.181041956 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.181050062 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.181093931 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.202275991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.202296019 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.202372074 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.202382088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.202423096 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.223659039 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.223678112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.223753929 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.223764896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.223804951 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.257813931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.257833958 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.257894039 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.257903099 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.257937908 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.260025978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.260042906 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.260107994 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.260114908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.260153055 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.279784918 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.279803991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.279876947 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.279885054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.279917955 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.293380022 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.293397903 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.293456078 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.293464899 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.293478966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.293505907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.297168016 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.297183990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.297246933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.297255039 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.297296047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.298739910 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.298760891 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.298819065 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.298827887 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.298868895 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.300584078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.300602913 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.300656080 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.300663948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.300702095 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.310528040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.310547113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.310641050 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.310648918 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.310694933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.344600916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.344621897 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.344682932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.344703913 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.344754934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.346901894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.346918106 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.346972942 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.346981049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.347023010 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.366584063 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.366604090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.366679907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.366692066 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.366734028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.380228996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.380249023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.380392075 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.380398989 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.380445957 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.383908987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.383927107 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.384008884 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.384016037 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.384078979 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.385520935 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.385539055 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.385620117 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.385627985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.385687113 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.387358904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.387373924 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.387509108 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.387516975 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.387634993 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.397512913 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.397530079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.397603989 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.397610903 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.397651911 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.431531906 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.431552887 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.431623936 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.431636095 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.431675911 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.433726072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.433741093 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.433784008 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.433790922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.433816910 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.433830023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.453444004 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.453463078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.453516006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.453522921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.453568935 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.467077017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.467097044 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.467140913 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.467149019 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.467190027 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.470901012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.470925093 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.470976114 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.470984936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.471016884 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.471029997 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.472392082 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.472408056 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.472457886 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.472464085 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.472497940 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.474280119 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.474293947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.474350929 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.474359035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.474399090 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.484256029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.484275103 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.484354973 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.484363079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.484401941 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.518553019 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.518569946 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.518619061 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.518626928 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.518661976 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.520524025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.520538092 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.520603895 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.520612001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.520651102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.540380955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.540405989 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.540463924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.540472031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.540515900 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.553910971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.553929090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.553967953 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.553975105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.554009914 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.554027081 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.557662964 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.557679892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.557742119 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.557749033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.557790995 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.559076071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.559092999 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.559154987 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.559161901 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.559199095 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.561036110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.561053038 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.561101913 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.561110020 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.561144114 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.571172953 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.571191072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.571233034 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.571239948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.571279049 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.605439901 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.605459929 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.605509996 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.605516911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.605560064 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.607445002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.607470989 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.607515097 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.607521057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.607567072 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.627249956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.627270937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.627439976 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.627449989 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.627501011 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.640818119 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.640841007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.640916109 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.640923977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.640964031 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.644498110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.644514084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.644575119 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.644582033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.644623995 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.646044970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.646059990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.646126032 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.646133900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.646173954 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.647900105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.647929907 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.647974014 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.647979975 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.648006916 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.648026943 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.658040047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.658056021 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.658118010 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.658124924 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.658164024 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.692279100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.692295074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.692437887 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.692445993 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.692491055 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.694247961 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.694264889 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.694327116 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.694334030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.694379091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.714267969 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.714287043 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.714354038 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.714365959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.714406013 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.727606058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.727622986 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.727694035 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.727701902 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.727744102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.731267929 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.731287003 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.731336117 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.731343985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.731378078 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.732805967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.732822895 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.732878923 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.732884884 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.732923031 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.734756947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.734776020 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.734827995 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.734834909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.734873056 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.744873047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.744890928 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.744956017 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.744962931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.745002985 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.779220104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.779237986 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.779396057 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.779416084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.779462099 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.781347990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.781373978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.781430006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.781440973 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.781476021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.781496048 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.801104069 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.801130056 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.801271915 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.801284075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.801323891 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.814450979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.814469099 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.814584017 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.814591885 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.814630032 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.818090916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.818108082 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.818190098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.818200111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.818242073 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.819581985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.819597006 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.819664001 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.819673061 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.819717884 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.821604967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.821621895 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.821680069 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.821686029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.821723938 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.831768990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.831784010 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.831846952 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.831857920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.831896067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.866255999 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.866274118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.866345882 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.866353035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.866394043 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.868172884 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.868191957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.868258953 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.868266106 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.868308067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.887989998 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.888005972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.888081074 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.888088942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.888129950 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.901288986 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.901304007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.901385069 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.901391983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.901427984 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.904983997 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.904999971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.905072927 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.905081987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.905128956 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.906419992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.906438112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.906492949 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.906500101 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.906538010 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.908278942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.908294916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.908351898 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.908358097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.908390999 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.918612957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.918628931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.918700933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.918709040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.918745041 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.953094959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.953113079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.953171968 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.953178883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.953221083 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.955101967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.955122948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.955178976 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.955188036 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.955228090 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.974936008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.974955082 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.975024939 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.975033045 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.975065947 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.975085020 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.988141060 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.988158941 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.988240004 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.988248110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.988286972 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.991833925 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.991848946 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.991905928 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.991911888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.991949081 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.993290901 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.993307114 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.993366957 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.993375063 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.993408918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.995120049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.995136023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.995306015 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:03.995317936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:03.995367050 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.005496025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.005511045 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.005582094 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.005588055 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.005625963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.040180922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.040209055 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.040265083 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.040272951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.040384054 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.042020082 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.042037010 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.042094946 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.042103052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.042207956 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.062232971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.062252045 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.062292099 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.062299013 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.062335968 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.074973106 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.074990988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.075037003 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.075045109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.075088024 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.078593969 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.078613043 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.078659058 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.078665018 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.078686953 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.078706026 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.080159903 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.080177069 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.080205917 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.080245972 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.080250978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.080302000 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.081989050 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.082024097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.082048893 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.082055092 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.082083941 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.082112074 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.092300892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.092329025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.092366934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.092391014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.092427015 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.092437029 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.127043962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.127068996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.127134085 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.127146959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.127183914 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.127196074 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.128885031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.128904104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.128942013 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.128951073 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.128983974 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.129004002 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.149111986 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.149136066 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.149179935 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.149189949 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.149229050 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.149271965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.162367105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.162393093 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.162436008 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.162445068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.162492990 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.166066885 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.166084051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.166145086 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.166152954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.166197062 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.167749882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.167764902 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.167824984 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.167831898 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.167865992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.169595957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.169614077 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.169652939 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.169660091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.169691086 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.169709921 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.179264069 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.179282904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.179932117 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.179943085 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.179987907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.214046001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.214062929 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.214139938 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.214149952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.214159966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.214189053 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.215596914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.215615034 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.215671062 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.215677977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.215718031 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.235990047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.236008883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.236069918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.236079931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.236119032 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.257661104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.257680893 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.257734060 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.257742882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.257756948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.257774115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.257780075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.257802963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.257811069 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.257833958 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.257869005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.258002996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.258019924 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.258069992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.258078098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.258133888 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.258759022 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.258784056 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.258857965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.258865118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.258905888 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.266057014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.266078949 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.266124010 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.266133070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.266168118 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.266177893 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.300813913 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.300848007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.300899029 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.300915003 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.300944090 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.300966978 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.302479029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.302496910 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.302567005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.302575111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.302614927 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.322896004 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.322912931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.322993040 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.323003054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.323046923 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.342716932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.342736006 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.342823982 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.342833042 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.342873096 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.343178988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.343194962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.343254089 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.343261957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.343303919 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.343600988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.343617916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.343691111 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.343697071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.343734980 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.343796015 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.343811035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.343842030 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.343847990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.343872070 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.343895912 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.352946997 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.352966070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.353035927 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.353049994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.353094101 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.387670040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.387692928 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.387788057 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.387798071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.387840033 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.389301062 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.389317036 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.389388084 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.389395952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.389436007 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.409646034 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.409662962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.409742117 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.409749985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.409794092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.429518938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.429534912 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.429605007 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.429614067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.429655075 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.429886103 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.429902077 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.429949045 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.429955959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.429996967 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.430434942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.430449963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.430488110 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.430495024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.430526972 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.430546045 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.430746078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.430788040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.430805922 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.430813074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.430839062 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.430852890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.440007925 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.440080881 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.440105915 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.440113068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.440150976 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.440171003 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.474544048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.474566936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.474632025 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.474639893 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.474687099 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.476175070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.476195097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.476249933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.476257086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.476295948 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.496500015 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.496534109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.496689081 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.496696949 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.496741056 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.516540051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.516557932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.516688108 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.516695023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.516751051 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.516902924 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.516922951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.516958952 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.516966105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.516995907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.517018080 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.517391920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.517407894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.517469883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.517477989 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.517514944 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.517852068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.517868042 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.517941952 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.517949104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.517987967 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.526659966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.526678085 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.526765108 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.526772976 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.526814938 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.561306953 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.561325073 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.561444044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.561451912 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.561491966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.564699888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.564717054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.564785957 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.564791918 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.564832926 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.583446026 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.583463907 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.583580017 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.583587885 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.583622932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.603446960 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.603463888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.603540897 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.603549004 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.603610039 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.604013920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.604028940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.604085922 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.604093075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.604127884 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.604238033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.604259014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.604305983 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.604315042 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.604357004 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.604820967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.604837894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.604902029 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.604908943 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.604944944 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.613466024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.613486052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.613552094 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.613559008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.613620043 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.648160934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.648180008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.648263931 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.648272038 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.648318052 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.651434898 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.651458979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.651521921 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.651529074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.651568890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.670315981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.670336008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.670433998 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.670443058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.670486927 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.690505981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.690557003 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.690603971 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.690610886 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.690640926 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.690655947 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.690973997 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.690989017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.691041946 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.691049099 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.691092014 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.691301107 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.691320896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.691375017 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.691382885 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.691421986 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.691766024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.691798925 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.691833973 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.691842079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.691868067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.691888094 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.700366974 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.700386047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.700480938 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.700489044 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.700526953 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.735088110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.735109091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.735232115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.735239029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.735281944 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.738281012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.738300085 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.738359928 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.738367081 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.738406897 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.757076979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.757096052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.757184982 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.757193089 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.757235050 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.777304888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.777323961 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.777393103 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.777400017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.777467966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.777724981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.777746916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.777782917 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.777789116 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.777812958 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.777834892 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.778151035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.778167009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.778232098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.778239012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.778281927 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.778599977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.778615952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.778688908 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.778696060 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.778738022 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.787306070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.787334919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.787400961 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.787409067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.787453890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.821870089 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.821908951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.822079897 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.822086096 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.822148085 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.825337887 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.825356960 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.825413942 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.825422049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.825460911 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.843962908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.843981981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.844068050 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.844077110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.844119072 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.864278078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.864299059 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.864428043 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.864435911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.864490032 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.864635944 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.864660025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.864695072 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.864701033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.864729881 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.864752054 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.865047932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.865066051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.865117073 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.865123987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.865169048 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.865459919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.865475893 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.865528107 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.865535021 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.865580082 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.874232054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.874255896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.874322891 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.874331951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.874372959 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.914060116 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.914083958 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.914122105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.914151907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.914159060 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.914174080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.914232969 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.930900097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.930923939 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.931042910 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.931051970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.931096077 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.951072931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.951098919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.951190948 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.951200008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.951246977 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.951412916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.951428890 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.951461077 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.951466084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.951494932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.951514006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.951764107 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.951781988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.951829910 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.951838017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.951881886 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.952168941 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.952186108 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.952241898 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.952250004 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.952292919 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.961078882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.961100101 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.961211920 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.961219072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.961261988 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.995618105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.995640039 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.995779991 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.995791912 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.995839119 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.998967886 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.998986959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.999053001 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:04.999061108 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:04.999099016 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.017684937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.017704010 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.017807961 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.017817020 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.017868042 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.037805080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.037826061 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.037992001 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.037997961 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.038048983 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.038222075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.038260937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.038280964 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.038285971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.038326979 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.038340092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.038642883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.038660049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.038717031 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.038723946 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.038764000 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.039053917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.039071083 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.039119959 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.039129019 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.039171934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.047895908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.047916889 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.048144102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.048151016 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.048204899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.105061054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.105087996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.105142117 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.105150938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.105211020 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.115669012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.115691900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.115735054 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.115742922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.115791082 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.120975018 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.120997906 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.121064901 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.121073961 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.121115923 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.124830008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.124850035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.124886036 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.124893904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.124948025 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.124948025 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.125282049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.125298023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.125346899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.125354052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.125405073 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.125600100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.125614882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.125662088 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.125669956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.125708103 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.126060009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.126076937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.126121998 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.126128912 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.126172066 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.134706974 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.134721994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.134805918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.134814024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.134849072 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.191891909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.191912889 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.191983938 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.191998005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.192049026 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.202543020 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.202558994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.202600956 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.202610970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.202636957 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.202656031 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.207704067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.207736969 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.207772970 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.207779884 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.207806110 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.207828999 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.211497068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.211513996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.211600065 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.211615086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.211657047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.211921930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.211936951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.211998940 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.212007999 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.212049961 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.212274075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.212291002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.212347984 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.212354898 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.212392092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.212614059 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.212630033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.212685108 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.212692022 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.212730885 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.221630096 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.221656084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.221697092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.221712112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.221729994 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.221744061 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.278712988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.278737068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.278826952 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.278836966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.278882027 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.289438963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.289462090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.289544106 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.289556980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.289599895 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.294461966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.294477940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.294547081 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.294572115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.294614077 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.298279047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.298296928 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.298362970 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.298371077 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.298420906 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.301234007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.301250935 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.301316977 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.301325083 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.301364899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.302709103 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.302723885 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.302782059 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.302788973 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.302826881 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.302828074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.302840948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.302864075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.302881956 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.302890062 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.302912951 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.302928925 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.319581032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.319597006 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.319669008 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.319678068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.319715977 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.365590096 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.365607023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.365684032 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.365695953 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.365740061 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.381067991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.381086111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.381159067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.381181002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.381225109 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.384949923 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.384965897 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.385039091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.385046005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.385087967 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.385310888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.385327101 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.385381937 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.385390043 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.385428905 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.385683060 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.385698080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.385746002 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.385751963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.385787964 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.385977983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.385994911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.386044025 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.386050940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.386087894 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.389028072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.389045000 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.389101028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.389107943 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.389149904 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.405118942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.405149937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.405206919 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.405215979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.405261993 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.452610970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.452636003 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.452716112 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.452728033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.452768087 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.467725039 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.467740059 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.467819929 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.467837095 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.467879057 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.471824884 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.471842051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.471884966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.471893072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.471921921 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.471945047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.472229958 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.472245932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.472300053 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.472306013 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.472347021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.472618103 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.472632885 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.472687006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.472695112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.472733021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.472845078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.472862005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.472898006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.472906113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.472928047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.472949982 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.475869894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.475888968 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.475967884 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.475979090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.476032972 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.491935015 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.491954088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.492034912 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.492062092 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.492075920 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.492103100 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.539515972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.539539099 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.539642096 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.539680958 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.539727926 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.554637909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.554662943 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.554755926 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.554769039 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.554811954 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.558686972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.558702946 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.558744907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.558753014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.558779955 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.558799982 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.558970928 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.558986902 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.559041023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.559048891 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.559087038 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.559498072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.559519053 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.559571981 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.559578896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.559612036 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.559621096 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.559627056 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.559653997 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.559659958 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.559696913 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.559703112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.559745073 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.562943935 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.562958002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.563028097 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.563035011 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.563066959 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.563097954 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.579067945 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.579092979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.579164028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.579191923 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.579229116 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.626492023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.626509905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.626594067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.626624107 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.626668930 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.641364098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.641380072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.641460896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.641488075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.641535997 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.645499945 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.645517111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.645586967 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.645596027 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.645637989 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.648943901 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.648958921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.649032116 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.649039030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.649089098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.649163008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.649178982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.649226904 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.649234056 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.649276972 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.649415016 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.649430990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.649501085 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.649501085 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.649508953 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.649549007 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.655585051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.655601025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.655657053 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.655672073 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.655690908 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.655704021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.666295052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.666317940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.666368008 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.666376114 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.666405916 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.666428089 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.713578939 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.713606119 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.713644028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.713660955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.713684082 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.713694096 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.730062962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.730082035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.730145931 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.730155945 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.730195045 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.732394934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.732412100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.732474089 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.732481956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.732522011 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.736146927 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.736167908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.736215115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.736221075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.736255884 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.736257076 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.736279964 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.736290932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.736299992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.736301899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.736335993 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.736363888 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.736543894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.736558914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.736605883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.736613035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.736653090 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.742167950 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.742193937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.742255926 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.742264032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.742306948 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.753181934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.753204107 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.753267050 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.753273964 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.753312111 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.800358057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.800384998 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.800461054 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.800479889 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.800518990 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.816934109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.816953897 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.817042112 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.817049980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.817086935 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.819192886 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.819210052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.819274902 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.819283962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.819324017 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.822807074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.822824001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.822884083 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.822891951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.822928905 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.823074102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.823090076 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.823137999 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.823143959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.823187113 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.823411942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.823427916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.823481083 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.823488951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.823528051 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.829075098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.829107046 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.829153061 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.829160929 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.829199076 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.829227924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.840147018 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.840164900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.840265036 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.840276957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.840322971 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.887206078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.887237072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.887300014 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.887315989 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.887335062 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.887356997 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.903760910 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.903779030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.903853893 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.903866053 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.903903008 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.906315088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.906331062 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.906378984 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.906384945 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.906421900 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.906438112 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.909622908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.909640074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.909698009 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.909706116 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.909744978 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.910026073 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.910041094 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.910075903 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.910082102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.910105944 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.910120964 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.910345078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.910367012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.910418034 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.910425901 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.910463095 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.915827036 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.915846109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.915903091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.915913105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.915931940 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.915956974 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.927041054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.927058935 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.927129984 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.927138090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.927167892 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.927190065 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.974225044 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.974246025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.974335909 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.974353075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.974401951 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.990608931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.990626097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.990703106 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.990711927 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.990752935 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.993144989 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.993161917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.993227959 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.993235111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.993278027 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.996596098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.996611118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.996716976 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.996716976 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.996726036 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.996762991 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.996820927 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.996853113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.996880054 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.996887922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.996917009 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.996936083 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.997296095 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.997335911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.997350931 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.997356892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:05.997399092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:05.997399092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.002676010 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.002696037 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.002756119 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.002763033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.002801895 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.002818108 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.013983011 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.014002085 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.014069080 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.014075994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.014138937 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.062544107 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.062561989 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.062686920 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.062704086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.062751055 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.077492952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.077512980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.077601910 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.077610970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.077650070 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.080315113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.080331087 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.080425024 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.080432892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.080481052 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.083805084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.083822012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.083889961 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.083899021 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.083933115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.084403038 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.084424973 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.084467888 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.084475040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.084501028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.084517956 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.084523916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.084536076 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.084553003 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.084579945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.084587097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.084614992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.084624052 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.089535952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.089553118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.089613914 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.089622021 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.089654922 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.089675903 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.101177931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.101197004 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.101249933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.101259947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.101295948 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.101309061 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.147838116 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.147856951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.147948980 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.147958040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.147998095 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.164446115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.164463043 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.164549112 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.164558887 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.164589882 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.167054892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.167074919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.167144060 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.167151928 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.167187929 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.170228958 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.170245886 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.170290947 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.170298100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.170339108 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.170353889 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.170589924 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.170603991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.170639992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.170645952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.170665979 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.170691967 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.170941114 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.170954943 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.170994997 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.171000957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.171020031 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.171046972 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.176346064 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.176359892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.176409006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.176417112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.176456928 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.187947989 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.187977076 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.188016891 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.188030005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.188061953 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.188072920 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.208836079 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.234755993 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.234774113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.234828949 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.234839916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.234860897 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.234883070 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.255062103 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.255079985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.255141020 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.255158901 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.255215883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.255345106 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.255358934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.255400896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.255409956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.255425930 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.255445004 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.257097960 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.257145882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.257174015 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.257181883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.257211924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.257225037 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.257451057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.257466078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.257503033 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.257510900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.257539988 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.257546902 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.257812977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.257834911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.257863045 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.257869959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.257894039 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.257910013 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.263159037 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.263176918 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.263232946 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.263242960 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.263302088 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.274671078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.274702072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.274733067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.274739981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.274777889 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.274797916 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.321532965 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.321552992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.321599007 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.321607113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.321643114 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.321651936 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.341873884 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.341919899 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.341947079 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.341953993 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.341994047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.342226028 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.342245102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.342272997 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.342278957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.342309952 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.342328072 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.343935013 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.343952894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.343997002 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.344002962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.344031096 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.344049931 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.344274044 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.344289064 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.344329119 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.344336033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.344398975 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.344676018 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.344691038 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.344722033 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.344728947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.344755888 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.344780922 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.349956036 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.349971056 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.350012064 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.350018024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.350044012 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.350073099 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.361457109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.361474037 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.361510992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.361517906 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.361543894 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.361557961 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.408377886 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.408395052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.408442020 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.408452988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.408480883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.408498049 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.428817987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.428838968 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.428920984 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.428930044 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.428966999 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.429181099 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.429217100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.429246902 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.429255009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.429282904 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.429292917 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.430838108 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.430865049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.430907965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.430913925 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.430938959 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.430963039 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.431113958 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.431129932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.431179047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.431186914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.431226015 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.431596994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.431613922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.431757927 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.431766033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.431818008 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.436808109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.436825037 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.436887980 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.436896086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.436937094 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.448304892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.448323011 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.448393106 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.448400974 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.448440075 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.495289087 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.495305061 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.495388985 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.495398045 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.495436907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.518167973 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.518184900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.518280983 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.518291950 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.518337965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.518416882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.518430948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.518471956 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.518477917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.518507004 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.518544912 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.518635988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.518654108 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.518698931 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.518712044 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.518752098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.518836975 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.518852949 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.518898010 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.518906116 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.518945932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.519201994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.519217014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.519265890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.519273996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.519316912 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.523736954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.523751974 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.523824930 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.523833990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.523876905 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.535375118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.535391092 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.535485029 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.535501957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.535547018 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.582231998 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.582251072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.582318068 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.582329035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.582371950 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.604777098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.604800940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.604895115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.604902983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.604953051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.604959011 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.604965925 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.604998112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.605010033 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.605016947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.605050087 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.605074883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.605412006 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.605427027 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.605483055 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.605490923 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.605762005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.605859995 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.605878115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.605926991 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.605935097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.606024981 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.606106997 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.606122017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.606178045 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.606184959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.606411934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.610538006 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.610553980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.610609055 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.610616922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.610843897 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.622060061 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.622076035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.622149944 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.622158051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.622198105 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.669096947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.669117928 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.669181108 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.669193983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.669611931 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.691560984 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.691577911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.691648960 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.691658020 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.691797018 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.691817045 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.691868067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.691876888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.692102909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.692118883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.692183018 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.692192078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.692487001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.692508936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.692549944 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.692558050 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.692579031 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.692604065 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.692770958 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.692785978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.692833900 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.692841053 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.693172932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.697401047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.697417021 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.697482109 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.697489023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.697851896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.708990097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.709028959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.709043026 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.709050894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.709079981 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.709090948 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.755971909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.756006002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.756048918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.756062031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.756092072 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.756103039 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.778383970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.778403044 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.778486013 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.778495073 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.778614044 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.778635979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.778673887 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.778681040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.778693914 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.778724909 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.778903961 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.778918982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.778973103 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.778980970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.779124975 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.779305935 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.779325962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.779365063 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.779371977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.779386044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.779408932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.779678106 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.779695034 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.779752016 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.779757977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.779989958 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.784210920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.784229994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.784296036 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.784303904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.784537077 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.795792103 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.795809031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.795901060 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.795908928 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.796389103 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.843336105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.843357086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.843457937 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.843467951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.843506098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.865334988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.865355015 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.865425110 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.865432978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.865474939 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.865652084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.865667105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.865719080 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.865726948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.865895033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.865916967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.865952969 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.865961075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.865983963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.866007090 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.866333961 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.866349936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.866410971 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.866419077 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.866545916 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.866576910 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.866591930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.866645098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.866652966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.866947889 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.871088982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.871105909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.871186018 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.871198893 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.871244907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.882678986 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.882719040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.882771015 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.882786989 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.882816076 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.882823944 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.930052996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.930075884 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.930165052 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.930190086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.930272102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.952145100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.952161074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.952214003 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.952223063 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.952430010 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.952461004 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.952476978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.952507019 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.952512980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.952538967 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.952550888 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.952733040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.952749014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.952799082 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.952806950 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.952851057 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.953138113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.953156948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.953248024 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.953248024 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.953255892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.953318119 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.953461885 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.953478098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.953531981 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.953540087 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.953671932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.957993984 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.958053112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.958070040 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.958077908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.958106041 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.958116055 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.969476938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.969494104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.969573021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:06.969580889 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:06.969722986 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.016829014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.016845942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.016937017 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.016949892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.017143965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.038954973 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.038969994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.039067030 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.039077044 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.039305925 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.039335012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.039366007 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.039375067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.039386034 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.039414883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.039572954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.039587975 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.039635897 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.039643049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.039927006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.039975882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.039992094 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.040043116 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.040050983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.040283918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.040436983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.040453911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.040499926 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.040507078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.040724993 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.044982910 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.045005083 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.045058966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.045067072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.045273066 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.056400061 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.056428909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.056483984 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.056493044 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.056876898 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.103693008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.103714943 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.103790045 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.103820086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.104051113 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.125890017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.125926971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.125977039 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.125992060 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.126044035 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.126085043 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.126100063 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.126143932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.126151085 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.126219988 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.126478910 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.126493931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.126537085 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.126544952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.126605034 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.126773119 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.126785994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.126825094 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.126833916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.126856089 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.126872063 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.127183914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.127197981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.127264023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.127270937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.127346039 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.131752968 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.131779909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.131822109 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.131829977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.131856918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.131944895 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.143579960 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.143598080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.143659115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.143667936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.143786907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.190511942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.190545082 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.190625906 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.190634966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.190687895 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.212616920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.212636948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.212717056 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.212724924 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.212764025 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.213073969 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.213090897 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.213151932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.213160038 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.213212013 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.213258028 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.213274002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.213310957 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.213319063 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.213346004 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.213356972 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.213661909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.213675022 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.213728905 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.213737011 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.213937998 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.213970900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.214004040 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.214010954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.214042902 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.214052916 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.218391895 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.218406916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.218487978 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.218497038 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.218873024 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.230421066 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.230437994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.230496883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.230505943 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.230874062 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.277632952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.277657986 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.277709961 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.277726889 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.277759075 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.277776003 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.299427032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.299444914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.299515963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.299523115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.299765110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.299782991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.299839973 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.299844980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.300084114 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.300091028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.300097942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.300132990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.300143003 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.300153971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.300188065 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.300446033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.300462008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.300522089 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.300529003 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.300811052 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.300837040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.300853014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.300909042 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.300914049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.301121950 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.305275917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.305291891 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.305350065 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.305356026 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.305454016 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.317384005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.317399025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.317454100 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.317462921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.317723989 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.364176989 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.364195108 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.364290953 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.364300013 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.364700079 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.386480093 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.386497021 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.386574030 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.386581898 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.386688948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.386707067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.386745930 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.386753082 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.386779070 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.386801958 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.387027979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.387042999 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.387099028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.387108088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.387242079 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.387340069 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.387361050 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.387411118 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.387418985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.387510061 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.387703896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.387721062 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.387773037 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.387778997 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.388000965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.392364979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.392383099 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.392420053 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.392426014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.392461061 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.392472982 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.404297113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.404314041 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.404371023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.404376984 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.404608965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.470397949 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.470417976 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.470490932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.470499992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.470876932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.539165020 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.539184093 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.539268970 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.539284945 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.539335012 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.539378881 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.539396048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.539443016 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.539448023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.539522886 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.539959908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.539974928 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.540041924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.540047884 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.540194988 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.540281057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.540297985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.540357113 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.540361881 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.540430069 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.540591002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.540606022 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.540673971 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.540680885 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.541328907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.556663036 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.556675911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.556756973 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.556763887 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.557173967 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.594335079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.594355106 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.594424009 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.594440937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.594485044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.649919033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.649947882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.650005102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.650012970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.650044918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.650065899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.680403948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.680419922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.680473089 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.680480003 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.680521965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.680696964 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.680711985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.680763006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.680768967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.680808067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.681061029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.681075096 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.681133032 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.681138992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.681200027 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.681401014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.681420088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.681478977 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.681485891 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.681521893 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.681690931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.681706905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.681752920 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.681759119 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.681796074 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.682123899 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.682141066 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.682202101 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.682207108 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.682244062 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.684565067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.684581995 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.684652090 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.684659004 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.684699059 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.736799955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.736819983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.736900091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.736912012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.736952066 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.767297983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.767318010 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.767386913 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.767394066 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.767431974 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.767575979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.767589092 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.767633915 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.767641068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.767683029 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.767932892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.767947912 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.767990112 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.767997026 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.768018961 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.768027067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.768282890 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.768304110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.768340111 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.768345118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.768373966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.768387079 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.768631935 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.768647909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.768688917 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.768695116 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.768718004 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.768737078 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.768969059 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.768985987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.769045115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.769051075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.769088984 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.771390915 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.771405935 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.771461010 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.771466970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.771506071 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.823638916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.823666096 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.823779106 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.823786974 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.823843956 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.854135990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.854151964 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.854238987 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.854244947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.854288101 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.854479074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.854496956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.854561090 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.854566097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.854628086 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.854844093 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.854861021 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.854907990 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.854912996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.854939938 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.854959011 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.855145931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.855160952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.855214119 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.855218887 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.855262995 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.855608940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.855624914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.855689049 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.855695009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.855739117 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.855829954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.855850935 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.855885029 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.855890036 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.855911016 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.855925083 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.858186960 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.858201981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.858278036 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.858283997 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.858323097 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.910509109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.910525084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.910583973 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.910593987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.910605907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.910629988 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.941112041 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.941131115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.941179037 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.941184998 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.941203117 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.941219091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.941355944 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.941373110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.941406965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.941411972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.941436052 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.941442966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.941695929 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.941709042 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.941764116 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.941770077 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.941821098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.942071915 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.942089081 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.942126989 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.942131996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.942158937 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.942168951 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.942343950 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.942357063 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.942393064 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.942398071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.942424059 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.942439079 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.942651033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.942672014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.942737103 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.942742109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.942770958 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.942790031 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.945143938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.945161104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.945240021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.945245981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.945280075 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.997272015 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.997287035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.997329950 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.997349977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:07.997364044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:07.997380018 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.027992964 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.028009892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.028063059 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.028079033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.028095007 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.028115034 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.028270006 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.028289080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.028342009 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.028348923 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.028389931 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.028594971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.028628111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.028650999 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.028656960 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.028678894 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.028701067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.028879881 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.028894901 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.028942108 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.028947115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.028985977 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.029211998 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.029227972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.029268026 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.029273033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.029299974 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.029326916 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.029552937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.029567957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.029609919 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.029616117 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.029644012 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.029652119 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.032085896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.032100916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.032162905 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.032169104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.032212019 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.084166050 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.084182978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.084239960 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.084247112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.084276915 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.084297895 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.114753962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.114769936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.114850998 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.114860058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.114898920 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.115086079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.115115881 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.115148067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.115154028 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.115183115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.115192890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.115415096 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.115437031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.115469933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.115474939 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.115500927 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.115520000 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.115751982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.115766048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.115814924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.115819931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.115861893 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.116059065 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.116074085 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.116128922 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.116133928 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.116169930 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.116422892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.116436005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.116482973 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.116487980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.116527081 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.118949890 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.118966103 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.119023085 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.119028091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.119074106 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.170969963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.170985937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.171106100 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.171113968 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.171154022 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.201630116 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.201654911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.201780081 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.201786995 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.201838017 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.201884031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.201900959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.201961040 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.201968908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.202011108 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.202337980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.202353954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.202406883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.202411890 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.202455044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.202598095 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.202615023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.202663898 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.202670097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.202708006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.202920914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.202936888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.202982903 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.202987909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.203031063 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.203290939 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.203305960 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.203361034 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.203366041 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.203404903 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.205773115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.205790043 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.205869913 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.205877066 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.205916882 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.257989883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.258007050 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.258131981 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.258140087 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.258182049 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.288564920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.288582087 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.288647890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.288656950 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.288705111 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.288840055 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.288856983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.288912058 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.288918018 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.288964033 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.289218903 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.289232969 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.289268970 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.289274931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.289303064 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.289321899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.289529085 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.289545059 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.289581060 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.289586067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.289609909 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.289628029 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.289829969 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.289855957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.289881945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.289886951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.289911032 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.289927006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.290189028 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.290224075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.290239096 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.290246010 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.290266991 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.290288925 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.292658091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.292675018 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.292712927 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.292723894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.292752028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.292771101 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.344741106 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.344759941 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.344854116 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.344870090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.344912052 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.375458956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.375477076 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.375551939 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.375560999 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.375708103 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.375709057 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.375719070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.375752926 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.375761032 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.375771999 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.375807047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.375818968 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.376013994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.376029015 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.376077890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.376084089 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.376121044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.376283884 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.376298904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.376344919 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.376349926 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.376386881 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.376791000 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.376805067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.376863003 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.376868963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.376905918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.377049923 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.377063990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.377108097 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.377113104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.377150059 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.379487038 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.379503012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.379560947 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.379566908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.379606962 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.431535959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.431552887 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.431723118 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.431730986 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.431780100 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.462505102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.462526083 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.462618113 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.462625027 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.462668896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.462737083 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.462753057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.462801933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.462807894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.462852001 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.463128090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.463155031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.463186979 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.463196039 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.463217020 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.463243008 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.463468075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.463486910 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.463540077 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.463546038 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.463582993 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.463685989 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.463706017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.463754892 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.463759899 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.463799000 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.464036942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.464051962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.464102983 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.464108944 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.464148045 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.466329098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.466350079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.466411114 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.466417074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.466456890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.518390894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.518413067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.518651962 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.518666983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.518709898 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.549163103 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.549181938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.549420118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.549452066 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.549468040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.549488068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.549499035 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.549515963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.549540043 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.549726009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.549740076 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.549789906 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.549797058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.549835920 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.550075054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.550101995 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.550122023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.550126076 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.550154924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.550172091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.550340891 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.550355911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.550395966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.550400972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.550420046 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.550440073 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.550715923 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.550733089 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.550770998 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.550776005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.550798893 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.550822020 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.553123951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.553153038 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.553221941 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.553227901 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.553273916 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.605185986 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.605207920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.605437994 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.605451107 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.605494022 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.635950089 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.635971069 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.636179924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.636192083 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.636233091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.636240005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.636255026 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.636302948 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.636307955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.636344910 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.636646032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.636662960 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.636708021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.636713028 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.636751890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.636955023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.636975050 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.637005091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.637011051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.637058020 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.637058020 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.637311935 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.637326956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.637367010 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.637372017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.637408018 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.637552023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.637584925 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.637599945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.637604952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.637633085 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.637641907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.639882088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.639952898 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.639987946 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.639992952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.640028954 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.691956043 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.691972971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.692087889 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.692096949 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.692140102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.722692966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.722708941 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.722781897 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.722790003 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.722827911 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.723041058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.723054886 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.723087072 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.723090887 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.723118067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.723134041 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.723339081 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.723354101 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.723387957 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.723392963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.723407030 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.723428011 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.723661900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.723676920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.723711014 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.723721981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.723731995 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.723757982 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.724071980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.724087000 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.724133968 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.724139929 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.724174023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.724366903 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.724381924 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.724415064 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.724420071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.724443913 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.724452019 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.726943016 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.726958990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.727011919 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.727018118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.727056026 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.778806925 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.778832912 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.778887987 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.778898001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.779057026 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.779057026 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.809578896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.809597015 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.809755087 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.809762955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.809798956 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.809859991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.809876919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.809922934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.809928894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.809967041 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.810198069 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.810214996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.810256004 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.810261011 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.810297966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.810563087 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.810576916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.810626030 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.810631990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.810668945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.810973883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.810997009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.811057091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.811057091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.811064959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.811099052 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.811170101 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.811187983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.811232090 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.811239004 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.811280966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.813796997 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.813813925 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.813888073 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.813891888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.813925982 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.813934088 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.868107080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.868141890 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.868175030 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.868180990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.868211031 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.868226051 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.896497965 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.896513939 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.896610022 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.896615982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.896656036 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.896811008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.896831036 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.896866083 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.896871090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.896903992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.896912098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.897042990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.897059917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.897093058 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.897099018 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.897125959 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.897138119 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.897420883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.897435904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.897492886 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.897499084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.897537947 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.897722006 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.897737026 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.897774935 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.897779942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.897806883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.897815943 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.898046017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.898061037 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.898112059 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.898118019 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.898158073 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.900638103 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.900652885 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.900727987 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.900732994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.900774956 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.954828024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.954843998 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.954927921 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.954938889 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.954982042 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.983298063 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.983323097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.983370066 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.983375072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.983424902 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.983663082 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.983678102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.983731031 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.983736992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.983783007 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.983854055 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.983874083 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.983927011 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.983932972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.983974934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.984335899 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.984350920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.984407902 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.984426022 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.984456062 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.984649897 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.984663010 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.984714985 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.984720945 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.984759092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.984921932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.984935999 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.984983921 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.984989882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.985027075 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.987541914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.987556934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.987615108 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:08.987622976 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:08.987659931 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.041640043 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.041660070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.041712046 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.041728020 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.041742086 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.041764021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.070467949 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.070486069 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.070563078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.070585012 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.070597887 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.070640087 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.070647001 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.070657969 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.070691109 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.070703030 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.070849895 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.070866108 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.070914030 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.070919991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.070960045 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.071154118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.071171045 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.071217060 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.071223974 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.071257114 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.071590900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.071607113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.071631908 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.071636915 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.071661949 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.071681976 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.071724892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.071738958 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.071775913 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.071780920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.071799994 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.071816921 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.074274063 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.074323893 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.074337959 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.074342012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.074362040 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.074390888 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.128556013 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.128575087 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.128638029 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.128652096 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.128688097 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.157032967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.157057047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.157116890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.157130957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.157182932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.157361984 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.157378912 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.157413960 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.157418966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.157447100 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.157470942 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.157782078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.157797098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.157835960 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.157841921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.157870054 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.157890081 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.159159899 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.159176111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.159235001 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.159240007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.159276962 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.159596920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.159621954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.159651995 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.159656048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.159682989 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.159696102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.159816027 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.159831047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.159872055 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.159877062 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.159905910 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.161284924 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.161300898 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.161345959 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.161350965 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.161376953 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.161397934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.215440035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.215464115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.215533018 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.215545893 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.215586901 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.256788969 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.256805897 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.256867886 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.256876945 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.256932974 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.257102013 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.257118940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.257155895 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.257160902 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.257184982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.257185936 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.257198095 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.257205009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.257215023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.257230997 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.257266045 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.257467985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.257483959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.257528067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.257534027 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.257570028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.257631063 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.257646084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.257688046 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.257693052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.257730961 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.257916927 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.257931948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.257978916 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.257983923 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.258022070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.258022070 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.258030891 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.258064985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.258073092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.258083105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.258120060 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.258133888 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.302228928 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.302253962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.302321911 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.302335024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.302381039 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.333483934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.333501101 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.333564043 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.333571911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.333606005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.333800077 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.333815098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.333856106 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.333861113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.333919048 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.334136963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.334172010 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.334206104 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.334211111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.334237099 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.334254026 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.334408045 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.334423065 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.334462881 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.334466934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.334506989 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.334670067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.334701061 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.334722996 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.334729910 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.334768057 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.334786892 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.335057974 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.335076094 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.335125923 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.335131884 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.335189104 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.343513966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.343528986 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.343605042 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.343611956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.343652010 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.389048100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.389065981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.389116049 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.389125109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.389153957 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.389175892 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.420382023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.420399904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.420458078 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.420464039 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.420511007 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.420697927 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.420720100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.420752048 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.420758009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.420788050 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.420810938 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.421000004 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.421021938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.421052933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.421056986 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.421094894 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.421226978 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.421334982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.421349049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.421380043 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.421385050 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.421412945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.421427011 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.421731949 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.421749115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.421785116 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.421788931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.421811104 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.421835899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.421878099 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.421899080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.421940088 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.421943903 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.421971083 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.421989918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.430404902 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.430437088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.430474997 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.430480957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.430526972 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.475954056 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.475979090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.476044893 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.476052046 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.476094961 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.507322073 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.507339001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.507461071 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.507468939 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.507499933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.507606983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.507622957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.507675886 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.507682085 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.507724047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.507838011 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.507853985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.507916927 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.507921934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.507971048 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.508172989 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.508196115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.508256912 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.508261919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.508308887 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.508563995 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.508582115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.508625984 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.508631945 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.508657932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.508673906 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.517309904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.517337084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.517379999 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.517386913 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.517412901 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.517424107 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.562623978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.562650919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.562779903 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.562803030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.562844992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.596126080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.596143007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.596326113 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.596359968 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.596467972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.596489906 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.596532106 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.596539021 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.596550941 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.596575975 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.596976995 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.597002029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.597053051 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.597065926 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.597099066 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.597121000 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.597403049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.597419024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.597469091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.597481966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.597511053 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.597533941 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.597568989 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.597589016 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.597600937 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.597620964 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.597671032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.597685099 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.597727060 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.597733974 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.599011898 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.603945017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.603977919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.604057074 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.604063988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.606944084 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.649521112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.649585009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.649638891 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.649645090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.649672985 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.649696112 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.682969093 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.682986975 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.683094025 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.683099985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.683137894 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.683278084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.683294058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.683343887 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.683348894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.683414936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.683434963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.683471918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.683478117 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.683495998 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.683520079 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.683832884 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.683847904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.683907032 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.683912039 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.684079885 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.684098005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.684139967 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.684145927 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.684170008 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.684192896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.684475899 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.684489012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.684544086 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.684549093 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.684741974 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.690671921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.690687895 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.690745115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.690752029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.690936089 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.736323118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.736337900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.736413002 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.736419916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.738929033 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.769812107 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.769829988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.769908905 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.769916058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.770200014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.770225048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.770265102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.770270109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.770298004 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.770327091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.770607948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.770623922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.770807981 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.770812988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.770849943 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.770893097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.770908117 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.770948887 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.770953894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.770972967 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.770987988 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.771101952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.771115065 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.771153927 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.771159887 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.771188974 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.771210909 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.771354914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.771370888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.771423101 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.771429062 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.773927927 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.777559996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.777576923 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.777637959 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.777643919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.778023005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.823055983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.823071003 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.823133945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.823141098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.823690891 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.856612921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.856626987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.856705904 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.856713057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.856751919 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.857079983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.857101917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.857147932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.857158899 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.857170105 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.857328892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.857343912 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.857381105 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.857387066 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.857403994 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.857429028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.857541084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.857553005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.857609034 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.857614994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.857845068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.857862949 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.857870102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.857873917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.857913017 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.857934952 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.858202934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.858215094 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.858277082 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.858282089 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.858524084 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.866039038 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.866054058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.866134882 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.866141081 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.866559982 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.910891056 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.910906076 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.910994053 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.911000967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.911729097 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.944498062 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.944514990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.944565058 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.944571018 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.944597006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.944614887 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.944825888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.944839954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.944880962 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.944885969 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.944914103 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.944921970 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.945328951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.945346117 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.945380926 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.945385933 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.945415020 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.945432901 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.945888996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.945909023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.945957899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.945964098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.946227074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.946244001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.946289062 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.946296930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.946320057 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.946341991 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.946577072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.946598053 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.946629047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.946634054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.946660995 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.946681023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.952258110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.952271938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.952377081 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.952382088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.952897072 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.996743917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.996767044 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.996818066 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.996824980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:09.996856928 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:09.996876001 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.030369043 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.030384064 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.030483007 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.030488014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.030599117 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.030615091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.030669928 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.030677080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.030935049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.030946970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.031008005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.031014919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.031075001 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.031323910 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.031344891 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.031397104 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.031402111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.031650066 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.031666040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.031711102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.031716108 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.031922102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.031940937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.031969070 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.031975031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.032007933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.032030106 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.038157940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.038172007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.038239002 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.038244009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.038537025 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.083734989 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.083750010 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.083873034 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.083878040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.084542036 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.117389917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.117409945 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.117465973 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.117470980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.117517948 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.117578983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.117594957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.117644072 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.117652893 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.117662907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.117705107 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.117793083 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.117813110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.117861032 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.117866993 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.117944002 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.118170023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.118184090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.118243933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.118247986 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.118351936 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.118550062 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.118563890 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.118619919 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.118628979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.118649006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.118669033 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.118731976 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.118745089 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.118789911 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.118796110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.118829012 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.125118971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.125133038 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.125200033 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.125205994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.125395060 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.170655012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.170672894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.170741081 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.170747995 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.170787096 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.204277992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.204294920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.204385042 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.204391956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.204441071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.204449892 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.204452991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.204485893 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.204505920 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.204511881 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.204539061 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.204557896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.204790115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.204804897 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.204864979 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.204871893 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.205087900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.205104113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.205141068 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.205147028 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.205171108 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.205192089 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.205492020 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.205504894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.205558062 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.205562115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.205688000 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.205704927 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.205746889 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.205754042 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.205768108 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.205796957 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.211971045 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.211986065 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.212066889 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.212073088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.212711096 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.257519960 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.257545948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.257680893 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.257688046 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.257726908 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.291146040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.291162968 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.291271925 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.291277885 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.291321993 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.291398048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.291419983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.291465998 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.291472912 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.291709900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.291729927 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.291769981 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.291774988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.291785955 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.291819096 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.291994095 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.292020082 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.292049885 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.292054892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.292074919 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.292119980 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.292347908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.292362928 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.292419910 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.292426109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.292531967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.292551041 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.292584896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.292589903 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.292613983 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.292644978 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.298861980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.298882961 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.298983097 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.298989058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.299026966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.344491005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.344506025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.344748974 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.344748974 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.344754934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.344894886 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.378012896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.378020048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.378220081 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.378227949 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.378273964 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.378350973 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.378366947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.378540039 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.378549099 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.378582954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.378602028 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.378644943 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.378649950 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.378667116 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.378698111 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.378885984 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.378901005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.378966093 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.378971100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.379057884 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.379075050 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.379111052 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.379120111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.379141092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.379168034 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.379487991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.379501104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.379559994 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.379565001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.379786968 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.385685921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.385714054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.385766983 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.385772943 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.385786057 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.386152983 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.431345940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.431360960 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.431488991 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.431495905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.431540966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.464785099 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.464799881 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.464864969 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.464871883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.465080023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.465095997 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.465150118 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.465154886 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.465351105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.465363979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.465425968 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.465432882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.465457916 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.465496063 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.465761900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.465779066 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.465838909 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.465845108 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.465857029 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.465883970 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.466084957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.466099024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.466156006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.466161966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.466394901 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.466397047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.466407061 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.466442108 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.466454983 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.466460943 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.466492891 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.466509104 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.472477913 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.472493887 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.472553015 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.472558022 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.472641945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.518028975 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.518050909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.518122911 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.518127918 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.518167973 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.551712990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.551727057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.551803112 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.551810026 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.551863909 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.551949978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.551963091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.552031040 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.552036047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.552073002 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.552201033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.552217007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.552284956 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.552290916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.552493095 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.552516937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.552544117 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.552552938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.552563906 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.552598953 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.552845001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.552859068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.552905083 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.552908897 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.552927017 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.553327084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.553342104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.553364992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.553369045 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.553394079 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.553423882 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.559345961 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.559364080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.559422970 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.559427977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.559446096 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.559459925 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.604947090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.604965925 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.605017900 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.605021954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.605060101 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.638627052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.638648033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.638719082 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.638725996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.638757944 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.638880968 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.638895035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.638967037 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.638972998 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.639012098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.639178991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.639193058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.639245033 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.639250040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.639295101 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.639498949 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.639513016 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.639554024 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.639559984 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.639600039 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.639833927 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.639848948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.639900923 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.639906883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.639939070 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.640172958 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.640187025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.640239954 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.640245914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.640285015 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.646172047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.646184921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.646353960 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.646359921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.646400928 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.691802979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.691818953 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.691946983 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.691960096 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.692003965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.725550890 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.725567102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.725651026 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.725662947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.725703955 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.725807905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.725822926 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.725872040 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.725878000 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.725918055 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.726075888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.726093054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.726141930 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.726147890 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.726186991 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.726414919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.726429939 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.726478100 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.726484060 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.726524115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.726677895 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.726692915 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.726739883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.726746082 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.726780891 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.727076054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.727108955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.727152109 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.727158070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.727186918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.727205992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.733083010 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.733098030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.733181953 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.733186960 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.733222008 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.778603077 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.778618097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.778686047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.778693914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.778734922 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.812453985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.812469006 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.812568903 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.812598944 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.812650919 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.812752962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.812767029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.812819004 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.812824965 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.812865973 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.813061953 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.813086033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.813117027 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.813122988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.813149929 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.813163996 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.813373089 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.813394070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.813429117 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.813433886 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.813469887 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.813479900 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.813647032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.813661098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.813725948 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.813731909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.813769102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.813922882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.813936949 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.814003944 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.814009905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.814049006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.822240114 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.822254896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.822325945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.822330952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.822382927 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.865631104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.865647078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.865745068 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.865762949 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.865813971 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.899482965 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.899498940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.899611950 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.899645090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.899646997 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.899661064 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.899713993 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.899935961 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.899949074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.899997950 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.900003910 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.900039911 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.900226116 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.900238991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.900283098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.900288105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.900330067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.900582075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.900605917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.900643110 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.900648117 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.900676012 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.900690079 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.900821924 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.900839090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.900893927 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.900898933 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.900938034 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.906667948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.906682014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.906769037 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.906774044 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.906817913 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.952366114 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.952389002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.952435017 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.952440977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.952490091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.986330032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.986344099 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.986440897 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.986447096 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.986458063 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.986476898 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.986493111 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.986496925 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.986526966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.986550093 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.986737967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.986751080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.986802101 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.986807108 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.986843109 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.987091064 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.987106085 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.987158060 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.987164021 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.987200975 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.987515926 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.987539053 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.987575054 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.987579107 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.987605095 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.987616062 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.987651110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.987664938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.987709045 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.987714052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.987751961 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.993458986 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.993473053 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.993534088 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:10.993539095 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:10.993576050 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.039184093 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.039199114 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.039345980 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.039361000 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.039403915 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.073074102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.073095083 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.073205948 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.073213100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.073249102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.073559999 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.073579073 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.073631048 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.073635101 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.073674917 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.073921919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.073935986 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.073992014 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.073997974 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.074035883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.074229956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.074249983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.074296951 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.074302912 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.074341059 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.074508905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.074522972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.074568033 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.074573994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.074609995 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.074661970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.074695110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.074712992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.074717999 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.074748039 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.074769020 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.080440044 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.080454111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.080544949 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.080549955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.080583096 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.126123905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.126143932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.126198053 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.126204967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.126251936 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.159945965 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.159965038 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.160054922 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.160060883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.160100937 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.160129070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.160144091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.160195112 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.160200119 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.160229921 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.160511017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.160525084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.160569906 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.160578012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.160619020 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.160775900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.160790920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.160835981 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.160844088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.160883904 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.161133051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.161147118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.161184072 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.161189079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.161214113 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.161243916 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.161510944 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.161535025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.161560059 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.161564112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.161587954 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.161607981 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.167160034 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.167176008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.167248964 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.167256117 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.167294025 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.212879896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.212908030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.212979078 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.212986946 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.213027000 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.255486965 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.255506039 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.255577087 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.255584002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.255631924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.255702972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.255717993 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.255762100 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.255768061 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.255779028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.255801916 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.255987883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.256001949 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.256048918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.256053925 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.256088972 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.256257057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.256273031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.256310940 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.256314993 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.256337881 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.256342888 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.256359100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.256361008 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.256367922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.256386042 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.256421089 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.256606102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.256618023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.256664991 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.256671906 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.256722927 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.256926060 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.256939888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.256983995 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.256989002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.257026911 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.299752951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.299772978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.299880028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.299885988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.299932003 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.334047079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.334063053 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.334142923 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.334148884 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.334189892 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.334440947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.334455013 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.334490061 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.334494114 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.334526062 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.334563017 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.334661961 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.334676027 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.334713936 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.334718943 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.334748983 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.334758043 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.334961891 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.334975004 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.335010052 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.335014105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.335038900 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.335058928 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.335412025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.335427046 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.335474968 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.335479975 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.335522890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.342314005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.342328072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.342401028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.342406988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.342468023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.342628002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.342643976 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.342684984 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.342690945 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.342717886 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.342724085 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.386729002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.386744976 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.386817932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.386825085 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.386869907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.420980930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.421001911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.421047926 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.421053886 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.421102047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.421314955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.421330929 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.421375990 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.421380997 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.421435118 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.421475887 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.421500921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.421526909 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.421530962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.421559095 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.421571016 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.421874046 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.421890020 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.421935081 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.421940088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.421993017 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.422123909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.422137976 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.422169924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.422173977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.422208071 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.422216892 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.429117918 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.429131985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.429199934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.429204941 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.429240942 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.429361105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.429377079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.429425001 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.429431915 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.429475069 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.473483086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.473496914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.473551989 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.473561049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.473598957 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.507884979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.507899046 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.507968903 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.507973909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.508017063 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.508021116 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.508029938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.508057117 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.508068085 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.508084059 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.508086920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.508109093 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.508137941 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.508332968 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.508347988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.508392096 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.508398056 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.508435965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.508691072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.508704901 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.508738995 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.508743048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.508769989 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.508788109 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.508971930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.508985043 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.509023905 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.509030104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.509067059 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.515938997 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.515952110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.516005993 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.516011000 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.516047955 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.516130924 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.516144991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.516177893 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.516182899 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.516208887 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.516222954 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.560398102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.560415030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.560460091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.560554028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.560558081 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.560599089 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.594615936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.594631910 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.594685078 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.594688892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.594727993 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.594892025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.594906092 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.594954967 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.594959974 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.595019102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.595196962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.595210075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.595244884 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.595247984 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.595287085 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.595330954 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.595529079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.595549107 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.595575094 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.595578909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.595609903 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.595638037 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.595824003 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.595846891 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.595875025 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.595880032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.595917940 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.595937014 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.602823019 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.602837086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.602893114 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.602897882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.602931976 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.603117943 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.603135109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.603162050 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.603167057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.603207111 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.603219986 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.647388935 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.647404909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.647443056 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.647500038 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.647506952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.647552967 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.681629896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.681644917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.681691885 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.681696892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.681747913 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.682014942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.682029963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.682080984 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.682085991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.682120085 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.682538033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.682550907 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.682598114 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.682604074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.682634115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.682648897 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.682754993 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.682768106 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.682800055 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.682804108 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.682837963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.682847023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.683013916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.683027983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.683060884 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.683065891 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.683092117 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.683120012 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.689757109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.689785957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.689809084 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.689814091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.689853907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.690103054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.690135002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.690176010 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.690181017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.690192938 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.690220118 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.734281063 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.734298944 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.734419107 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.734425068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.734473944 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.768434048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.768448114 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.768570900 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.768575907 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.768620014 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.768764973 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.768779039 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.768836021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.768841028 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.768883944 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.769018888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.769036055 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.769083977 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.769089937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.769129992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.769561052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.769575119 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.769628048 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.769629955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.769642115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.769670963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.769679070 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.769705057 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.769710064 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.769737005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.769753933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.776463032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.776474953 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.776557922 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.776566982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.776606083 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.776808977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.776824951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.776879072 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.776885033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.776921988 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.821165085 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.821182966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.821302891 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.821309090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.821360111 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.855451107 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.855468035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.855590105 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.855596066 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.855642080 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.855730057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.855747938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.855798960 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.855803967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.855844975 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.856010914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.856024981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.856079102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.856084108 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.856122017 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.856226921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.856240034 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.856292009 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.856297970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.856334925 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.856635094 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.856647968 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.856687069 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.856692076 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.856715918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.856734991 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.863343954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.863363981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.863435030 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.863440990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.863466978 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.863481045 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.863719940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.863739967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.863792896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.863799095 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.863826990 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.863845110 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.908011913 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.908030033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.908124924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.908138037 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.908176899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.942327976 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.942342997 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.942435026 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.942442894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.942487955 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.942596912 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.942611933 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.942657948 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.942663908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.942702055 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.942890882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.942905903 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.942960024 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.942964077 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.943001986 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.943176985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.943192005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.943244934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.943250895 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.943286896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.943571091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.943608999 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.943624973 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.943629980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.943656921 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.943672895 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.950202942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.950217009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.950275898 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.950280905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.950320959 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.950485945 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.950499058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.950548887 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.950552940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.950592995 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.994857073 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.994873047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.994955063 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:11.994961977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:11.994998932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.029203892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.029222965 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.029301882 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.029309034 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.029350996 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.029581070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.029596090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.029649019 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.029654026 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.029694080 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.029962063 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.029975891 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.030030966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.030035973 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.030075073 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.030225992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.030240059 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.030286074 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.030291080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.030328989 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.030352116 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.030374050 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.030410051 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.030415058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.030442953 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.030462980 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.037137985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.037154913 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.037342072 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.037349939 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.037389994 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.037448883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.037463903 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.037514925 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.037520885 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.037556887 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.081633091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.081650019 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.081784010 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.081794024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.081837893 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.116242886 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.116260052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.116322994 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.116331100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.116370916 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.116611004 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.116626978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.116677999 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.116683006 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.116715908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.116723061 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.116727114 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.116745949 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.116765976 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.116770983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.116801023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.116810083 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.116981030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.116996050 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.117033958 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.117038012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.117083073 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.117096901 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.117393017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.117407084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.117450953 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.117456913 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.117499113 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.123945951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.123960972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.124001026 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.124006987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.124048948 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.124056101 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.124294996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.124310017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.124346018 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.124350071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.124372959 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.124393940 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.168490887 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.168509007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.168577909 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.168584108 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.168608904 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.168631077 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.202874899 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.202893019 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.202948093 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.202953100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.203005075 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.203011990 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.203160048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.203178883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.203258038 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.203264952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.203305006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.203583002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.203599930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.203638077 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.203641891 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.203668118 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.203689098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.203783035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.203799009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.203843117 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.203849077 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.203887939 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.204193115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.204206944 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.204243898 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.204247952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.204277039 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.204291105 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.210731983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.210747957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.210788965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.210793972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.210834026 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.211086988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.211112976 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.211141109 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.211146116 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.211168051 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.211186886 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.255960941 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.255975008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.256042004 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.256050110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.256105900 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.289748907 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.289764881 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.289818048 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.289824963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.289874077 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.289989948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.290005922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.290052891 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.290056944 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.290086985 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.290106058 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.290337086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.290368080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.290394068 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.290399075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.290426016 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.290441036 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.290632963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.290648937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.290698051 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.290703058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.290743113 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.290743113 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.290921926 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.290940046 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.291002989 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.291014910 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.291062117 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.297576904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.297594070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.297641039 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.297645092 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.297678947 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.297693014 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.297966957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.297981977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.298044920 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.298051119 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.298084021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.342916965 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.342931032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.342981100 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.342987061 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.343034029 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.377486944 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.377510071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.377553940 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.377567053 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.377609968 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.377846003 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.377862930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.377906084 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.377912998 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.377959013 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.378012896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.378026962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.378062963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.378068924 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.378088951 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.378107071 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.378297091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.378310919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.378356934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.378361940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.378370047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.378386974 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.378392935 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.378396034 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.378421068 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.378452063 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.384394884 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.384408951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.384453058 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.384459972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.384493113 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.384743929 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.384757996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.384795904 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.384802103 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.384841919 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.429789066 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.429822922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.429862022 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.429868937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.429922104 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.463630915 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.463648081 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.463821888 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.463844061 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.463892937 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.463913918 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.463938951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.463973045 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.463978052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.464006901 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.464015007 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.464260101 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.464273930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.464329958 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.464335918 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.464375973 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.464592934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.464607954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.464652061 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.464657068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.464695930 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.464826107 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.464843988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.464893103 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.464898109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.464925051 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.464946032 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.471364975 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.471379995 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.471451044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.471457005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.471498013 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.471664906 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.471679926 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.471733093 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.471738100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.471775055 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.516664982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.516680002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.516778946 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.516787052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.516844988 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.550370932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.550391912 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.550503016 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.550509930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.550549030 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.550736904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.550751925 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.550801039 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.550806046 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.550843954 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.550936937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.550952911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.550997019 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.551002026 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.551028967 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.551055908 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.551268101 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.551282883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.551327944 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.551331997 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.551367044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.551373005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.551639080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.551652908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.551709890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.551714897 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.551752090 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.558026075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.558039904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.558226109 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.558231115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.558279991 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.558367968 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.558382988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.558434963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.558439016 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.558557987 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.603562117 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.603594065 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.603770018 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.603785038 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.604451895 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.637259007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.637276888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.637376070 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.637386084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.637500048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.637517929 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.637562990 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.637568951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.637579918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.637614012 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.637787104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.637799025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.637861013 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.637866974 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.638139009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.638154984 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.638209105 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.638216019 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.638432980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.638446093 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.638490915 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.638500929 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.638525963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.638550997 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.644947052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.644961119 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.645026922 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.645032883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.645267963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.645317078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.645332098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.645382881 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.645389080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.645612955 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.690808058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.690828085 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.690902948 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.690915108 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.691030025 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.724185944 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.724201918 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.724289894 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.724299908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.724435091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.724452972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.724488020 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.724493980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.724512100 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.724540949 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.724730968 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.724744081 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.724797964 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.724803925 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.724891901 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.724996090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.725008965 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.725070000 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.725081921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.725164890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.725363970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.725378036 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.725431919 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.725436926 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.725596905 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.731823921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.731839895 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.731911898 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.731921911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.731965065 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.732224941 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.732239008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.732290030 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.732295990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.732347965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.777260065 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.777282000 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.777514935 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.777540922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.778326035 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.811079025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.811103106 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.811175108 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.811187029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.811199903 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.811224937 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.811263084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.811275959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.811310053 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.811319113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.811347008 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.811361074 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.811512947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.811527967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.811583996 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.811589003 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.811939001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.811959028 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.811997890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.812005043 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.812017918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.812047005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.812189102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.812201977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.812256098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.812262058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.812566996 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.818636894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.818658113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.818732023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.818743944 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.818923950 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.818938971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.818998098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.819005966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.819262981 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.864089966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.864106894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.864206076 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.864222050 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.864862919 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.897933960 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.897953033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.898019075 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.898026943 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.898190022 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.898251057 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.898257017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.898269892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.898319960 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.898585081 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.898601055 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.898647070 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.898657084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.898813963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.898832083 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.898866892 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.898873091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.898902893 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.898926973 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.899091005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.899113894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.899142981 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.899147987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.899164915 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.899194002 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.905483007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.905498981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.905560970 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.905565977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.905807018 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.905813932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.905817032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.905843973 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.905853987 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.905859947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.905886889 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.905894041 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.950984955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.950998068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.951097965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.951103926 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.951702118 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.984623909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.984639883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.984714031 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.984720945 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.984899998 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.984985113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.984998941 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.985054016 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.985059023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.985239029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.985255957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.985294104 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.985302925 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.985327005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.985348940 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.985630035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.985644102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.985693932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.985698938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.985855103 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.986016035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.986032963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.986084938 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.986090899 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.986175060 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.992224932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.992239952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.992321014 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.992326975 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.992358923 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.992636919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.992650032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.992698908 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:12.992703915 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:12.992894888 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.037817001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.037831068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.037903070 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.037909031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.040926933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.071511030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.071526051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.071651936 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.071659088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.071688890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.071777105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.071790934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.071846962 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.071851969 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.072185993 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.072207928 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.072242022 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.072247028 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.072267056 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.072293997 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.072422981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.072437048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.072489023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.072494030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.072686911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.072705984 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.072741985 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.072750092 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.072778940 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.072799921 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.079063892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.079077005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.079193115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.079201937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.079240084 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.079443932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.079457998 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.079502106 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.079505920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.080925941 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.124625921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.124641895 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.124711037 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.124726057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.124780893 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.158395052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.158420086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.158468962 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.158474922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.158510923 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.158526897 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.158679008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.158691883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.158752918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.158757925 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.158889055 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.158971071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.158991098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.159049988 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.159055948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.159123898 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.159405947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.159420013 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.159471989 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.159476995 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.159506083 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.159512997 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.159662962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.159677982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.159724951 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.159729004 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.159759998 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.159775019 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.166068077 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.166081905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.166157007 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.166162968 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.166172981 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.166218996 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.166321993 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.166337013 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.166378021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.166383028 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.166443110 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.211575985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.211596012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.211658001 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.211673021 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.211898088 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.255147934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.255167961 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.255220890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.255233049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.255309105 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.255403996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.255418062 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.255465031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.255475998 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.255486965 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.255517960 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.255552053 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.255822897 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.255842924 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.255878925 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.255883932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.255893946 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.255901098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.255911112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.255929947 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.255934954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.255945921 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.255960941 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.255989075 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.256223917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.256237030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.256273985 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.256278992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.256299973 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.256320000 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.256359100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.256375074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.256416082 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.256421089 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.256658077 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.298343897 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.298366070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.298424959 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.298435926 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.298475027 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.342626095 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.342639923 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.342689037 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.342696905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.342708111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.342714071 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.342725992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.342745066 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.342750072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.342778921 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.342803001 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.343148947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.343163013 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.343211889 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.343216896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.343298912 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.343828917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.343842983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.343909025 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.343913078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.343964100 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.344026089 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.344039917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.344093084 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.344098091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.344172955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.344181061 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.344183922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.344208956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.344214916 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.344252110 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.344255924 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.344280958 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.344309092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.344456911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.344474077 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.344527960 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.344533920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.344763994 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.385214090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.385232925 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.385293961 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.385318041 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.385802984 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.429228067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.429250002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.429414034 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.429421902 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.429445028 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.429465055 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.429466009 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.429478884 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.429503918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.429541111 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.429770947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.429785013 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.429835081 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.429841042 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.429848909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.429866076 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.429894924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.429898977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.429925919 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.429953098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.430089951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.430103064 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.430138111 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.430143118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.430155993 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.430181026 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.430308104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.430322886 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.430365086 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.430368900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.430393934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.430409908 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.430571079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.430587053 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.430624008 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.430629015 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.430655003 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.430664062 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.472012043 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.472028971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.472120047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.472132921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.472683907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.515918970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.515937090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.516134024 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.516144991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.516247988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.516268015 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.516311884 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.516318083 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.516336918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.516364098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.516501904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.516515017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.516573906 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.516578913 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.516866922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.516884089 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.516911030 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.516916037 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.516944885 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.516980886 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.517159939 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.517174006 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.517235041 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.517240047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.517427921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.517445087 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.517503977 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.517509937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.517550945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.517781019 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.517795086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.517848015 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.517853022 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.518091917 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.558912039 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.558929920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.558995962 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.559003115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.559406996 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.603626013 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.603673935 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.603738070 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.603744984 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.603784084 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.603842020 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.603857040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.603902102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.603908062 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.604650974 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.604667902 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.604722023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.604727030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.604759932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.604783058 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.605021954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.605036020 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.605087996 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.605093002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.605117083 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.605132103 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.605433941 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.605468035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.605506897 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.605511904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.605539083 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.605559111 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.605961084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.605977058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.606045008 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.606050014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.606463909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.606481075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.606533051 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.606539011 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.606563091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.606587887 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.648617029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.648637056 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.648706913 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.648715019 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.648904085 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.690069914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.690084934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.690143108 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.690149069 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.690362930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.690381050 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.690413952 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.690419912 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.690445900 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.690471888 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.690639019 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.690653086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.690691948 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.690697908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.690716028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.690742016 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.690951109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.690967083 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.691015005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.691020966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.691365004 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.691385031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.691426992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.691431999 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.691458941 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.691483021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.691562891 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.691591024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.691608906 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.691612959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.691637039 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.691660881 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.691907883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.691930056 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.691987991 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.691992998 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.692903996 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.735090971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.735105991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.735194921 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.735203981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.736927986 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.776987076 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.777000904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.777106047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.777121067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.777146101 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.777160883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.777167082 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.777200937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.777211905 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.777218103 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.777259111 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.777460098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.777476072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.777534962 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.777540922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.777828932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.777847052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.777884960 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.777890921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.777928114 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.777944088 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.778101921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.778116941 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.778163910 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.778170109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.778353930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.778376102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.778413057 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.778419018 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.778445959 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.778470993 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.778692961 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.778707027 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.778759003 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.778764963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.778911114 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.821980953 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.821996927 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.822099924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.822109938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.822151899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.863687992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.863704920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.863768101 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.863775015 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.864077091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.864093065 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.864135027 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.864140987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.864167929 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.864191055 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.864245892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.864258051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.864309072 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.864315033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.864567041 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.864583969 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.864619017 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.864624023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.864646912 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.864670038 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.864870071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.864893913 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.864948988 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.864953995 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.865123987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.865140915 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.865190983 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.865196943 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.865206003 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.865237951 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.865520954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.865534067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.865585089 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.865591049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.866426945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.909037113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.909050941 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.909256935 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.909264088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.909305096 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.950547934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.950562954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.950635910 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.950643063 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.950687885 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.950903893 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.950917959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.950965881 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.950969934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.951241970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.951257944 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.951299906 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.951307058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.951510906 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.951529980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.951566935 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.951575994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.951601028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.951630116 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.951926947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.951945066 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.951980114 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.951984882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.951994896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.952016115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.952116013 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.952131987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.952164888 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.952169895 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.952193022 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.952212095 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.952533960 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.952548981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.952586889 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.952591896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.952617884 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.952639103 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.995889902 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.995903969 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.996067047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:13.996074915 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:13.996114969 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.037437916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.037451029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.037620068 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.037625074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.037667036 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.037805080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.037818909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.037861109 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.037868023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.037885904 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.037903070 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.037986040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.038001060 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.038047075 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.038052082 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.038388968 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.038404942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.038440943 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.038458109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.038490057 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.038490057 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.038557053 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.038569927 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.038618088 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.038623095 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.038851976 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.038882971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.038896084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.038945913 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.038952112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.040903091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.042098045 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.042113066 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.042150021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.042155027 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.042176008 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.042193890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.082719088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.082732916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.082921028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.082927942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.082973003 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.129106045 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.129123926 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.129354000 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.129385948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.129435062 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.148423910 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.148441076 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.148648024 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.148660898 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.148704052 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.163125992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.163146973 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.163207054 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.163218021 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.163388014 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.177659988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.177675962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.177740097 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.177750111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.177778006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.177788973 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.196846962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.196861029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.196943045 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.196953058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.201014042 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.216289043 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.216305017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.216375113 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.216382027 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.216425896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.231056929 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.231070042 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.231117964 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.231127977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.231169939 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.231189013 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.245686054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.245702028 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.245765924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.245774031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.247226954 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.265177011 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.265224934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.265242100 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.265248060 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.265299082 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.265299082 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.284596920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.284614086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.284668922 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.284677029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.284744978 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.294655085 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.294672012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.294719934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.294728041 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.294763088 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.294763088 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.294811964 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.294826031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.294852972 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.294858932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.294881105 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.294898033 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.294991970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.295010090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.295039892 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.295046091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.295068979 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.295082092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.295279980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.295295000 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.295329094 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.295334101 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.295351028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.295373917 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.295439005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.295455933 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.295497894 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.295506001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.295520067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.295542955 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.295702934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.295718908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.295751095 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.295758009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.295775890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.295795918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.297852993 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.297868013 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.297921896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.297929049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.297988892 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.298175097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.298197031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.298228979 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.298234940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.298261881 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.298279047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.298465014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.298480988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.298530102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.298537016 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.298563004 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.298839092 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.298857927 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.298871994 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.298877954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.298890114 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.298932076 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.299166918 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.299184084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.299231052 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.299237967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.299326897 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.299370050 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.299381971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.299431086 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.299438953 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.299532890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.299669981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.299684048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.299712896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.299719095 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.299752951 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.299776077 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.343210936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.343240976 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.343280077 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.343287945 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.343344927 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.343344927 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.385039091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.385054111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.385097027 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.385103941 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.385162115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.385162115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.385525942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.385540962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.385613918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.385621071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.385755062 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.385776043 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.385778904 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.385786057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.385808945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.385847092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.386013985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.386027098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.386070013 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.386076927 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.386090994 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.386178970 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.386329889 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.386343956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.386377096 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.386383057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.386404991 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.386527061 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.386543989 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.386554956 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.386560917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.386576891 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.386611938 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.386749983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.386764050 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.386799097 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.386806011 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.386831999 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.386846066 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.430016994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.430031061 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.430073023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.430092096 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.430111885 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.430133104 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.471662998 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.471683979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.471769094 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.471786022 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.471829891 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.471847057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.471879959 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.471888065 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.471903086 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.472131968 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.472143888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.472167015 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.472174883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.472191095 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.472223043 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.472399950 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.472414017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.472467899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.472484112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.472498894 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.472521067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.472882032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.472902060 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.472940922 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.472946882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.472956896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.472973108 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.472975016 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.472987890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.472995043 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.473026037 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.473046064 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.473520994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.473532915 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.473601103 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.473609924 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.473650932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.516875029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.516891956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.516957998 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.516968012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.517020941 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.558479071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.558496952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.558568001 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.558578014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.558610916 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.558621883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.558689117 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.558706045 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.558752060 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.558760881 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.558810949 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.558931112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.558950901 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.558980942 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.558986902 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.559021950 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.559031963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.559225082 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.559242964 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.559289932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.559297085 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.559336901 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.559336901 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.559448957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.559463024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.559497118 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.559503078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.559536934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.559550047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.559695005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.559712887 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.559747934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.559753895 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.559787035 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.559797049 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.560237885 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.560252905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.560288906 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.560295105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.560326099 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.560334921 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.603866100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.603882074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.603945017 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.603951931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.604146004 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.647809982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.647828102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.647888899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.647896051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.647932053 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.648053885 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.648071051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.648104906 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.648111105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.648138046 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.648154974 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.648248911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.648262024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.648298025 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.648335934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.648339987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.648384094 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.648457050 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.648473024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.648519993 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.648525000 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.648555040 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.648555040 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.648734093 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.648749113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.648794889 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.648799896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.648816109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.648835897 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.648869038 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.648874998 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.648895979 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.648921013 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.649106979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.649122000 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.649185896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.649192095 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.649307966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.690571070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.690587997 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.690648079 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.690654993 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.690754890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.734534979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.734551907 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.734638929 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.734644890 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.734713078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.734731913 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.734766006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.734771013 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.734797001 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.734817028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.734977961 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.734989882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.735025883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.735029936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.735049963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.735073090 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.735234976 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.735249043 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.735277891 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.735282898 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.735308886 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.735318899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.735506058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.735518932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.735562086 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.735568047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.735763073 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.735780001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.735820055 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.735826015 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.735846996 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.735868931 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.736087084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.736100912 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.736150980 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.736155987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.736917973 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.777591944 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.777609110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.777695894 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.777704000 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.780930996 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.821362019 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.821392059 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.821430922 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.821446896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.821464062 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.821480989 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.821543932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.821558952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.821607113 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.821614981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.821933985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.821954966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.821990967 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.821997881 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.822025061 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.822048903 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.822237015 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.822252035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.822308064 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.822314024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.822424889 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.822458029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.822483063 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.822488070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.822513103 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.822537899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.822701931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.822715998 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.822757959 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.822762966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.822911978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.822937965 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.822961092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.822968006 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.822993994 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.823020935 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.867484093 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.867501974 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.867578983 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.867585897 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.867700100 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.908221006 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.908236980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.908293009 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.908298016 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.908459902 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.908477068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.908492088 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.908497095 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.908508062 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.908540010 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.908638954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.908652067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.908699989 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.908704996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.908801079 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.908965111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.908979893 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.909032106 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.909037113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.909099102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.909240961 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.909260988 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.909298897 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.909307003 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.909328938 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.909347057 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.909557104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.909573078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.909616947 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.909621954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.909648895 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.909674883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.909744978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.909759998 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.909806967 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.909812927 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.912659883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.954231024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.954245090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.954324961 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.954333067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.955101967 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.995045900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.995062113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.995242119 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.995248079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.995270967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.995287895 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.995291948 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.995305061 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.995330095 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.995357990 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.995501041 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.995544910 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.995564938 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.995569944 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.995580912 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.995600939 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.995615959 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.995794058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.995809078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.995860100 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.995865107 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.996049881 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.996068001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.996103048 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.996108055 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.996124983 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.996150970 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.996309042 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.996323109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.996383905 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.996388912 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.996601105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.996613979 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.996618032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.996633053 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.996649027 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.996665955 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.996671915 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:14.996699095 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:14.996722937 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.041111946 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.041124105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.041275978 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.041281939 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.041332960 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.081842899 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.081859112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.081938982 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.081944942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.082078934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.082096100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.082246065 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.082252026 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.082295895 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.082340956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.082353115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.082405090 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.082410097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.082643032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.082664967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.082701921 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.082710981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.082736969 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.082760096 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.082887888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.082904100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.082951069 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.082954884 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.082982063 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.083003044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.083148956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.083163023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.083216906 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.083223104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.083410025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.083427906 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.083456993 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.083462000 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.083483934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.083508015 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.128132105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.128148079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.128237963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.128245115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.128403902 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.168869019 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.168885946 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.168965101 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.168973923 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.168994904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.169013023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.169063091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.169070005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.169244051 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.169615030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.169645071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.169688940 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.169694901 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.169720888 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.169735909 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.170039892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.170053959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.170098066 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.170103073 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.170135975 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.170141935 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.170157909 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.170159101 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.170171022 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.170183897 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.170217991 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.170308113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.170322895 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.170380116 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.170384884 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.170433044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.170572996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.170587063 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.170641899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.170648098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.170852900 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.214999914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.215025902 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.215080976 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.215095997 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.215128899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.215148926 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.257637978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.257653952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.257733107 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.257747889 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.257944107 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.258003950 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.258024931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.258070946 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.258075953 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.258119106 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.258188009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.258228064 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.258275032 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.258280993 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.258308887 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.258320093 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.258331060 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.258335114 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.258356094 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.258371115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.258374929 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.258394003 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.258426905 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.258666039 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.258681059 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.258750916 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.258757114 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.258785009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.258802891 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.258836985 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.258842945 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.258868933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.258900881 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.259005070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.259018898 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.259078979 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.259084940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.259500980 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.301812887 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.301829100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.301901102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.301908970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.303688049 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.344568968 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.344583035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.344655037 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.344661951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.344695091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.344712019 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.344892979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.344907999 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.344958067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.344963074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.345040083 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.345057964 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.345089912 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.345094919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.345115900 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.345136881 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.345345020 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.345357895 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.345390081 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.345395088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.345413923 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.345433950 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.345561981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.345576048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.345640898 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.345647097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.345832109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.345848083 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.345885992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.345891953 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.345916986 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.345942020 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.346110106 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.346121073 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.346173048 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.346179008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.348933935 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.388804913 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.388818979 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.388983965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.388992071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.389034986 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.431510925 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.431531906 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.431583881 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.431590080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.431713104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.431729078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.431765079 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.431771994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.431786060 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.431818962 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.432038069 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.432050943 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.432104111 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.432110071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.432230949 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.432248116 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.432280064 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.432285070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.432312965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.432337999 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.432549000 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.432563066 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.432607889 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.432612896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.432781935 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.432800055 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.432847023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.432852030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.432882071 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.432888985 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.433130026 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.433141947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.433191061 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.433196068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.433223963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.433238029 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.475675106 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.475688934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.475737095 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.475744009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.475774050 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.475781918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.518384933 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.518402100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.518500090 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.518512964 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.518553019 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.518585920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.518600941 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.518646955 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.518654108 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.518896103 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.518913031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.518973112 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.518980980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.519108057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.519120932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.519165993 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.519171953 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.519196033 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.519223928 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.519438982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.519458055 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.519511938 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.519517899 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.519706011 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.519723892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.519767046 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.519773006 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.519799948 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.519821882 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.519954920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.519968033 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.520019054 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.520025015 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.520934105 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.562974930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.563004971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.563060045 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.563069105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.563108921 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.563117981 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.605299950 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.605319977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.605405092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.605413914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.605458021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.605534077 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.605550051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.605597973 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.605603933 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.605741024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.605761051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.605796099 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.605801105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.605818033 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.605848074 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.605952978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.605968952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.606018066 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.606021881 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.606247902 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.606265068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.606300116 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.606303930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.606329918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.606359005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.606481075 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.606518030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.606539965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.606544018 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.606559992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.606586933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.606828928 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.606849909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.606883049 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.606889009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.606986046 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.606986046 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.649981022 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.649998903 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.650064945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.650070906 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.650105000 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.692430973 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.692446947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.692512989 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.692518950 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.692553997 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.692712069 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.692734003 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.692770004 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.692775011 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.692790031 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.692811012 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.693203926 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.693219900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.693262100 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.693267107 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.693291903 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.693305969 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.693701029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.693716049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.693762064 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.693767071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.693794012 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.693804979 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.693938971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.693957090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.694003105 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.694008112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.694031954 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.694037914 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.694452047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.694468021 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.694514036 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.694519043 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.694617033 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.694803953 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.694824934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.694859028 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.694864035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.694888115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.694905043 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.736650944 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.736687899 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.736721992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.736730099 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.736779928 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.779194117 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.779208899 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.779300928 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.779308081 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.779629946 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.779647112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.779711962 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.779717922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.779952049 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.780112982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.780128002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.780181885 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.780188084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.780425072 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.780457973 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.780477047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.780508995 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.780514002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.780536890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.780543089 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.780775070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.780790091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.780843019 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.780848026 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.781074047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.781307936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.781322002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.781374931 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.781380892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.781605005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.781651974 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.781666994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.781709909 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.781714916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.781743050 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.781754017 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.823554993 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.823571920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.823667049 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.823673964 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.823714018 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.865776062 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.865793943 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.866007090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.866038084 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.866039038 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.866050005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.866139889 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.866266012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.866280079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.866344929 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.866350889 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.866564035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.866580963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.866624117 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.866627932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.866650105 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.866673946 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.866879940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.866894007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.866952896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.866959095 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.867127895 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.867149115 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.867202044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.867208958 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.867396116 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.867409945 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.867463112 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.867470026 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.867940903 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.910443068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.910468102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.910547018 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.910553932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.910969019 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.952605963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.952622890 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.952670097 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.952675104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.952699900 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.952716112 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.952877045 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.952903032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.952943087 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.952949047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.952975035 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.952989101 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.953182936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.953197956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.953264952 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.953270912 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.953387976 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.953408003 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.953444004 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.953449011 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.953459024 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.953494072 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.953759909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.953773022 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.953830004 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.953835964 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.953937054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.953963995 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.953990936 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.953996897 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.954022884 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.954047918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.954545975 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.954560995 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.954617977 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.954622984 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.954855919 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.997226954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.997241974 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.997303009 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:15.997309923 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:15.997358084 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.039479017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.039489031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.039714098 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.039721966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.039762974 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.039890051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.039906025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.039943933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.039948940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.039975882 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.039994001 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.040030003 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.040045977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.040081978 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.040086031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.040112972 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.040131092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.040252924 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.040267944 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.040304899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.040313959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.040332079 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.040354967 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.040513992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.040529966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.040571928 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.040576935 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.040602922 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.040608883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.040802002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.040817022 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.040855885 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.040859938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.040890932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.040931940 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.041481972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.041496992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.041568041 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.041573048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.041610003 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.084070921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.084088087 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.084136009 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.084142923 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.084562063 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.126390934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.126405954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.126476049 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.126482964 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.126607895 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.126624107 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.126673937 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.126679897 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.126780987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.126806974 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.126827955 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.126832962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.126859903 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.126884937 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.127100945 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.127114058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.127156019 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.127160072 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.127329111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.127348900 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.127360106 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.127372980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.127377033 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.127398014 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.127422094 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.127707958 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.127732992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.127757072 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.127762079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.127787113 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.127795935 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.128293037 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.128308058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.128357887 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.128364086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.128601074 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.171021938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.171057940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.171084881 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.171092987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.171132088 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.171156883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.213342905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.213376045 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.213413000 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.213419914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.213470936 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.213546991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.213562012 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.213618994 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.213624001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.213728905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.213735104 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.213747025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.213788033 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.213787079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.213809013 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.213813066 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.213849068 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.213872910 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.213973999 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.213989973 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.214039087 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.214045048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.214072943 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.214082003 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.214265108 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.214279890 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.214339018 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.214344025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.214406013 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.220086098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.220103025 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.220154047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.220202923 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.220207930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.220278978 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.220324039 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.220339060 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.220381021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.220386982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.220407009 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.220436096 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.257935047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.257953882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.258032084 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.258038044 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.258080959 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.300287962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.300304890 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.300379992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.300385952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.300436020 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.300632954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.300647020 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.300695896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.300700903 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.300760031 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.300779104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.300795078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.300832987 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.300838947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.300857067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.300873041 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.301269054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.301285028 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.301317930 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.301323891 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.301352978 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.301361084 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.301439047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.301459074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.301487923 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.301491976 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.301526070 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.301533937 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.307113886 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.307127953 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.307215929 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.307229042 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.307287931 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.307605982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.307620049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.307668924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.307677031 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.307758093 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.367892981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.367908001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.367964029 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.367976904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.368014097 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.387139082 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.387155056 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.387212038 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.387223005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.387257099 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.387264013 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.387269020 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.387296915 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.387305021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.387310982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.387339115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.387608051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.387628078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.387665033 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.387670040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.387690067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.387717009 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.387932062 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.387944937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.387989044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.387993097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.388051987 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.388138056 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.388151884 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.388189077 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.388194084 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.388216972 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.388230085 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.393918991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.393932104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.393987894 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.393996954 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.394032001 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.394367933 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.394381046 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.394432068 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.394439936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.394490957 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.454735041 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.454749107 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.454806089 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.454827070 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.454842091 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.454869032 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.473988056 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.474003077 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.474059105 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.474066973 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.474140882 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.474170923 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.474184990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.474225044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.474231005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.474258900 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.474277973 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.474522114 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.474535942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.474586010 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.474591017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.474706888 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.474710941 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.474720001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.474746943 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.474756002 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.474783897 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.474792957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.474807024 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.474833965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.474941015 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.474953890 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.474997044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.475003958 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.475029945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.475048065 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.480792999 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.480808020 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.480851889 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.480858088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.480884075 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.480914116 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.481161118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.481174946 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.481201887 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.481206894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.481231928 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.481256962 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.541661024 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.541692019 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.541732073 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.541740894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.541794062 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.560914993 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.560934067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.561007023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.561017990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.561188936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.561207056 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.561240911 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.561244965 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.561275005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.561284065 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.561296940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.561296940 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.561307907 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.561331034 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.561353922 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.561657906 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.561671019 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.561714888 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.561721087 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.561804056 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.561825991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.561856031 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.561861992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.561887980 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.561913967 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.567657948 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.567676067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.567745924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.567766905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.568123102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.568141937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.568180084 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.568186045 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.568219900 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.568242073 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.628817081 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.628834963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.628916979 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.628923893 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.628967047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.647919893 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.647934914 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.647995949 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.648001909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.648027897 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.648045063 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.648051023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.648056984 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.648085117 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.648121119 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.648190022 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.648202896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.648233891 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.648240089 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.648251057 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.648277044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.648534060 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.648550034 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.648600101 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.648606062 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.648654938 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.648777962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.648793936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.648830891 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.648835897 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.648860931 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.648880005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.654669046 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.654690981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.654740095 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.654747009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.654793978 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.654977083 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.654992104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.655030966 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.655035973 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.655061960 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.655081034 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.715612888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.715635061 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.715701103 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.715708971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.719118118 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.734678030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.734695911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.734761000 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.734766006 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.734994888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.735013962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.735049009 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.735054016 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.735080004 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.735099077 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.735182047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.735194921 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.735246897 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.735251904 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.735351086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.735367060 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.735409021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.735414982 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.735579014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.735591888 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.735636950 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.735644102 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.736041069 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.741224051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.741239071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.741297007 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.741302967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.741910934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.741930008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.741964102 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.741969109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.741981983 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.742013931 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.802381992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.802398920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.802968025 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.802973986 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.803025007 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.821547985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.821564913 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.821615934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.821619987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.821660995 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.821808100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.821822882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.821854115 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.821858883 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.821885109 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.821901083 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.822081089 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.822094917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.822129965 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.822134972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.822161913 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.822175980 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.822268963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.822283030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.822315931 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.822319984 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.822349072 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.822360992 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.822539091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.822552919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.822604895 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.822611094 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.822945118 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.828053951 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.828068972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.828115940 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.828121901 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.828164101 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.828691959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.828707933 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.828742027 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.828747034 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.828758955 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.828784943 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.889188051 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.889205933 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.889286995 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.889295101 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.891050100 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.908274889 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.908299923 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.908396006 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.908411026 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.908556938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.908579111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.908617020 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.908622980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.908639908 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.908674002 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.908811092 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.908823967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.908870935 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.908876896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.908991098 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.909018993 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.909049034 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.909053087 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.909080029 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.909109116 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.909313917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.909327030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.909378052 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.909383059 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.910955906 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.914880991 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.914897919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.914972067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.914978981 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.915090084 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.915560007 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.915575027 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.915627003 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.915632963 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.918479919 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.976124048 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.976140022 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.976205111 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.976216078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.976306915 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.995206118 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.995225906 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.995270014 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.995276928 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.995300055 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.995327950 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.995357990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.995373011 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.995419025 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.995423079 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.995486021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.995723009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.995738983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.995774031 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.995779037 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.995798111 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.995819092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.995889902 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.995907068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.995939016 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.995944023 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.995969057 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.996001959 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.996166945 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.996181965 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.996231079 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.996236086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:16.996263027 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:16.996273041 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.001718998 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.001734018 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.001786947 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.001794100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.001842976 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.002515078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.002528906 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.002571106 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.002576113 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.002613068 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.002621889 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.063011885 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.063028097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.063076019 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.063090086 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.063124895 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.063143015 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.082175970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.082190990 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.082231998 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.082238913 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.082268953 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.082293987 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.082461119 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.082474947 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.082530022 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.082535028 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.082662106 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.082681894 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.082712889 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.082719088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.082731009 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.082751036 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.083039045 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.083053112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.083100080 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.083106041 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.083153009 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.083271980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.083288908 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.083334923 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.083339930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.083369017 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.083375931 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.088627100 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.088641882 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.088701963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.088707924 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.088747025 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.089378119 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.089395046 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.089449883 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.089456081 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.089540005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.149866104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.149882078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.149955988 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.149966002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.150126934 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.168935061 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.168951035 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.169027090 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.169034004 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.169140100 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.169249058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.169269085 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.169323921 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.169328928 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.169415951 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.169511080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.169527054 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.169564009 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.169568062 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.169594049 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.169612885 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.169878006 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.169892073 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.169955015 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.169960022 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.170048952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.170048952 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.170059919 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.170087099 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.170099974 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.170105934 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.170133114 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.170145035 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.175280094 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.175293922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.175350904 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.175358057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.175398111 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.175405979 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.176171064 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.176188946 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.176242113 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.176246881 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.176300049 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.236670017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.236687899 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.236792088 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.236800909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.236848116 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.256083965 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.256097078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.256160021 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.256166935 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.256208897 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.256438971 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.256453037 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.256499052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.256511927 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.256521940 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.256548882 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.256586075 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.256808996 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.256822109 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.256863117 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.256869078 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.256881952 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.256915092 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.257055044 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.257069111 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.257132053 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.257138014 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.257396936 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.262197018 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.262212992 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.262289047 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.262295008 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.262331963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.262929916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.262943029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.263010025 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.263015985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.263289928 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.324693918 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.324709892 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.324784040 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.324790955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.324831963 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.342962980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.342987061 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.343061924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.343069077 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.343276978 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.343297005 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.343306065 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.343311071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.343358040 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.343543053 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.343555927 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.343615055 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.343621016 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.343761921 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.343796015 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.343821049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.343843937 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.343849897 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.343878984 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.343878984 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.344013929 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.344033003 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.344080925 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.344085932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.344142914 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.349005938 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.349040985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.349098921 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.349104881 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.349149942 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.349864960 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.349879980 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.349945068 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.349951029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.350055933 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.411540985 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.411556959 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.411621094 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.411628962 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.411701918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.429924965 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.429940939 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.430011034 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.430016994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.430053949 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.430078983 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.430119038 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.430130005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.430134058 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.430162907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.430175066 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.430368900 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.430392027 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.430435896 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.430440903 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.430465937 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.430479050 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.430514097 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.430526972 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.430592060 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.430592060 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.430597067 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.430635929 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.430820942 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.430835009 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.430881023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.430886030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.430917978 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.430932999 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.436106920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.436121941 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.436168909 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.436173916 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.436217070 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.436245918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.436610937 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.436626911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.436695099 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.436701059 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.436845064 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.498450994 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.498492002 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.498553038 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.498559952 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.498610973 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.516716957 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.516731977 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.516789913 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.516797066 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.516856909 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.516866922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.516882896 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.516935110 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.516941071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.516983032 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.517167091 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.517187119 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.517219067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.517222881 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.517257929 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.517266989 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.517452955 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.517467976 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.517523050 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.517528057 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.517550945 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.517568111 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.517620087 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.517633915 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.517673969 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.517678976 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.517705917 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.517729044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.522708893 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.522722960 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.522795916 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.522800922 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.522840977 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.523459911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.523474932 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.523530960 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.523535967 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.523585081 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.585225105 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.585239887 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.585315943 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.585325956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.585378885 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.603475094 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.603491068 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.603550911 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.603559017 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.603596926 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.603712082 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.603725910 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.603768110 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.603774071 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.603959084 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.604000092 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.604032040 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.604058027 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.604062080 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.604089022 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.604109049 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.604211092 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.604226112 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.604271889 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.604278088 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.604329109 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.604531050 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.604545116 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.604595900 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.604600906 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.604649067 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.609935999 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.609950066 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.609996080 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.610001087 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.610030890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.610054016 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.671675920 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.671689987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.671758890 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.671771049 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.671802044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.671823978 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.690165997 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.690182924 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.690242052 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.690248966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.690311909 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.690334082 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.690357924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.690362930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.690390110 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.690414906 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.690552950 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.690567970 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.690620899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.690628052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.690730095 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.690814018 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.690829039 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.690884113 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.690890074 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.690943003 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.691080093 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.691095114 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.691138029 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.691143036 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.691165924 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.691184044 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.691358089 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.691373110 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.691431046 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.691436052 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.691524029 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.696804047 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.696820021 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.696894884 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.696901083 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.696964025 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.758589029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.758606911 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.758654118 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.758661032 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.758692980 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.758712053 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.777029037 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.777043104 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.777098894 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.777105093 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.777142048 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.777307987 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.777323961 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.777369022 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.777374029 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.777452946 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.777565956 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.777581930 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.777628899 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.777633905 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.777782917 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.777805090 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.777815104 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.777817965 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.777843952 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.777978897 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.778064966 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.778076887 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.778120041 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.778126001 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.778157949 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.778168917 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.778335094 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.778358936 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.778398037 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.778403044 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.778429031 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.778454065 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.783668041 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.783689976 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.783725023 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.783730030 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.783762932 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.783782005 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.845359087 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.845375061 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.845444918 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.845454931 CET	443	49713	37.19.203.49	192.168.2.6
Jan 3, 2025 14:39:17.845491886 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.845506907 CET	49713	443	192.168.2.6	37.19.203.49
Jan 3, 2025 14:39:17.864017963 CET	443	49713	37.19.203.49	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 3, 2025 14:38:59.732017994 CET	192.168.2.6	1.1.1.1	0xeef6	Standard query (0)	static.adtidy.org	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:39:42.418643951 CET	192.168.2.6	1.1.1.1	0xcdad	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:39:44.754632950 CET	192.168.2.6	1.1.1.1	0x6cd7	Standard query (0)	static.adguard.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 3, 2025 14:38:59.742202997 CET	1.1.1.1	192.168.2.6	0xeef6	No error (0)	static.adtidy.org	1625341327.rsc.cdn77.org		CNAME (Canonical name)	IN (0x0001)	false
Jan 3, 2025 14:38:59.742202997 CET	1.1.1.1	192.168.2.6	0xeef6	No error (0)	1625341327.rsc.cdn77.org		37.19.203.49	A (IP address)	IN (0x0001)	false
Jan 3, 2025 14:39:42.425518990 CET	1.1.1.1	192.168.2.6	0xcdad	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 3, 2025 14:39:44.765515089 CET	1.1.1.1	192.168.2.6	0x6cd7	No error (0)	static.adguard.com	1625341327.rsc.cdn77.org		CNAME (Canonical name)	IN (0x0001)	false
Jan 3, 2025 14:39:44.765515089 CET	1.1.1.1	192.168.2.6	0x6cd7	No error (0)	1625341327.rsc.cdn77.org		37.19.203.49	A (IP address)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49712	37.19.203.49	80	3000	C:\Users\user\Desktop\adguardInstaller.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 14:38:59.751836061 CET	95	OUT	GET /windows/setup.exe HTTP/1.1 User-Agent: AdGuard Web Installer Host: static.adtidy.org
Jan 3, 2025 14:39:00.444521904 CET	1117	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 03 Jan 2025 13:39:00 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://static.adtidy.org/windows/setup.exe Server: CDN77-Turbo X-77-NZT: EQgBJRPLLwAA X-77-NZT-Ray: b977a113ad4eb65c74e8776770555014 X-77-POP: sofiaBG X-77-Cache: MISS Data Raw: 33 30 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 62 61 73 65 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 65 72 72 6f 72 2e 63 2e 63 64 6e 37 37 2e 6f 72 67 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 28 63 29 20 32 30 32 33 20 43 44 4e 37 37 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 6d 61 69 6e 2e 63 73 73 22 3e 0a 20 20 20 20 3c 6c [TRUNCATED] Data Ascii: 304<!DOCTYPE html><head> <base href="https://error.c.cdn77.org/" target="_blank"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="author" content="(c) 2023 CDN77"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="stylesheet" href="css/main.css"> <link rel="shortcut icon" href="img/favicon.ico" /> <title>Moved Permanently</title></head><body style="background-color: #0d5284; color: #fff;" class="Header-wrap"> <h1> <small class="Header-errorNumber"> 301 Redirect</small><br> Moved Permanently </h1> <p class="Header-description"> This resource has been permanently moved to a new location.</p></body>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49950	37.19.203.49	80	4364	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe

Timestamp	Bytes transferred	Direction	Data
Jan 3, 2025 14:39:44.775402069 CET	87	OUT	GET /installer.v1.0.json HTTP/1.1 Host: static.adguard.com Connection: Keep-Alive
Jan 3, 2025 14:39:45.458487034 CET	1120	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 03 Jan 2025 13:39:45 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Location: https://static.adguard.com/installer.v1.0.json Server: CDN77-Turbo X-77-NZT: EQgBJRPLLwAA X-77-NZT-Ray: b977a113102d2dd5a1e87767417c2615 X-77-POP: sofiaBG X-77-Cache: MISS Data Raw: 33 30 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 62 61 73 65 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 65 72 72 6f 72 2e 63 2e 63 64 6e 37 37 2e 6f 72 67 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 28 63 29 20 32 30 32 33 20 43 44 4e 37 37 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 6d 61 69 6e 2e 63 73 73 22 3e 0a 20 20 20 20 3c 6c [TRUNCATED] Data Ascii: 304<!DOCTYPE html><head> <base href="https://error.c.cdn77.org/" target="_blank"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="author" content="(c) 2023 CDN77"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="stylesheet" href="css/main.css"> <link rel="shortcut icon" href="img/favicon.ico" /> <title>Moved Permanently</title></head><body style="background-color: #0d5284; color: #fff;" class="Header-wrap"> <h1> <small class="Header-errorNumber"> 301 Redirect</small><br> Moved Permanently </h1> <p class="Header-description"> This resource has been permanently moved to a new location.</p></body>0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49713	37.19.203.49	443	3000	C:\Users\user\Desktop\adguardInstaller.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:39:01 UTC	119	OUT	GET /windows/setup.exe HTTP/1.1 User-Agent: AdGuard Web Installer Host: static.adtidy.org Connection: Keep-Alive
2025-01-03 13:39:01 UTC	524	IN	HTTP/1.1 200 OK Date: Fri, 03 Jan 2025 13:39:01 GMT Content-Type: application/x-msdos-program Content-Length: 51932240 Connection: close Last-Modified: Thu, 24 Oct 2024 18:35:54 GMT x-rgw-object-type: Normal ETag: "9eff4ea678ea4a1f9f7802b8fc4ad702" x-amz-request-id: tx000009ff98ab1701d5b71-006777e129-7c1d5a3-prg X-77-NZT: EwwBJRPLLwH3ZQYAAAwBw7WvBgG35wAAAAgBbT1aDgAA X-77-NZT-Ray: b977a113054b877275e87767ee07d81c X-77-Cache: HIT X-77-Age: 1637 Server: CDN77-Turbo X-77-POP: sofiaBG Accept-Ranges: bytes
2025-01-03 13:39:01 UTC	15860	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 39 0a 6f fb 7d 6b 01 a8 7d 6b 01 a8 7d 6b 01 a8 c9 f7 f0 a8 77 6b 01 a8 c9 f7 f2 a8 00 6b 01 a8 c9 f7 f3 a8 65 6b 01 a8 2f 03 05 a9 6e 6b 01 a8 2f 03 02 a9 69 6b 01 a8 2f 03 04 a9 56 6b 01 a8 74 13 82 a8 78 6b 01 a8 74 13 92 a8 6c 6b 01 a8 7d 6b 00 a8 28 6a 01 a8 eb 02 04 a9 36 6b 01 a8 eb 02 fe a8 7c 6b 01 a8 7d 6b 96 a8 7f 6b 01 a8 eb 02 03 a9 7c 6b 01 a8 52 69 63 68 7d 6b 01 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$9o}k}k}kwkkek/nk/ik/Vktxktlk}k(j6k\|k}kk\|kRich}k
2025-01-03 13:39:01 UTC	16384	IN	Data Raw: e9 95 00 00 00 57 68 9e 45 40 00 e8 5d b5 03 00 57 ff 75 08 e8 c1 9e 01 00 8b f0 85 f6 79 07 68 d8 ad 44 00 eb 74 6a 01 e8 f0 ca 03 00 8d 47 18 50 8d 87 f8 00 00 00 50 8d 45 f8 50 8d 45 fc 50 8d 87 b8 00 00 00 50 8d 87 00 01 00 00 50 8d 87 88 00 00 00 50 8d 87 b8 02 00 00 50 8d 87 c0 02 00 00 50 8d 87 a8 02 00 00 50 8d 87 d8 03 00 00 50 ff b7 b4 04 00 00 ff b7 b0 04 00 00 ff b7 98 04 00 00 e8 68 86 01 00 53 53 8b f0 e8 dc b4 03 00 85 f6 79 0d 68 7c af 44 00 56 e8 75 b0 03 00 59 59 53 53 e8 c4 b4 03 00 57 e8 ec 9d 01 00 39 5d f8 74 05 e8 5f 87 01 00 39 5d fc 74 12 ff 75 fc ff 15 9c a1 44 00 ff 75 fc ff 15 e0 a0 44 00 5f 8b c6 5e 5b c9 c2 0c 00 55 8b ec 53 56 57 8b 7d 0c 33 db 6a 00 43 8d 87 b8 04 00 00 89 9f ec 03 00 00 50 e8 c3 ff 00 00 8b f0 85 f6 79 07 Data Ascii: WhE@]WuyhDtjGPPEPEPPPPPPPPhSSyh\|DVuYYSSW9]t_9]tuDuD_^[USVW}3jCPy
2025-01-03 13:39:01 UTC	16384	IN	Data Raw: 33 db 57 8b 7d 08 8b c7 ff 75 0c c1 e8 11 83 e0 01 89 45 fc ff d6 ff 75 10 89 45 08 ff d6 8b f0 81 ff 0a 00 03 00 7f 5f 81 ff 05 00 03 00 7d 2c 81 ff 05 00 01 00 7c 61 81 ff 0a 00 01 00 7e 1c 81 ff 0b 00 01 00 0f 84 96 00 00 00 81 ff 0c 00 01 00 74 67 81 ff 0d 00 01 00 eb 3b 56 ff 75 10 ff 75 08 ff 75 0c ff 75 fc 6a 7f ff 15 34 a1 44 00 ff 75 14 99 53 6a 02 52 50 57 e8 2c fe ff ff 8b d8 e9 97 00 00 00 81 ef 0b 00 03 00 74 53 83 ef 01 74 27 83 ef 01 74 07 bb 57 00 07 80 eb 7e 8b 45 08 3b c6 7c 10 8b 4d 0c 2b c6 56 ff 75 10 56 8d 04 41 50 eb 11 8b cb eb 20 39 75 08 7c f7 56 ff 75 10 56 ff 75 0c ff 75 fc 6a 7f ff 15 34 a1 44 00 83 f8 02 75 df 33 c9 41 8b 45 14 89 08 eb 3c 8b 7d 08 3b f7 7f 30 8b 45 0c 89 75 08 56 ff 75 10 56 50 ff 75 fc 6a 7f ff 15 34 a1 44 Data Ascii: 3W}uEuE_},\|a~tg;Vuuuuj4DuSjRPW,tSt'tW~E;\|M+VuVAP 9u\|VuVuuj4Du3AE<};0EuVuVPuj4D
2025-01-03 13:39:01 UTC	16384	IN	Data Raw: 7f 08 00 74 08 ff 77 08 e8 61 5d ff ff 83 7f 04 00 74 08 ff 77 04 e8 53 5d ff ff 8b 45 08 43 83 c0 10 89 45 08 3b 5e 04 72 b2 8b 06 5f 50 e8 7d 70 ff ff 5b 83 26 00 83 66 04 00 5e 5d c2 04 00 55 8b ec 83 ec 0c 56 57 8d 45 f4 33 ff 50 68 90 ea 44 00 ff 75 0c 89 7d f4 89 7d fc 89 7d f8 e8 2b 67 03 00 8b f0 85 f6 79 12 68 a0 ea 44 00 56 e8 a0 30 03 00 59 59 e9 f0 00 00 00 8b 45 f4 8d 55 f8 52 50 8b 08 ff 51 20 8b f0 85 f6 79 07 68 c0 ea 44 00 eb d9 8b 45 f8 85 c0 0f 84 cb 00 00 00 6a 01 c1 e0 04 50 e8 3f 6f ff ff 8b 4d 08 89 01 85 c0 75 19 be 0e 00 07 80 56 6a 21 68 e4 ea 44 00 e8 ff 6d ff ff 68 14 eb 44 00 eb a1 8b 45 f8 89 41 04 53 8b df 85 c0 0f 84 8c 00 00 00 8b c7 89 7d 0c 8b 39 03 f8 8d 45 fc 6a 00 50 83 4f 0c ff ff 75 f4 e8 f4 65 03 00 8b f0 85 f6 78 Data Ascii: twa]twS]ECE;^r_P}p[&f^]UVWE3PhDu}}}+gyhDV0YYEURPQ yhDEjP?oMuVj!hDmhDEAS}9EjPOuex
2025-01-03 13:39:01 UTC	16384	IN	Data Raw: e8 69 1d ff ff 8b 86 a4 00 00 00 85 c0 74 06 50 e8 59 1d ff ff 8b 86 a8 00 00 00 85 c0 74 06 50 e8 49 1d ff ff 8b 86 ac 00 00 00 85 c0 74 06 50 e8 39 1d ff ff 8b 86 b0 00 00 00 85 c0 74 06 50 e8 29 1d ff ff 8b 86 94 00 00 00 85 c0 74 79 39 9e 98 00 00 00 76 69 33 ff 8b 14 38 8b c8 85 d2 74 0e 52 e8 06 1d ff ff 8b 86 94 00 00 00 8b c8 8b 54 39 04 85 d2 74 0e 52 e8 f0 1c ff ff 8b 86 94 00 00 00 8b c8 8b 54 39 08 85 d2 74 0e 52 e8 da 1c ff ff 8b 86 94 00 00 00 8b c8 8b 54 39 0c 85 d2 74 0e 52 e8 c4 1c ff ff 8b 86 94 00 00 00 8b c8 43 83 c7 10 3b 9e 98 00 00 00 72 9b 8b c1 50 e8 ea 2f ff ff 33 db 8b 86 bc 00 00 00 85 c0 74 06 50 e8 96 1c ff ff 8b 86 c0 00 00 00 85 c0 74 06 50 e8 86 1c ff ff 8d 86 b4 00 00 00 50 e8 f5 80 01 00 68 a8 01 00 00 53 56 e8 0c eb 01 Data Ascii: itPYtPItP9tP)ty9vi38tRT9tRT9tRT9tRC;rP/3tPtPPhSV
2025-01-03 13:39:01 UTC	16384	IN	Data Raw: fe ff 5f 8b c6 5e 5b c9 c2 08 00 55 8b ec 51 51 56 57 8d 45 fc 33 ff 50 8d 45 f8 89 7d f8 50 ff 75 14 89 7d fc ff 75 10 ff 75 0c e8 aa fb ff ff 8b f0 85 f6 79 07 68 40 3a 45 00 eb 61 89 7d 14 39 7d fc 76 61 6a 00 8d 45 14 50 8b 45 fc 2b c7 50 ff 75 f8 ff 75 08 ff 15 3c a1 44 00 85 c0 74 0a 03 7d 14 3b 7d fc 72 dc eb 3b ff 15 f4 a0 44 00 8b f0 85 f6 7e 0b 0f b7 f6 81 ce 00 00 07 80 85 f6 78 05 be 05 40 00 80 56 68 f0 02 00 00 68 a4 33 45 00 e8 2d ee fe ff 68 68 3a 45 00 56 e8 71 b0 02 00 59 59 83 7d f8 00 74 08 ff 75 f8 e8 fc ef fe ff 5f 8b c6 5e c9 c2 10 00 55 8b ec 51 83 65 fc 00 8d 45 fc 56 57 8b 7d 08 ff 37 68 c0 32 45 00 50 e8 55 d5 fe ff 8b f0 83 c4 0c 85 f6 79 12 68 4c 39 45 00 56 e8 28 b0 02 00 59 59 e9 8b 01 00 00 53 be ff ff 00 80 33 db 81 fb 08 Data Ascii: _^[UQQVWE3PE}Pu}uuyh@:Ea}9}vajEPE+Puu<Dt};}r;D~x@Vhh3E-hh:EVqYY}tu_^UQeEVW}7h2EPUyhL9EV(YYS3
2025-01-03 13:39:01 UTC	16384	IN	Data Raw: 8b d8 85 db 79 12 68 3c 63 45 00 53 e8 04 71 02 00 59 59 e9 13 01 00 00 39 35 7c aa 46 00 74 13 57 e8 e4 a1 fe ff 8b d8 85 db 79 21 68 70 63 45 00 eb d8 56 ff 35 78 aa 46 00 57 e8 6a 98 fe ff 8b d8 85 db 79 07 68 c8 63 45 00 eb be a1 7c aa 46 00 39 75 0c 75 05 a1 78 aa 46 00 56 8b 75 10 50 56 e8 43 98 fe ff 8b d8 85 db 79 0a 68 74 57 45 00 e9 a6 00 00 00 8d 45 f8 50 ff 36 ff 35 78 aa 46 00 e8 67 a3 fe ff 8b d8 85 db 79 0a 68 50 64 45 00 e9 73 ff ff ff 33 db 83 7d f8 02 0f 95 c3 e9 85 00 00 00 a1 74 aa 46 00 85 c0 75 59 8d 45 fc 50 6a 1c e8 fa aa fe ff 8b d8 85 db 79 0a 68 80 57 45 00 e9 ca fe ff ff bf 74 aa 46 00 57 68 e0 53 45 00 ff 75 fc e8 84 a3 fe ff 8b d8 85 db 79 0a 68 80 57 45 00 e9 cf fe ff ff 57 e8 17 a1 fe ff 8b d8 85 db 79 0a 68 80 57 45 00 e9 Data Ascii: yh<cESqYY95\|FtWy!hpcEV5xFWjyhcE\|F9uuxFVuPVCyhtWEEP65xFgyhPdEs3}tFuYEPjyhWEtFWhSEuyhWEWyhWE
2025-01-03 13:39:01 UTC	16384	IN	Data Raw: ec 8b 45 0c 8d 4d e0 ff 70 04 51 ff 10 8b 4d 10 89 01 83 7d f4 00 74 08 ff 75 f4 e8 4e 5d fe ff 85 db 74 25 8b 45 f8 85 c0 74 18 33 ff 83 3c bb 00 74 0b ff 34 bb e8 33 5d fe ff 8b 45 f8 47 3b f8 72 ea 53 e8 67 70 fe ff 5f 8b c6 5e 5b c9 c2 0c 00 8b 45 08 50 68 48 7f 45 00 56 e8 b4 30 02 00 83 c4 0c eb ac 8d 45 e8 c7 45 e0 01 00 00 00 50 8d 45 fc 50 ff 77 04 ff 77 0c e8 d6 24 02 00 8b f0 85 f6 79 0a 68 cc 7e 45 00 e9 90 fe ff ff 8d 45 f4 50 8d 45 fc 50 ff 77 04 ff 77 0c e8 0c 25 02 00 8b f0 85 f6 79 0a 68 e8 7e 45 00 e9 6d fe ff ff 8b 45 f4 89 45 ec e9 43 ff ff ff 8d 45 e8 c7 45 e0 02 00 00 00 50 8d 45 fc 50 ff 77 04 ff 77 0c e8 7e 24 02 00 8b f0 85 f6 0f 89 1f ff ff ff 68 b8 7e 45 00 e9 34 fe ff ff 55 8b ec 51 51 8b 45 08 83 65 f8 00 83 65 fc 00 56 83 38 Data Ascii: EMpQM}tuN]t%Et3<t43]EG;rSgp_^[EPhHEV0EEPEPww$yh~EEPEPww%yh~EmEECEEPEPww~$h~E4UQQEeeV8
2025-01-03 13:39:01 UTC	16384	IN	Data Raw: 83 c8 ff c9 c3 8b 45 fc c9 c3 55 8b ec 83 ec 10 56 57 8b 7d 08 33 f6 89 75 f0 89 75 f4 89 75 f8 8b 47 2c 48 89 75 fc 83 e8 01 74 3a 83 e8 01 0f 84 80 00 00 00 48 83 e8 01 74 24 be 9f 13 07 80 56 68 96 02 00 00 68 28 9d 45 00 e8 76 2e fe ff 68 d8 9f 45 00 56 e8 ba f0 01 00 59 59 eb 56 be 04 40 00 80 eb 4f 8b 4d 0c 8d 45 f0 50 0f b7 41 1a 50 0f b7 41 18 50 ff 15 5c a2 44 00 85 c0 74 21 8d 45 f8 50 8d 45 f0 50 ff 15 58 a2 44 00 85 c0 74 0f 8d 45 f8 50 50 50 ff 77 3c ff 15 54 a2 44 00 83 7f 3c ff 74 0d ff 77 3c ff 15 e0 a0 44 00 83 4f 3c ff 89 77 30 c1 fe 1f 83 e6 fe 5f 8d 46 01 5e c9 c2 08 00 55 8b ec 53 56 57 8b 7d 08 33 db 43 ff 77 28 ff 15 3c a2 44 00 85 c0 75 40 ff 15 f4 a0 44 00 8b f0 85 f6 7e 0b 0f b7 f6 81 ce 00 00 07 80 85 f6 78 05 be 05 40 00 80 56 Data Ascii: EUVW}3uuuG,Hut:Ht$Vhh(Ev.hEVYYV@OMEPAPAP\Dt!EPEPXDtEPPPw<TD<tw<DO<w0_F^USVW}3Cw(<Du@D~x@V
2025-01-03 13:39:01 UTC	16384	IN	Data Raw: 75 fc e8 62 e1 01 00 8b f0 81 fe 90 04 07 80 74 08 85 f6 0f 88 1d 01 00 00 8b 45 0c 83 c0 08 50 68 c0 ad 45 00 ff 75 fc e8 3c e1 01 00 8b f0 81 fe 90 04 07 80 74 08 85 f6 0f 88 01 01 00 00 8b 45 0c 83 c0 0c 50 68 0c ae 45 00 ff 75 fc e8 16 e1 01 00 8b f0 81 fe 90 04 07 80 74 08 85 f6 0f 88 e5 00 00 00 8b 45 0c 83 c0 10 50 68 58 ae 45 00 ff 75 fc e8 f0 e0 01 00 8b f0 81 fe 90 04 07 80 74 08 85 f6 0f 88 c9 00 00 00 8b 45 0c 83 c0 14 50 68 b8 ae 45 00 ff 75 fc e8 ca e0 01 00 8b f0 81 fe 90 04 07 80 74 08 85 f6 0f 88 ad 00 00 00 8b 45 0c 83 c0 18 50 68 1c af 45 00 ff 75 fc e8 a4 e0 01 00 8b f0 81 fe 90 04 07 80 74 08 85 f6 0f 88 91 00 00 00 8b 4d fc 85 c9 74 0a 8b 01 51 ff 50 08 83 65 fc 00 8b 45 08 8b 4d ec 40 83 c1 28 89 45 08 89 4d ec 3b 45 f4 0f 82 b5 fe Data Ascii: ubtEPhEu<tEPhEutEPhXEutEPhEutEPhEutMtQPeEM@(EM;E

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49957	37.19.203.49	443	4364	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-03 13:39:46 UTC	87	OUT	GET /installer.v1.0.json HTTP/1.1 Host: static.adguard.com Connection: Keep-Alive

Target ID:	0
Start time:	08:38:57
Start date:	03/01/2025
Path:	C:\Users\user\Desktop\adguardInstaller.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\adguardInstaller.exe"
Imagebase:	0xec0000
File size:	145'944 bytes
MD5 hash:	A74538FCB6491C24A788B008128DC41B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:39:38
Start date:	03/01/2025
Path:	C:\Users\user\AppData\Local\Temp\adguard\setup.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\adguard\setup.exe AID=18673_page_en_welcome
Imagebase:	0xb50000
File size:	51'932'240 bytes
MD5 hash:	9EFF4EA678EA4A1F9F7802B8FC4AD702
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	08:39:38
Start date:	03/01/2025
Path:	C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\adguard\setup.exe" -burn.filehandle.attached=716 -burn.filehandle.self=732 AID=18673_page_en_welcome
Imagebase:	0xce0000
File size:	3'347'128 bytes
MD5 hash:	44876B0645D1BDFDCDD7C5133B2EAD8E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.3365693311.0000000007262000.00000002.00000001.01000000.00000012.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.3364676133.0000000006E82000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.3366477621.00000000076A2000.00000002.00000001.01000000.00000013.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.3%
Total number of Nodes:	1675
Total number of Limit Nodes:	12

Executed Functions

Function 00EC8170 Relevance: 91.6, APIs: 45, Strings: 7, Instructions: 599
memorywindowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00EC818A
strlen.MSVCRT ref: 00EC819E
HeapAlloc.KERNEL32 ref: 00EC81B9
memchr.MSVCRT ref: 00EC8207
memchr.MSVCRT ref: 00EC8226
memchr.MSVCRT ref: 00EC8261
memchr.MSVCRT ref: 00EC82AC
HeapAlloc.KERNEL32 ref: 00EC8308
HeapFree.KERNEL32 ref: 00EC83A5
GetLastError.KERNEL32 ref: 00EC8403

Part of subcall function 00EC9B84: strlen.MSVCRT ref: 00EC9B91

HeapAlloc.KERNEL32 ref: 00EC845C
GdiplusStartup.GDIPLUS ref: 00EC84AF
GetCurrentThreadId.KERNEL32 ref: 00EC84C0
GetDC.USER32 ref: 00EC84CD
GetDeviceCaps.GDI32 ref: 00EC84E5
ReleaseDC.USER32 ref: 00EC84FD
GetModuleHandleW.KERNEL32 ref: 00EC85BA
LoadIconW.USER32 ref: 00EC85DD
LoadCursorW.USER32 ref: 00EC85FA
RegisterClassExW.USER32(00000000), ref: 00EC8612
SendMessageW.USER32 ref: 00EC8690
SendMessageW.USER32 ref: 00EC86B1
SetWindowLongW.USER32(00000000,00000000), ref: 00EC86EF

Part of subcall function 00ECB104: GlobalAlloc.KERNEL32 ref: 00ECB132
Part of subcall function 00ECB104: GlobalLock.KERNEL32 ref: 00ECB148
Part of subcall function 00ECB104: GlobalFree.KERNEL32 ref: 00ECB15B

ShowWindow.USER32 ref: 00EC87B1

Part of subcall function 00ECB2AC: GetDC.USER32 ref: 00ECB2C4
Part of subcall function 00ECB2AC: CreateCompatibleDC.GDI32 ref: 00ECB2D1
Part of subcall function 00ECB2AC: SelectObject.GDI32 ref: 00ECB2F0
Part of subcall function 00ECB2AC: GdipCreateFromHDC.GDIPLUS ref: 00ECB351
Part of subcall function 00ECB2AC: GdipCreateSolidFill.GDIPLUS ref: 00ECB385
Part of subcall function 00ECB2AC: GdipFillRectangleI.GDIPLUS ref: 00ECB3BB
Part of subcall function 00ECB2AC: GdipDeleteGraphics.GDIPLUS(?,?,?,00ECB642), ref: 00ECB3DA
Part of subcall function 00ECB2AC: CreateCompatibleDC.GDI32(00000000), ref: 00ECB3E6

Part of subcall function 00EC929C: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00EC87C3,00000000), ref: 00EC93A1
Part of subcall function 00EC929C: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00EC93BE

GetLastError.KERNEL32(00000000,00000000), ref: 00EC87C9

Part of subcall function 00EC93D8: GetLocaleInfoW.KERNEL32 ref: 00EC941D
Part of subcall function 00EC93D8: GetWindowLongW.USER32 ref: 00EC945E
Part of subcall function 00EC93D8: SetWindowLongW.USER32 ref: 00EC9482
Part of subcall function 00EC93D8: ShowWindow.USER32 ref: 00EC9514
Part of subcall function 00EC93D8: SendMessageW.USER32(00000000,00000000), ref: 00EC955D
Part of subcall function 00EC93D8: SendMessageW.USER32 ref: 00EC9588

CreateThread.KERNEL32(?,?,00000000,00000000), ref: 00EC8821
KiUserCallbackDispatcher.NTDLL(00000030), ref: 00EC8859
GetParent.USER32 ref: 00EC8890
TranslateAcceleratorW.USER32 ref: 00EC88DD
TranslateMessage.USER32 ref: 00EC88F1
DispatchMessageW.USER32 ref: 00EC88FB

Part of subcall function 00ECB220: GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00ECB242
Part of subcall function 00ECB220: GdipGetImageWidth.GDIPLUS ref: 00ECB265
Part of subcall function 00ECB220: GdipGetImageHeight.GDIPLUS ref: 00ECB28A

Part of subcall function 00ECAE88: SetWindowPos.USER32 ref: 00ECAEEB

Part of subcall function 00ECB104: GlobalUnlock.KERNEL32 ref: 00ECB177
Part of subcall function 00ECB104: CreateStreamOnHGlobal.OLE32(00000000), ref: 00ECB193
Part of subcall function 00ECB104: GlobalFree.KERNEL32 ref: 00ECB1A6

WaitForSingleObject.KERNEL32 ref: 00EC8929
GetExitCodeThread.KERNEL32 ref: 00EC893F
CloseHandle.KERNEL32(00000000,00000000), ref: 00EC894A
DeleteObject.GDI32 ref: 00EC8974
DeleteObject.GDI32(00000001), ref: 00EC8985
GdiplusShutdown.GDIPLUS(00000000), ref: 00EC8996
GetModuleHandleW.KERNEL32(00000000,00000000), ref: 00EC89AC
UnregisterClassW.USER32 ref: 00EC89BE
HeapFree.KERNEL32(00000000), ref: 00EC89E9
HeapFree.KERNEL32 ref: 00EC8A2A
HeapFree.KERNEL32 ref: 00EC8A46
HeapFree.KERNEL32 ref: 00EC8A62
HeapFree.KERNEL32 ref: 00EC8A7E
HeapFree.KERNEL32 ref: 00EC8AB6

Strings

https_url, xrefs: 00EC8376
X, xrefs: 00EC84DA
http_url, xrefs: 00EC8352
AdGuard Web Installer, xrefs: 00EC8645
setup_args, xrefs: 00EC8328
0, xrefs: 00EC85AC
ADGUARD_WI_WNDCLASS, xrefs: 00EC85CB, 00EC89B7

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: Heap$Free$CreateGdip$GlobalMessageWindow$AllocObjectSendmemchr$DeleteHandleLongThread$ClassCompatibleErrorFillFromGdiplusImageLastLoadModuleShowTranslatestrlen$AcceleratorBitmapCallbackCapsCloseCodeCurrentCursorDeviceDispatchDispatcherExitGraphicsHeightIconInfoLocaleLockParentProcessRectangleRegisterReleaseSelectShutdownSingleSolidStartupStreamUnlockUnregisterUserWaitWidth
String ID: 0$ADGUARD_WI_WNDCLASS$AdGuard Web Installer$X$http_url$https_url$setup_args
API String ID: 4084662147-3388329929
Opcode ID: 1610b64692fa84a1c421bb4eca6719c8147b2f0c5d2bb77483ae8862e195d1ac
Instruction ID: 9f64b8498759f0d0f42a013a5d2ddf50644de6ff9d8df3afd6d48727dfc608f4
Opcode Fuzzy Hash: 1610b64692fa84a1c421bb4eca6719c8147b2f0c5d2bb77483ae8862e195d1ac
Instruction Fuzzy Hash: 35424B709093058FD704EFA9DA88B9EBBF0FF44304F01952DE598AB354DB76984ACB41

Function 00EC8E34 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 218
networkfilememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EC9F00: DeleteFileW.KERNEL32 ref: 00EC9F3A
Part of subcall function 00EC9F00: HeapFree.KERNEL32 ref: 00EC9F59

Part of subcall function 00EC9DB8: CreateFileW.KERNEL32 ref: 00EC9EB6
Part of subcall function 00EC9DB8: HeapFree.KERNEL32 ref: 00EC9EE5

GetLastError.KERNEL32 ref: 00EC8E5C
InternetOpenW.WININET ref: 00EC8F1E
InternetOpenUrlW.WININET ref: 00EC8F76
InternetReadFile.WININET ref: 00EC904D
WriteFile.KERNEL32 ref: 00EC9084
HeapFree.KERNEL32 ref: 00EC90D9
InternetCloseHandle.WININET ref: 00EC90EB
InternetCloseHandle.WININET ref: 00EC90F1
GetLastError.KERNEL32 ref: 00EC9103

Part of subcall function 00EC8CD8: HeapAlloc.KERNEL32 ref: 00EC8D1C

CloseHandle.KERNEL32 ref: 00EC9130

Strings

AdGuard Web Installer, xrefs: 00EC8F17
https://, xrefs: 00EC8F34

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: Internet$FileHeap$CloseFreeHandle$ErrorLastOpen$AllocCreateDeleteReadWrite
String ID: AdGuard Web Installer$https://
API String ID: 430734991-929163020
Opcode ID: ff314d8dd0f9a38bde7527d23bbe261e7b26ee87b6fcc5dbf08ae049959c2da8
Instruction ID: ea5b872f6ad24bfa1d293cfdfc1fd3e6f30abed51f786b76895117986ae20e6b
Opcode Fuzzy Hash: ff314d8dd0f9a38bde7527d23bbe261e7b26ee87b6fcc5dbf08ae049959c2da8
Instruction Fuzzy Hash: 28915970A053058FDB10EFA9DA89B9EBBF1FF84314F10962DE454A7291DB768806CF52

Function 00EC117C Relevance: 19.7, APIs: 13, Instructions: 199
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00EC11C7
SetUnhandledExceptionFilter.KERNEL32 ref: 00EC1248
__p__acmdln.MSVCRT ref: 00EC1271
malloc.MSVCRT ref: 00EC12FB
strlen.MSVCRT ref: 00EC132B
malloc.MSVCRT ref: 00EC1336
memcpy.MSVCRT ref: 00EC134C
GetStartupInfoA.KERNEL32 ref: 00EC1443

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 69e7c495ceb6e20b1464576ac007ed6ece7e2f1fd0fa62a8161221771868f9fa
Instruction ID: 284a297a5e213035625c9c47b44743594ed02912e14d33b892bd6cb27b5f870b
Opcode Fuzzy Hash: 69e7c495ceb6e20b1464576ac007ed6ece7e2f1fd0fa62a8161221771868f9fa
Instruction Fuzzy Hash: B481E1B49093408FDB14EFA5EA81B6977E1FB42304F1054AED984F7312D736988ADB82

Function 00EC13D1 Relevance: 12.1, APIs: 8, Instructions: 108
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00EC1248
__p__acmdln.MSVCRT ref: 00EC1271
malloc.MSVCRT ref: 00EC12FB
strlen.MSVCRT ref: 00EC132B
malloc.MSVCRT ref: 00EC1336
memcpy.MSVCRT ref: 00EC134C
_amsg_exit.MSVCRT ref: 00EC13F2
_initterm.MSVCRT ref: 00EC1414

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2053141405-0
Opcode ID: 85a06163bcf7b0a21f1dca92163e5fcf47f0b1b3ade41e7fde082339b23edf3a
Instruction ID: b4d61e6524e8dd2897f84f6179e20558a63608ba71154ddd9611dd320277d6c9
Opcode Fuzzy Hash: 85a06163bcf7b0a21f1dca92163e5fcf47f0b1b3ade41e7fde082339b23edf3a
Instruction Fuzzy Hash: 69416BB49093409FDB10EF65EA81B59B7E1FB45304F1094AED584B7312D736988ACF42

Function 00EC11B3 Relevance: 10.6, APIs: 7, Instructions: 114
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00EC11C7
SetUnhandledExceptionFilter.KERNEL32 ref: 00EC1248
__p__acmdln.MSVCRT ref: 00EC1271
malloc.MSVCRT ref: 00EC12FB
strlen.MSVCRT ref: 00EC132B
malloc.MSVCRT ref: 00EC1336
memcpy.MSVCRT ref: 00EC134C
_amsg_exit.MSVCRT ref: 00EC13F2
_initterm.MSVCRT ref: 00EC1414

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2230096795-0
Opcode ID: 92ff81dec9ffb70c2d3ba4959b9e839a57e36fb7966279a0392f50dd89e82b80
Instruction ID: 38a695170707b6b86c9b99716cb575b7274d8692c54373fbf54c94def1509bf5
Opcode Fuzzy Hash: 92ff81dec9ffb70c2d3ba4959b9e839a57e36fb7966279a0392f50dd89e82b80
Instruction Fuzzy Hash: 77416AB0A053418FDB10EFAAEA81B19B7E0FB05304F1054AED584E7312D736988ACF81

Function 00EC1170 Relevance: 9.1, APIs: 6, Instructions: 130
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00EC11C7
SetUnhandledExceptionFilter.KERNEL32 ref: 00EC1248
__p__acmdln.MSVCRT ref: 00EC1271
malloc.MSVCRT ref: 00EC12FB
strlen.MSVCRT ref: 00EC132B
malloc.MSVCRT ref: 00EC1336
memcpy.MSVCRT ref: 00EC134C
GetStartupInfoA.KERNEL32 ref: 00EC1443

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 53d28a5186740b775d03bdc729c93ffbad15de47932fef98542b7f0a05b4d3d5
Instruction ID: 84ff5bc16497beaeb7f9f5326e6d0f7b4d248c5aba80876ee16da2cb506a1ec8
Opcode Fuzzy Hash: 53d28a5186740b775d03bdc729c93ffbad15de47932fef98542b7f0a05b4d3d5
Instruction Fuzzy Hash: 6F519C70A053409FDB14EFAAEA81B59B7E0FB45304F1094AEE944E7312D736D88ACB81

Function 00EC9998 Relevance: 7.5, APIs: 5, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,00000000,00000001,?,?,00EC83D3), ref: 00EC99AC
FindResourceW.KERNEL32 ref: 00EC99C4
SizeofResource.KERNEL32(?,?,?,?,?,00000000,00000001,?,?,00EC83D3), ref: 00EC99DF
LoadResource.KERNEL32(?,?,?,?,?,?,?,00000000,00000001,?,?,00EC83D3), ref: 00EC99F4
LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000001,?,?,00EC83D3), ref: 00EC99FF

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: Resource$FindHandleLoadLockModuleSizeof
String ID:
API String ID: 1601749889-0
Opcode ID: 3404b1c25abd397d1f6728f5e0eb42a84c432eeb8c1637f048b86daf0bea191a
Instruction ID: 1c2a7a24c8bb233a29e1dc5cc5339be7b59eeb57caa31c0220c3e1bbf28afae1
Opcode Fuzzy Hash: 3404b1c25abd397d1f6728f5e0eb42a84c432eeb8c1637f048b86daf0bea191a
Instruction Fuzzy Hash: EB0184B2509300AFD3006F79AD48A6ABBF8FF94711F01852EF599D3211E73088048B52

Function 00ECB6A8 Relevance: 44.4, APIs: 24, Strings: 1, Instructions: 694windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00ECB772
FillRect.USER32(?,?), ref: 00ECB78B
GetFocus.USER32 ref: 00ECBBC7
GetClientRect.USER32 ref: 00ECBC26
SetWindowPos.USER32 ref: 00ECBD33
PostQuitMessage.USER32 ref: 00ECBFF6
SetWindowLongW.USER32 ref: 00ECC01B

Strings

N, xrefs: 00ECB751

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: Rect$ClientWindow$FillFocusLongMessagePostQuit
String ID: N
API String ID: 3298376866-1130791706
Opcode ID: 1c2bcb239299cc7b1b57a7b5308e1332b2c7777edd56495c70a5a511721f3d61
Instruction ID: 5c7a2554a4f4117499a259f38125443bc68221c0cc70de818e666c5925a20d90
Opcode Fuzzy Hash: 1c2bcb239299cc7b1b57a7b5308e1332b2c7777edd56495c70a5a511721f3d61
Instruction Fuzzy Hash: 8D520770A05605CFCB24DF69CA89BAEBBF0EB44348F14951EE899AB354D336D846CF41

Function 00ECB2AC Relevance: 16.7, APIs: 11, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDC.USER32 ref: 00ECB2C4
CreateCompatibleDC.GDI32 ref: 00ECB2D1
SelectObject.GDI32 ref: 00ECB2F0
GdipCreateFromHDC.GDIPLUS ref: 00ECB351
GdipCreateSolidFill.GDIPLUS ref: 00ECB385
GdipFillRectangleI.GDIPLUS ref: 00ECB3BB
GdipDeleteGraphics.GDIPLUS(?,?,?,00ECB642), ref: 00ECB3DA
CreateCompatibleDC.GDI32(00000000), ref: 00ECB3E6
AlphaBlend.MSIMG32 ref: 00ECB460
UpdateLayeredWindow.USER32 ref: 00ECB514
ReleaseDC.USER32(00000000), ref: 00ECB54B

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: CreateGdip$CompatibleFill$AlphaBlendDeleteFromGraphicsLayeredObjectRectangleReleaseSelectSolidUpdateWindow
String ID:
API String ID: 545367414-0
Opcode ID: 977113300e7c7322b74d832f35ec404363ba7b64dc5a54fba9112771a6680afc
Instruction ID: cebd9a44106f4a85705b7ebeee6cfe83cbfd6385032b9c9cbccc29a9c60b2fc8
Opcode Fuzzy Hash: 977113300e7c7322b74d832f35ec404363ba7b64dc5a54fba9112771a6680afc
Instruction Fuzzy Hash: 8991AFB49053089FCB04DFA9D984A9EBBF4FB88314F00892EE998E7310E7759949CF55

Function 00EC9144 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 95
memoryprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EC929C: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00EC87C3,00000000), ref: 00EC93A1
Part of subcall function 00EC929C: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00EC93BE

Part of subcall function 00ECABB8: strlen.MSVCRT ref: 00ECABD2
Part of subcall function 00ECABB8: HeapAlloc.KERNEL32 ref: 00ECAC34
Part of subcall function 00ECABB8: MultiByteToWideChar.KERNEL32 ref: 00ECAC68
Part of subcall function 00ECABB8: HeapFree.KERNEL32 ref: 00ECAC8B

CreateProcessW.KERNEL32 ref: 00EC9204
CloseHandle.KERNEL32 ref: 00EC921A
HeapFree.KERNEL32 ref: 00EC9241
HeapFree.KERNEL32 ref: 00EC925D
CloseHandle.KERNEL32 ref: 00EC926F
HeapFree.KERNEL32 ref: 00EC928A

Strings

D, xrefs: 00EC91BB
%s %s%Z, xrefs: 00EC9165

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: Heap$Free$CloseHandle$AllocByteCharCreateMultiProcessWidestrlen
String ID: %s %s%Z$D
API String ID: 2791976147-1551950450
Opcode ID: 3f53955b70ffd0972136996431c0741a677b9c0e11060bbfacb7a8a738b1a37f
Instruction ID: 847b14f9f9c6df19fbee17321096b81160ed1b827bff76f558eccafc758718be
Opcode Fuzzy Hash: 3f53955b70ffd0972136996431c0741a677b9c0e11060bbfacb7a8a738b1a37f
Instruction Fuzzy Hash: 613141B09047059FD700EFB9E98974EFBF5AF84324F118A2DE5A4A73A0D775844A8B42

Function 00ECB104 Relevance: 13.6, APIs: 9, Instructions: 88
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EC9998: GetModuleHandleW.KERNEL32(?,?,00000000,00000001,?,?,00EC83D3), ref: 00EC99AC
Part of subcall function 00EC9998: FindResourceW.KERNEL32 ref: 00EC99C4

GlobalAlloc.KERNEL32 ref: 00ECB132
GlobalLock.KERNEL32 ref: 00ECB148
GlobalFree.KERNEL32 ref: 00ECB15B
GlobalUnlock.KERNEL32 ref: 00ECB177
CreateStreamOnHGlobal.OLE32(00000000), ref: 00ECB193
GlobalFree.KERNEL32 ref: 00ECB1A6

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: Global$Free$AllocCreateFindHandleLockModuleResourceStreamUnlock
String ID:
API String ID: 785323675-0
Opcode ID: 63b1ee6a9078497b7556201fcd4ad7a46c2387d001219bdc207113f90ad250b8
Instruction ID: 1757680a3c055cce1d8345a33326123c9e8f5e0aca568c00561cb2701c740ec9
Opcode Fuzzy Hash: 63b1ee6a9078497b7556201fcd4ad7a46c2387d001219bdc207113f90ad250b8
Instruction Fuzzy Hash: 5431F4B49053049FDB04EFA9D988B9EBBF8EF88310F04C42DE958A7211E7759845CF61

Function 00ECB55C Relevance: 7.5, APIs: 5, Instructions: 43
synchronizationthreadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32 ref: 00ECB579
GetExitCodeThread.KERNEL32 ref: 00ECB58F
CloseHandle.KERNEL32(00000000,00000000), ref: 00ECB59A

Part of subcall function 00EC9144: HeapFree.KERNEL32 ref: 00EC9241
Part of subcall function 00EC9144: HeapFree.KERNEL32 ref: 00EC925D
Part of subcall function 00EC9144: CloseHandle.KERNEL32 ref: 00EC926F
Part of subcall function 00EC9144: HeapFree.KERNEL32 ref: 00EC928A

GetLastError.KERNEL32 ref: 00ECB5BF
SendMessageW.USER32 ref: 00ECB5EE

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: FreeHeap$CloseHandle$CodeErrorExitLastMessageObjectSendSingleThreadWait
String ID:
API String ID: 426020348-0
Opcode ID: 84879248a8a82199c52f5cfd798c5af1dc9420bf5421540285f01f8a248ab387
Instruction ID: ab3a615b96e048df87ad3dfe7b0cb8df7cffcf1726ab33b904ad650a1a7e483f
Opcode Fuzzy Hash: 84879248a8a82199c52f5cfd798c5af1dc9420bf5421540285f01f8a248ab387
Instruction Fuzzy Hash: DE1127B04043019FD700AF6AE989B9EBBE8FB08308F40946DE685A7261D7769849CF52

Function 00EC9BD4 Relevance: 6.1, APIs: 4, Instructions: 94
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00ECABB8: strlen.MSVCRT ref: 00ECABD2
Part of subcall function 00ECABB8: HeapAlloc.KERNEL32 ref: 00ECAC34
Part of subcall function 00ECABB8: MultiByteToWideChar.KERNEL32 ref: 00ECAC68
Part of subcall function 00ECABB8: HeapFree.KERNEL32 ref: 00ECAC8B

strlen.MSVCRT ref: 00EC9C26
CreateDirectoryW.KERNEL32 ref: 00EC9CA3
GetLastError.KERNEL32 ref: 00EC9CBC
HeapFree.KERNEL32 ref: 00EC9CEC

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: Heap$Freestrlen$AllocByteCharCreateDirectoryErrorLastMultiWide
String ID:
API String ID: 896362570-0
Opcode ID: 0183219d23b56e6ec0682e146c5ef27758dcfada938a016fffa3b86d9c4b194e
Instruction ID: 35afa33b8f93ad683b717b62258b7e1b8befcaf165d0064fac6b3f8becfd054b
Opcode Fuzzy Hash: 0183219d23b56e6ec0682e146c5ef27758dcfada938a016fffa3b86d9c4b194e
Instruction Fuzzy Hash: C43124715043098EDB20AB69DACCFEAF7E5EB11358F44512DC554A7292E3734D87C782

Function 00EC12A6 Relevance: 5.1, APIs: 4, Instructions: 79
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00EC12FB
strlen.MSVCRT ref: 00EC132B
malloc.MSVCRT ref: 00EC1336
memcpy.MSVCRT ref: 00EC134C

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: faeef42c7323f4febe3b44b1ab91a074fd1a9831913910cc13975bb35a052b5c
Instruction ID: 0a7ac4d5dc54d72314d56634d746fc06eacb5f8aea5d5311bb3a5884db189dc1
Opcode Fuzzy Hash: faeef42c7323f4febe3b44b1ab91a074fd1a9831913910cc13975bb35a052b5c
Instruction Fuzzy Hash: AC316974A053458FCB10EF69EA80B59B7F1FB09304F1485AED984E7312D736A94ACF81

Function 00EC13C3 Relevance: 5.1, APIs: 4, Instructions: 65
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00EC12FB
strlen.MSVCRT ref: 00EC132B
malloc.MSVCRT ref: 00EC1336
memcpy.MSVCRT ref: 00EC134C

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 8a326472ffcb472025fa31334265625660dd434eb779703287368b92206db62e
Instruction ID: b94441443a98a05dec072d2cd338ff61700adb02ff1a5d3173ac9ca51abe87c5
Opcode Fuzzy Hash: 8a326472ffcb472025fa31334265625660dd434eb779703287368b92206db62e
Instruction Fuzzy Hash: 192117B5A05345DFCB10EF6AEA80A99B7F1FB48300F10856ED584E7312E735A946CF81

Function 00ECB220 Relevance: 4.6, APIs: 3, Instructions: 50
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GdipCreateHBITMAPFromBitmap.GDIPLUS ref: 00ECB242
GdipGetImageWidth.GDIPLUS ref: 00ECB265
GdipGetImageHeight.GDIPLUS ref: 00ECB28A

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: Gdip$Image$BitmapCreateFromHeightWidth
String ID:
API String ID: 827228198-0
Opcode ID: d5384ace18526dfa02fc9ed9e983848a8f41f5692bbe84d4d7d6a49b42c56bb1
Instruction ID: cf4bd2d7951d383a0bdf31c2e4fef0731410a5585240585a69fd2c9909bbf6b3
Opcode Fuzzy Hash: d5384ace18526dfa02fc9ed9e983848a8f41f5692bbe84d4d7d6a49b42c56bb1
Instruction Fuzzy Hash: DB11B6B0D042069FDB109FA9C585A5AFBF8EF84344F04C46EE858EB205E275D8458BA1

Function 00EC9DB8 Relevance: 3.1, APIs: 2, Instructions: 88filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00ECABB8: strlen.MSVCRT ref: 00ECABD2
Part of subcall function 00ECABB8: HeapAlloc.KERNEL32 ref: 00ECAC34
Part of subcall function 00ECABB8: MultiByteToWideChar.KERNEL32 ref: 00ECAC68
Part of subcall function 00ECABB8: HeapFree.KERNEL32 ref: 00ECAC8B

CreateFileW.KERNEL32 ref: 00EC9EB6
HeapFree.KERNEL32 ref: 00EC9EE5

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: Heap$Free$AllocByteCharCreateFileMultiWidestrlen
String ID:
API String ID: 4054799010-0
Opcode ID: e1f722f6f157e17d922e4a5277966bb8ab6bac1333cb9afb8120dc21d648fea9
Instruction ID: e855d1580aececc66f19c4918e9fcb3cd652cd3055af185b00c66a004ad261b0
Opcode Fuzzy Hash: e1f722f6f157e17d922e4a5277966bb8ab6bac1333cb9afb8120dc21d648fea9
Instruction Fuzzy Hash: B4310871E042048FDB10DF6DD98C79DB7E1EB94300F1085ADD418E7281D7768D468F85

Function 00EC9A14 Relevance: 3.1, APIs: 2, Instructions: 58COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00ECD008,?,?,00ECB07B), ref: 00EC9A31
CreateWindowExW.USER32 ref: 00EC9AAF

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: CreateHandleModuleWindow
String ID:
API String ID: 1178124398-0
Opcode ID: f217c987babe7bfdf151ebcaad03bdcdccdc4c9295db9e33946681bac019372b
Instruction ID: 98f6df4fe8d2c4a88a01b0162c1951309d945aed3b32ca5dd005fc13819ba065
Opcode Fuzzy Hash: f217c987babe7bfdf151ebcaad03bdcdccdc4c9295db9e33946681bac019372b
Instruction Fuzzy Hash: CD1104B1A153119FC704CF69D985A0AFBE8FB88220F11996EF898D7350D371E9158B92

Function 00ECAEFC Relevance: 3.0, APIs: 2, Instructions: 40memorywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ECABB8: strlen.MSVCRT ref: 00ECABD2
Part of subcall function 00ECABB8: HeapAlloc.KERNEL32 ref: 00ECAC34
Part of subcall function 00ECABB8: MultiByteToWideChar.KERNEL32 ref: 00ECAC68
Part of subcall function 00ECABB8: HeapFree.KERNEL32 ref: 00ECAC8B

SendMessageW.USER32 ref: 00ECAF57
HeapFree.KERNEL32 ref: 00ECAF78

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: Heap$Free$AllocByteCharMessageMultiSendWidestrlen
String ID:
API String ID: 2843101947-0
Opcode ID: fd878dff57a3f20d4cb4452063d6f4f5a51873886f1e2967ba9142b6c7a49bed
Instruction ID: 217bd7b7cdbc7b30029760e1624dd9ff59ac1a9b632e0bb6498bec943f13190f
Opcode Fuzzy Hash: fd878dff57a3f20d4cb4452063d6f4f5a51873886f1e2967ba9142b6c7a49bed
Instruction Fuzzy Hash: C3019EB4A043049FD710AF6DE98879DBBF0EB94304F10856DE84897350D37288498F82

Function 00EC9F00 Relevance: 3.0, APIs: 2, Instructions: 31filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00ECABB8: strlen.MSVCRT ref: 00ECABD2
Part of subcall function 00ECABB8: HeapAlloc.KERNEL32 ref: 00ECAC34
Part of subcall function 00ECABB8: MultiByteToWideChar.KERNEL32 ref: 00ECAC68
Part of subcall function 00ECABB8: HeapFree.KERNEL32 ref: 00ECAC8B

DeleteFileW.KERNEL32 ref: 00EC9F3A
HeapFree.KERNEL32 ref: 00EC9F59

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: Heap$Free$AllocByteCharDeleteFileMultiWidestrlen
String ID:
API String ID: 3068648626-0
Opcode ID: 02036e478f3d4e010289d5fd4ee2a18168b2690feccb30331b9bf3e78ba34a2c
Instruction ID: 02aa9a3309322078238e4243db6d5218cc7b68245105daac81498297a4a8db3e
Opcode Fuzzy Hash: 02036e478f3d4e010289d5fd4ee2a18168b2690feccb30331b9bf3e78ba34a2c
Instruction Fuzzy Hash: 30F096715053149FCB106FA9FD4C6DDBBB8EB04714F00465DE598D7251D77148898F81

Function 00ECADDC Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00EC8668), ref: 00ECAE00
LoadImageW.USER32 ref: 00ECAE2A

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: HandleImageLoadModule
String ID:
API String ID: 2603579926-0
Opcode ID: 95e7ff9cf82608060e0a4e9043d9f53c9ab26c85a6134ad4721587f497f52fca
Instruction ID: 5822e604f271ca2950b89241d48f2c61c26a627113bb13d753c89ad1a0492cdd
Opcode Fuzzy Hash: 95e7ff9cf82608060e0a4e9043d9f53c9ab26c85a6134ad4721587f497f52fca
Instruction Fuzzy Hash: 13F082B09083009FD700AF6AE84979AFBF4FB88354F00892EE9D893340D7B544488B92

Function 00EC98B4 Relevance: 1.6, APIs: 1, Instructions: 65windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 00EC992A

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 06bc5455b21d21471d0832ca7796dd262860a08686d15929b805f7d894ee8dc3
Instruction ID: f7149faf460eac50ca01344abf06604a038f8cad857cc29a8d2eb2ad54df5ba6
Opcode Fuzzy Hash: 06bc5455b21d21471d0832ca7796dd262860a08686d15929b805f7d894ee8dc3
Instruction Fuzzy Hash: 64214171A043009FDB04DF69D584B9EBBF4FB88324F10962EE568A7391D3769806CF91

Function 00ECB020 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32 ref: 00ECB04F

Part of subcall function 00EC9A14: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00ECD008,?,?,00ECB07B), ref: 00EC9A31
Part of subcall function 00EC9A14: CreateWindowExW.USER32 ref: 00EC9AAF

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: Create$BrushHandleModuleSolidWindow
String ID:
API String ID: 1662306801-0
Opcode ID: b11ba6ef4d9470e1a1d2cf2c41032444c86dfe225fb319d3ac2ab962c36ec369
Instruction ID: aec459dfb5ef301923ef78a68ddf7e20a19af28261500654bace7c619f6edbbe
Opcode Fuzzy Hash: b11ba6ef4d9470e1a1d2cf2c41032444c86dfe225fb319d3ac2ab962c36ec369
Instruction Fuzzy Hash: 23F0BBB15003049BDB00DF6AD945BDABBF5FF84310F00403DE954A7291D7769449C761

Function 00EC9B84 Relevance: 1.3, APIs: 1, Instructions: 36stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00EC9B91

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1b6b4a49818362832c93dce2a13d75510bb9af8dc27697fe666a996c876aae41
Instruction ID: f5c3f88a725fc48b46c3b0895aa3af20351e3e3fe9471ab16e81f0fe158f6cd2
Opcode Fuzzy Hash: 1b6b4a49818362832c93dce2a13d75510bb9af8dc27697fe666a996c876aae41
Instruction Fuzzy Hash: 8DF0AE1161C2F86BCF2532B925C9BBABBD44B1E304B0419EDD495E7347E0538D46439A

Non-executed Functions

Function 00EC93D8 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 268windowstringCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00EC941D

Part of subcall function 00ECB020: CreateSolidBrush.GDI32 ref: 00ECB04F

GetWindowLongW.USER32 ref: 00EC945E
SetWindowLongW.USER32 ref: 00EC9482

Part of subcall function 00ECAEFC: SendMessageW.USER32 ref: 00ECAF57
Part of subcall function 00ECAEFC: HeapFree.KERNEL32 ref: 00ECAF78

Part of subcall function 00ECAE88: SetWindowPos.USER32 ref: 00ECAEEB

ShowWindow.USER32 ref: 00EC9514

Part of subcall function 00ECADDC: GetModuleHandleW.KERNEL32(?,?,?,00EC8668), ref: 00ECAE00
Part of subcall function 00ECADDC: LoadImageW.USER32 ref: 00ECAE2A

SendMessageW.USER32(00000000,00000000), ref: 00EC955D
SendMessageW.USER32 ref: 00EC9588

Part of subcall function 00ECAD58: MultiByteToWideChar.KERNEL32 ref: 00ECADA4

CreateFontIndirectW.GDI32 ref: 00EC95AA
CreateSolidBrush.GDI32(?), ref: 00EC95C5
LoadImageW.USER32 ref: 00EC9671
SendMessageW.USER32 ref: 00EC969C
ShowWindow.USER32 ref: 00EC96C1
strlen.MSVCRT ref: 00EC96DA
ShowWindow.USER32(00000000,00000000), ref: 00EC9732
LoadCursorW.USER32(00000000,00000000), ref: 00EC9757
SetWindowLongW.USER32 ref: 00EC978D
CreateFontIndirectW.GDI32 ref: 00EC9816
SendMessageW.USER32 ref: 00EC984B
strlen.MSVCRT ref: 00EC9874
ShowWindow.USER32 ref: 00EC98A6

Strings

An error has occurred during the installation.Please try downloading the installer manually., xrefs: 00EC93E4
Download AdGuard, xrefs: 00EC9851
AdGuard Web Installer, xrefs: 00EC9499
0, xrefs: 00EC9836

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: Window$MessageSend$CreateShow$LoadLong$BrushFontImageIndirectSolidstrlen$ByteCharCursorFreeHandleHeapInfoLocaleModuleMultiWide
String ID: 0$AdGuard Web Installer$An error has occurred during the installation.Please try downloading the installer manually.$Download AdGuard
API String ID: 3353892530-2524707978
Opcode ID: fe89b0e9fc7ed8304446d717896ddf60d4e02b9d630775818009f9d44523d39b
Instruction ID: f119aad9350526b544eb05f729f015c7969dfbd58bac5c2f8599f75d164f9a8f
Opcode Fuzzy Hash: fe89b0e9fc7ed8304446d717896ddf60d4e02b9d630775818009f9d44523d39b
Instruction Fuzzy Hash: FAD15A705043098FD714EF29D945B9ABBF0FB84314F00887DE998A7351D776A98ACF92

Function 00EC14F0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00EC1500
LoadLibraryA.KERNEL32 ref: 00EC1516
GetProcAddress.KERNEL32 ref: 00EC1535
GetProcAddress.KERNEL32 ref: 00EC1547

Strings

libgcc_s_dw2-1.dll, xrefs: 00EC14F9, 00EC150F
__deregister_frame_info, xrefs: 00EC153C
__register_frame_info, xrefs: 00EC152A

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 641747f7c0e2e221eb1f838cb743ecf76d20f8086088548cc138073baf3bdaf0
Instruction ID: a269518dd0c7178d032d017c1ff09cb31c0a157b224743c864640e5edf1ede8f
Opcode Fuzzy Hash: 641747f7c0e2e221eb1f838cb743ecf76d20f8086088548cc138073baf3bdaf0
Instruction Fuzzy Hash: 63018CB080A3009FC300BF7AAB4AB19BFE4EB80310F01246ED58567301D7B2944A8B93

Function 00EC5010 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 1481COMMON

Download Yara Rule

Strings

NaN, xrefs: 00EC50DF
, xrefs: 00EC6786
Infinity, xrefs: 00EC5340
, xrefs: 00EC64EE
9, xrefs: 00EC65AB

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID:
String ID: $ $9$Infinity$NaN
API String ID: 0-2156819404
Opcode ID: 0c1242e0db086b19b2ecc4cb29ffaed8fb32b9985c42ffcf2ceb7ef540ee9743
Instruction ID: a6862582f403ee10faf5f9c7072637d46306aeabc234a6f064a2739a1cee597d
Opcode Fuzzy Hash: 0c1242e0db086b19b2ecc4cb29ffaed8fb32b9985c42ffcf2ceb7ef540ee9743
Instruction Fuzzy Hash: 6CD25772A087818FD714DF29C284B5BFBE0BB84354F149D1DE895A7351E772E8868F82

Function 00EC3D60 Relevance: 7.9, Strings: 6, Instructions: 417COMMON

Download Yara Rule

Strings

Inf, xrefs: 00EC42AC
NaN, xrefs: 00EC40C2
gfff, xrefs: 00EC3E35
@, xrefs: 00EC3ECC
gfff, xrefs: 00EC3E70
., xrefs: 00EC3DFD

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID:
String ID: .$@$Inf$NaN$gfff$gfff
API String ID: 0-3155045678
Opcode ID: c69bf3ff697b0dbdd51ac30d9c0c65237452b0ad25c137d8785395830d817f07
Instruction ID: 1b18bfb566dd87e3fc8ee2c6363559d869427987d693c2051739277ec1a66c5d
Opcode Fuzzy Hash: c69bf3ff697b0dbdd51ac30d9c0c65237452b0ad25c137d8785395830d817f07
Instruction Fuzzy Hash: 78E119B1A083018BD7149E39C690B5AF7E1AFC4308F18992DF999EB395D632DD42CB52

Function 00EC18C0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00EC18EF
vfprintf.MSVCRT ref: 00EC190F
abort.MSVCRT ref: 00EC1914
VirtualQuery.KERNEL32 ref: 00EC19AB

Strings

Mingw-w64 runtime failure:, xrefs: 00EC18E8
Address %p has no image-section, xrefs: 00EC1A6B
VirtualProtect failed with code 0x%x, xrefs: 00EC1A26
VirtualQuery failed for %d bytes at address %p, xrefs: 00EC1A57

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 700241132391c2bff76681afed17e87e07375e9e2f7eef323f4d8e1ba1e51e22
Instruction ID: df9a824e6e098d04fce32c4dc73676607574839f6bf5cb0b62465e6f9106a26b
Opcode Fuzzy Hash: 700241132391c2bff76681afed17e87e07375e9e2f7eef323f4d8e1ba1e51e22
Instruction Fuzzy Hash: F7518FB15053019FC700EF29EA85B5AFBE0FF85354F44895EE588A7212D735D84ACF92

Function 00EC1D50 Relevance: 12.1, APIs: 8, Instructions: 90COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00EC1D8F
signal.MSVCRT ref: 00EC1DD6
signal.MSVCRT ref: 00EC1DEF
signal.MSVCRT ref: 00EC1E16
signal.MSVCRT ref: 00EC1E5A

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 5f7d497fe553dff411c2e851caa327fddea3e74c28a607402f3d94229e0e5ff1
Instruction ID: efa1b025fc1b1a0e7ce76449c334db71f31a414849199e1c9fba658d46ec05c7
Opcode Fuzzy Hash: 5f7d497fe553dff411c2e851caa327fddea3e74c28a607402f3d94229e0e5ff1
Instruction Fuzzy Hash: D23123B05083018EE7506F688740B6D76E0AB4232DF116A4DE8E5E72D3CB7BC886DB53

Function 00EC2AB0 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 395COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00EC2C60
memset.MSVCRT ref: 00EC2D7F

Strings

o, xrefs: 00EC2FC8
0, xrefs: 00EC2FA7

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: fputcmemset
String ID: 0$o
API String ID: 947785774-4157579757
Opcode ID: 8e0685638adb49ae4f37e01c505298bd78bdcd604d7e6113846537aeeb44b7b6
Instruction ID: 59e384f5b05bd5e4f925d96688b8d1a64d3cc8c98d9a28f8360bb732e74354b0
Opcode Fuzzy Hash: 8e0685638adb49ae4f37e01c505298bd78bdcd604d7e6113846537aeeb44b7b6
Instruction Fuzzy Hash: 94F13C72E002188FDB15DF68C680B9DBBF1AF84314F19926DE955BB345D736E842CB90

Function 00EC7E61 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00EC7E6C
GetProcAddress.KERNEL32 ref: 00EC7E8C
GetProcAddress.KERNEL32 ref: 00EC7ECB

Strings

___lc_codepage_func, xrefs: 00EC7E84
msvcrt.dll, xrefs: 00EC7E65
__lc_codepage, xrefs: 00EC7EC0

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 1b37352ae1d3104ec51a4c56d89ee70c0e7706d0f0535e038de663228a57e6ff
Instruction ID: b35ef110221096b52f0f178ad4fdc2d93e3bf81c62e8b08ee34207d05b1a0279
Opcode Fuzzy Hash: 1b37352ae1d3104ec51a4c56d89ee70c0e7706d0f0535e038de663228a57e6ff
Instruction Fuzzy Hash: 21F0FFB25492008F87006B797F46B597BE0A644324F05197ED8C5FB251E672D85ACB92

Function 00EC3050 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

0, xrefs: 00EC33FA

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 906d0336041f0955854ea0fe103f6f14ae2e15edb6cc9c825826e81eb6b08927
Instruction ID: 511c0d2785b775e43f21c7973d23e022f972651c93571f89fe1a0363007286e0
Opcode Fuzzy Hash: 906d0336041f0955854ea0fe103f6f14ae2e15edb6cc9c825826e81eb6b08927
Instruction Fuzzy Hash: 98B17C71A042158FDB18CF68C684B9ABBE1AF88314F19D16DEC59BB355D736ED02CB80

Function 00EC3183 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00EC31BD
fputc.MSVCRT ref: 00EC3277
fputc.MSVCRT ref: 00EC32D1

Strings

0, xrefs: 00EC31AE

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: fputc$memset
String ID: 0
API String ID: 2944404495-4108050209
Opcode ID: 0ae888e68ee06ac94637e7e2c572a203338626a9d5973659b47df7a582a49451
Instruction ID: 3fba28b15fdb0fd1a04b4cd78f1c42711cb043d1aa10c9a3d3830de757b036fb
Opcode Fuzzy Hash: 0ae888e68ee06ac94637e7e2c572a203338626a9d5973659b47df7a582a49451
Instruction Fuzzy Hash: D7314B71E052158BDB18CF78C284B9ABBA2AF48744F15E56DEC48AB355D736ED02CB80

Function 00EC33CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00EC3277
fputc.MSVCRT ref: 00EC32D1
memset.MSVCRT ref: 00EC3405

Strings

0, xrefs: 00EC33FA

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: fputc$memset
String ID: 0
API String ID: 2944404495-4108050209
Opcode ID: cf32a4d500d49d76f558de93517f77d76bc5c35e592a36b3ebc26798908fe853
Instruction ID: 53c3b5559c62edd38ef67085c8cd7ccb934310ee1cc53c9a1fb7372ee344b74e
Opcode Fuzzy Hash: cf32a4d500d49d76f558de93517f77d76bc5c35e592a36b3ebc26798908fe853
Instruction Fuzzy Hash: 4D212C719042058BDB18CF68C284B95B7E2BB84314F25E65DE899AF356D336ED02CB84

Function 00EC7E18 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00EC7E32
strchr.MSVCRT ref: 00EC7E42
atoi.MSVCRT ref: 00EC7E53

Strings

., xrefs: 00EC7E37

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 2e20cc0a2f8bd01d80a18571f6e875e0734c2b59010ac96151a74daf2c5f9a7c
Instruction ID: a32a6e230f3bfc9303489661b862bbcee2142aaf43f6826d5085419690c5225b
Opcode Fuzzy Hash: 2e20cc0a2f8bd01d80a18571f6e875e0734c2b59010ac96151a74daf2c5f9a7c
Instruction Fuzzy Hash: B8E0E6729087404ED7007F38C60A71A79D17B40304F45985CE4C497745E77A98469B52

Function 00ECABB8 Relevance: 6.3, APIs: 5, Instructions: 73memorystringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00ECABD2
MultiByteToWideChar.KERNEL32 ref: 00ECAC02
HeapAlloc.KERNEL32 ref: 00ECAC34
MultiByteToWideChar.KERNEL32 ref: 00ECAC68
HeapFree.KERNEL32 ref: 00ECAC8B

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: ByteCharHeapMultiWide$AllocFreestrlen
String ID:
API String ID: 998811608-0
Opcode ID: bef129e8c949c8fcf4ae69f71cafa8b40797338d5893e25362d4f942dd339199
Instruction ID: 5134cd6e909a0531683076ff8e46f646999df8b474681d3b109d2535b928c154
Opcode Fuzzy Hash: bef129e8c949c8fcf4ae69f71cafa8b40797338d5893e25362d4f942dd339199
Instruction Fuzzy Hash: AB3129B09093059FD710EF69D684A5AFBF0FB84318F05893EE99897210E775D84A8B82

Function 00EC7820 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00EC7872
MultiByteToWideChar.KERNEL32 ref: 00EC78B5

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 30c790cda4e25ab5f633b1803b1a7a02091e07d64f545f45b4adf5d8a0216fd3
Instruction ID: 8228df7eb582c23aa0d7063ec7f3a2ec59cd8a1cddd4682cfa7e6dacf87b0677
Opcode Fuzzy Hash: 30c790cda4e25ab5f633b1803b1a7a02091e07d64f545f45b4adf5d8a0216fd3
Instruction Fuzzy Hash: BD4104B150D3418FD7009F29D584B5ABBE0BF89318F05991EE8E497290E376D84ACF43

Function 00EC1001 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 00EC1075
__p__fmode.MSVCRT ref: 00EC107A
__p__commode.MSVCRT ref: 00EC1087

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type
String ID:
API String ID: 3338496922-0
Opcode ID: 0a36c1f2d6121d9cd64cae55832ed46f65216a44c4d25345b930b41ab0ccf565
Instruction ID: 3d063077acbecdf0d3ce845726a4de43da8ca4f1c0b5c784d7a67961b842f654
Opcode Fuzzy Hash: 0a36c1f2d6121d9cd64cae55832ed46f65216a44c4d25345b930b41ab0ccf565
Instruction Fuzzy Hash: BB21AC70500281CFC314AF21D616BAA33E1FB02388F5495AEC4547A25BD77BD8CBEBA1

Function 00EC1A80 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00EC1CD3
Unknown pseudo relocation bit size %d., xrefs: 00EC1B84

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 0-395989641
Opcode ID: 57e8b03f47dc4b6dd4ea79acf01658f7d5cf5400201b25a01637ba5bf83fe704
Instruction ID: 3050a1e0d33b2d6423a725741379a3ce957184dbcbb7bda942718490e334b03c
Opcode Fuzzy Hash: 57e8b03f47dc4b6dd4ea79acf01658f7d5cf5400201b25a01637ba5bf83fe704
Instruction Fuzzy Hash: AE71C2319042018BC714DF28DA81F6AB7F2FF86344F19999ED855B7316D332E9478B91

Function 00EC9AC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00EC9A14: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00ECD008,?,?,00ECB07B), ref: 00EC9A31
Part of subcall function 00EC9A14: CreateWindowExW.USER32 ref: 00EC9AAF

SetWindowLongW.USER32 ref: 00EC9B24

Strings

An error has occurred during the installation.Please try downloading the installer manually., xrefs: 00EC9ACC
, xrefs: 00EC9AF1

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: Window$CreateHandleLongModule
String ID: An error has occurred during the installation.Please try downloading the installer manually.$
API String ID: 4115577067-2286091221
Opcode ID: 94b8a262adefa8c6696c2bd411e6801f7a85afee3c28314d2eee1857c2b03f5e
Instruction ID: e6ba8aa9ab5eef3ab1c261e806f66b77921fa4e153d3138804f2b8f0c480bec4
Opcode Fuzzy Hash: 94b8a262adefa8c6696c2bd411e6801f7a85afee3c28314d2eee1857c2b03f5e
Instruction Fuzzy Hash: 9A01AD716043049FE700DF69E989B9ABBE4FB88314F40893DE58AE7351E631D945CB42

Function 00ECAF8C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00ECABB8: strlen.MSVCRT ref: 00ECABD2
Part of subcall function 00ECABB8: HeapAlloc.KERNEL32 ref: 00ECAC34
Part of subcall function 00ECABB8: MultiByteToWideChar.KERNEL32 ref: 00ECAC68
Part of subcall function 00ECABB8: HeapFree.KERNEL32 ref: 00ECAC8B

ShellExecuteW.SHELL32 ref: 00ECAFEE
HeapFree.KERNEL32 ref: 00ECB00F

Strings

open, xrefs: 00ECAFDF

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: Heap$Free$AllocByteCharExecuteMultiShellWidestrlen
String ID: open
API String ID: 2746946616-2758837156
Opcode ID: 629dc74a41131191c9ae50850f778e292d0614d01c50797b88d72c089f9c595a
Instruction ID: 69ba1b3a90ba7adaa6af925150f2de792cadde54bc2c5801e44aa35153950023
Opcode Fuzzy Hash: 629dc74a41131191c9ae50850f778e292d0614d01c50797b88d72c089f9c595a
Instruction Fuzzy Hash: 99014FB05093059FD710AFA9E94978EBBF4FB44314F00865DE4A8A7290D7B6898D8FD2

Function 00EC1830 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00EC189E

Strings

Unknown error, xrefs: 00EC1832
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00EC187F

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 0951e5a5ae969588856841a5a41b64a1ff951769688184f83126fbb09d4d2fa4
Instruction ID: 76ad675d7993da76cf6b51c12452abeb0f7ba3cc11c3b49090d1794e80877bc0
Opcode Fuzzy Hash: 0951e5a5ae969588856841a5a41b64a1ff951769688184f83126fbb09d4d2fa4
Instruction Fuzzy Hash: 0D01D670408B45CBD300AF15E58891ABFF1FF89350F42989CF5C456269CB32D879CB42

Function 00ECAE3C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC9AC0: SetWindowLongW.USER32 ref: 00EC9B24

SendMessageW.USER32 ref: 00ECAE78

Strings

An error has occurred during the installation.Please try downloading the installer manually., xrefs: 00ECAE42
0, xrefs: 00ECAE6D

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: LongMessageSendWindow
String ID: 0$An error has occurred during the installation.Please try downloading the installer manually.
API String ID: 3360111000-109714329
Opcode ID: e40fa837a05a91cf21acf532207c7824417c14db080f549dc38427098c400e34
Instruction ID: 944a4f967caf83cd7347be2eb0b81d586e32d915f4ced3c890a17de8c869c8e5
Opcode Fuzzy Hash: e40fa837a05a91cf21acf532207c7824417c14db080f549dc38427098c400e34
Instruction Fuzzy Hash: B9F06D70A053149FEB00AF7ED989B6ABBE8EB44358F40846DE958D7341E732D845CBD2

Function 00EC6940 Relevance: 5.1, APIs: 4, Instructions: 55sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,00EC6A71,?,?,?,?,?,?,00000000,00EC4D84), ref: 00EC6967
InitializeCriticalSection.KERNEL32(?,?,?,?,00EC6A71,?,?,?,?,?,?,00000000,00EC4D84), ref: 00EC69A4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,00EC6A71,?,?,?,?,?,?,00000000,00EC4D84), ref: 00EC69B0
EnterCriticalSection.KERNEL32(?,?,?,?,00EC6A71,?,?,?,?,?,?,00000000,00EC4D84), ref: 00EC69D8

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: dda8d0bac632221ce83d320c9fa48c0e5f38d034b6bd4210e2ac93cf3f9049d4
Instruction ID: 9b7140927099e7a2dc6b718deee0ed31def84d109ff9c57984fb708a2ba85203
Opcode Fuzzy Hash: dda8d0bac632221ce83d320c9fa48c0e5f38d034b6bd4210e2ac93cf3f9049d4
Instruction Fuzzy Hash: 3A1186B09062409ED710AB6EFB85B5B77A0E751304F15156EC482FB219D732D88EC793

Function 00EC1F00 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00EC20CB,?,?,?,?,?,00EC1768), ref: 00EC1F0E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00EC20CB,?,?,?,?,?,00EC1768), ref: 00EC1F35
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00EC20CB,?,?,?,?,?,00EC1768), ref: 00EC1F3C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00EC20CB,?,?,?,?,?,00EC1768), ref: 00EC1F5C

Memory Dump Source

Source File: 00000000.00000002.2517258943.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true

Associated: 00000000.00000002.2517206398.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517375681.0000000000ECD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517527742.0000000000ECE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517723810.0000000000ED2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517827798.0000000000ED6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2517932445.0000000000EE6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ec0000_adguardInstaller.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 56af1b6b081e1c1a535ee9d1b0dc4a8a01e996f1038affc41914b4ac0a5f46a6
Instruction ID: 96874a3525e39c505a67aa3f8e4e713b2753dbb4bdf45df6295bd89f7275f34f
Opcode Fuzzy Hash: 56af1b6b081e1c1a535ee9d1b0dc4a8a01e996f1038affc41914b4ac0a5f46a6
Instruction Fuzzy Hash: 77F0A9756012408FC7107FB5F984A1A7BA4EF54344B0541AEDD4867316D731E84AC7A2

Analysis Process: setup.exePID: 2264, Parent PID: 3000COMMON

Executed Functions

Function 00B551D2 Relevance: 40.6, APIs: 5, Strings: 18, Instructions: 314
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00B55254

Part of subcall function 00B8FDC4: InitializeCriticalSection.KERNEL32(00BBB5D4,?,00B55260,00000000,?,?,?,?,?,?), ref: 00B8FDDB

Part of subcall function 00B51206: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00B5527C,00000000,?), ref: 00B51244
Part of subcall function 00B51206: GetLastError.KERNEL32(?,?,?,00B5527C,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00B5124E

CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00B552C2

Part of subcall function 00B906C0: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00B906E1

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00B55354
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00B5535E
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B555CB

Strings

Failed to initialize XML util., xrefs: 00B55336
Failed to run untrusted mode., xrefs: 00B554F3
c:\agent\_work\66\s\src\burn\user\user.cpp, xrefs: 00B55382
Failed to initialize COM., xrefs: 00B552CE
Invalid run mode., xrefs: 00B55436
3.11.2.4516, xrefs: 00B553C1
Failed to initialize Regutil., xrefs: 00B55306
Failed to run per-machine mode., xrefs: 00B554A9
Failed to run embedded mode., xrefs: 00B55481
Failed to parse command line., xrefs: 00B55282
Failed to get OS info., xrefs: 00B5538C
@, xrefs: 00B55532
Failed to initialize user state., xrefs: 00B552A9
Failed to initialize core., xrefs: 00B55400
Failed to initialize Cryputil., xrefs: 00B552E3
Failed to run RunOnce mode., xrefs: 00B55459
Failed to run per-user mode., xrefs: 00B554D1
Failed to initialize Wiutil., xrefs: 00B5531E

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.11.2.4516$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize user state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$c:\agent\_work\66\s\src\burn\user\user.cpp$@
API String ID: 3262001429-4222581132
Opcode ID: 05cefd0f8adea6a0c4aae141d20e20a7322fa1901ab0b96f4da413cca554c543
Instruction ID: 8fc39ca3f42bd9c06f28f46088fe2ec1c58bed4887dfe176d1aed59214ebafe3
Opcode Fuzzy Hash: 05cefd0f8adea6a0c4aae141d20e20a7322fa1901ab0b96f4da413cca554c543
Instruction Fuzzy Hash: 75B19071D00A299BDF31AF649D65BED76F4AF08713F1001E5ED08B6251EA349E88CF91

Function 00B928BD Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 152libraryloadercomCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00B92E6B,00000000,?,00000000), ref: 00B928D7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00B7BD14,?,00B55442,?,00000000,?), ref: 00B928E3
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00B92923
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B9292F
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 00B9293A
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B92944
CoCreateInstance.OLE32(00BBB688,00000000,00000001,00B9A878,?,?,?,?,?,?,?,?,?,?,?,00B7BD14), ref: 00B9297F
ExitProcess.KERNEL32 ref: 00B92A2E

Strings

c:\agent\_work\66\s\src\libs\dutil\xmlutil.cpp, xrefs: 00B92907
kernel32.dll, xrefs: 00B928C7
Wow64RevertWow64FsRedirection, xrefs: 00B9293C
IsWow64Process, xrefs: 00B9291D
Wow64EnableWow64FsRedirection, xrefs: 00B92931
Wow64DisableWow64FsRedirection, xrefs: 00B92929

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$c:\agent\_work\66\s\src\libs\dutil\xmlutil.cpp$kernel32.dll
API String ID: 2124981135-3734847636
Opcode ID: 2daf47cf3eaa0e28fe52a80b7b4a75a42dfe918ed2462443af86528e6a0a22d4
Instruction ID: 54bee1e1b760257abca825423fecdc60719f4b334fbcb4ec4e4955e5346c680f
Opcode Fuzzy Hash: 2daf47cf3eaa0e28fe52a80b7b4a75a42dfe918ed2462443af86528e6a0a22d4
Instruction Fuzzy Hash: D9419E36E01315BBDF249BA88884FAEBBE5EF04710F1141F9E902EB251DBB5DD418B90

Function 00B51070 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 77fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B534C4: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00B510DD,?,00000000), ref: 00B534E5

CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 00B510F6

Part of subcall function 00B51173: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00B5111A,cabinet.dll,00000009,?,?,00000000), ref: 00B51184
Part of subcall function 00B51173: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,00B5111A,cabinet.dll,00000009,?,?,00000000), ref: 00B5118F
Part of subcall function 00B51173: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B5119D
Part of subcall function 00B51173: GetLastError.KERNEL32(?,?,?,?,?,00B5111A,cabinet.dll,00000009,?,?,00000000), ref: 00B511B8
Part of subcall function 00B51173: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B511C0
Part of subcall function 00B51173: GetLastError.KERNEL32(?,?,?,?,?,00B5111A,cabinet.dll,00000009,?,?,00000000), ref: 00B511D5

CloseHandle.KERNEL32(?,?,?,?,00B9A4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 00B51131

Strings

clbcatq.dll, xrefs: 00B510BC
msasn1.dll, xrefs: 00B510C3
crypt32.dll, xrefs: 00B510CA
msi.dll, xrefs: 00B510A0
wininet.dll, xrefs: 00B510AE
comres.dll, xrefs: 00B510B5
feclient.dll, xrefs: 00B510D1
version.dll, xrefs: 00B510A7
cabinet.dll, xrefs: 00B51099, 00B51114

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: 4b985c96d3e9451902ecce09e15d17058d711fce9e6a27d255d9a0af2f185609
Instruction ID: 805c28751118166638300090720ec02cea22f3cfabc2e3dc876ec4991515e2be
Opcode Fuzzy Hash: 4b985c96d3e9451902ecce09e15d17058d711fce9e6a27d255d9a0af2f185609
Instruction Fuzzy Hash: F9217472900218ABDF109FA8DD49BDEBBF8EF45715F5045E5EA11B7380D7B059088BE1

Function 00B69F8F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50COMMON

Download Yara Rule

Strings

Failed to calculate working folder to ensure it exists., xrefs: 00B69FAC
Failed create working folder., xrefs: 00B69FC2
Failed to copy working folder., xrefs: 00B69FEA

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CurrentDirectoryErrorLastProcessWindows
String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
API String ID: 3841436932-2072961686
Opcode ID: 04e75222c69f62832b70648f71225495bb0876e4d8a8a8b45ded9c1169a18319
Instruction ID: 361afeb522afe7e7ad24d4bb8ed6dbedc7048c4f1dd6604415c5c3969696089f
Opcode Fuzzy Hash: 04e75222c69f62832b70648f71225495bb0876e4d8a8a8b45ded9c1169a18319
Instruction Fuzzy Hash: CB01D431905524FB8F226B54DD06D9EBBF9DF91B21B1241D1F800B6224DB359F00EA80

Function 00B5DEDC Relevance: 126.6, APIs: 11, Strings: 61, Instructions: 648COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00B5E001
SysFreeString.OLEAUT32(00000000), ref: 00B5E6E5

Part of subcall function 00B539DF: GetProcessHeap.KERNEL32(?,000001C7,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F0
Part of subcall function 00B539DF: RtlAllocateHeap.NTDLL(00000000,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F7

Strings

InstallSize, xrefs: 00B5E1A8
Failed to get @Permanent., xrefs: 00B5E66E
Failed to get package node count., xrefs: 00B5E05A
wininet.dll, xrefs: 00B5E203
yes, xrefs: 00B5E130
Failed to allocate memory for patch sequence information to package lookup., xrefs: 00B5E519
RollbackLogPathVariable, xrefs: 00B5E242
Failed to find forward transaction boundary: %ls, xrefs: 00B5E4AF
Failed to parse EXE package., xrefs: 00B5E332
Failed to parse dependency providers., xrefs: 00B5E659
`Dv, xrefs: 00B5E001, 00B5E424, 00B5E6E5
Invalid cache type: %ls, xrefs: 00B5E699
Failed to parse payload references., xrefs: 00B5E660
Cache, xrefs: 00B5E0F4
Size, xrefs: 00B5E18D
crypt32.dll, xrefs: 00B5E264
msi.dll, xrefs: 00B5E171
Failed to get @Cache., xrefs: 00B5E6A9
Failed to get @RollbackLogPathVariable., xrefs: 00B5E498
clbcatq.dll, xrefs: 00B5E1C2
RollbackBoundary, xrefs: 00B5DEFF
Failed to get @Vital., xrefs: 00B5E667
Failed to select package nodes., xrefs: 00B5E03D
Failed to parse MSI package., xrefs: 00B5E36A
Failed to get next node., xrefs: 00B5E6B7
Failed to get @InstallSize., xrefs: 00B5E67C
Failed to get @RollbackBoundaryForward., xrefs: 00B5E4B9
MsiPackage, xrefs: 00B5E33E
Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage, xrefs: 00B5E02A
Failed to allocate memory for rollback boundary structs., xrefs: 00B5DF73
Failed to allocate memory for package structs., xrefs: 00B5E098
Failed to get @CacheId., xrefs: 00B5E68A
Failed to get @LogPathVariable., xrefs: 00B5E48E
ExePackage, xrefs: 00B5E300
CacheId, xrefs: 00B5E172
Failed to select rollback boundary nodes., xrefs: 00B5DF12
comres.dll, xrefs: 00B5E1DD
PerMachine, xrefs: 00B5E1C3
Failed to get @RollbackBoundaryBackward., xrefs: 00B5E4D0
MsuPackage, xrefs: 00B5E3AF
c:\agent\_work\66\s\src\burn\user\package.cpp, xrefs: 00B5DF67, 00B5E08C, 00B5E478, 00B5E50D
Permanent, xrefs: 00B5E1DE
Failed to get @Id., xrefs: 00B5E6B0
Failed to get @PerMachine., xrefs: 00B5E675
RollbackBoundaryForward, xrefs: 00B5E288
InstallCondition, xrefs: 00B5E265
LogPathVariable, xrefs: 00B5E21F
Failed to get @Size., xrefs: 00B5E683
Failed to parse MSU package., xrefs: 00B5E4E4
Failed to parse target product codes., xrefs: 00B5E64A
Failed to allocate memory for MSP patch sequence information., xrefs: 00B5E484
Failed to parse MSP package., xrefs: 00B5E4DA
feclient.dll, xrefs: 00B5E241
cabinet.dll, xrefs: 00B5E1A7
Vital, xrefs: 00B5DFD0, 00B5E204
MspPackage, xrefs: 00B5E376
Failed to find backward transaction boundary: %ls, xrefs: 00B5E4C6
Failed to get rollback bundary node count., xrefs: 00B5DF37
Failed to get @InstallCondition., xrefs: 00B5E4A2
RollbackBoundaryBackward, xrefs: 00B5E2C2
always, xrefs: 00B5E150

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$`Dv$always$c:\agent\_work\66\s\src\burn\user\package.cpp$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$wininet.dll$yes
API String ID: 336948655-681028173
Opcode ID: e11408ec0a9c8bb4fad7ea1878d9d974dbbb30893b48c3f8834b089e7024aa99
Instruction ID: 2f81aebb9f97090f38bdc4f7e39ed0d097e296176039e9c2516d72998db779a3
Opcode Fuzzy Hash: e11408ec0a9c8bb4fad7ea1878d9d974dbbb30893b48c3f8834b089e7024aa99
Instruction Fuzzy Hash: B532A131D00226ABCF159F54CC81FAEB6E5AB14B61F2542F5ED21BB2A0D774EE048B94

Function 00B5F981 Relevance: 114.2, APIs: 3, Strings: 62, Instructions: 445
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to select ARP node., xrefs: 00B5FAED
button, xrefs: 00B5FCB3
HelpTelephone, xrefs: 00B5FBB0
yes, xrefs: 00B5FCD4
Publisher, xrefs: 00B5FB66
Tag, xrefs: 00B5F9F5
c:\agent\_work\66\s\src\burn\user\registration.cpp, xrefs: 00B5FD25
DisableModify, xrefs: 00B5FC94
Failed to get @Manufacturer., xrefs: 00B5FE04
Failed to get @Classification., xrefs: 00B5FE93
Failed to get @ProductFamily., xrefs: 00B5FE51
DisplayVersion, xrefs: 00B5FB41
Failed to get @Tag., xrefs: 00B5FA08
Failed to get @DisableModify., xrefs: 00B5FD56
Failed to get @Name., xrefs: 00B5FE72
Update, xrefs: 00B5FDBC
Contact, xrefs: 00B5FC6F
DisplayName, xrefs: 00B5FB1C
DisableRemove, xrefs: 00B5FD67
Failed to get @DisableRemove., xrefs: 00B5FD7E
Failed to get @ExecutableName., xrefs: 00B5FAA5
Failed to parse @Version: %ls, xrefs: 00B5FA63
ExecutableName, xrefs: 00B5FA92
Failed to select registration node., xrefs: 00B5F9BA
Failed to get @Contact., xrefs: 00B5FC86
HelpLink, xrefs: 00B5FB8B
Version, xrefs: 00B5FA2F
Failed to get @Register., xrefs: 00B5FB0E
Failed to get @HelpLink., xrefs: 00B5FBA2
Failed to get @UpdateUrl., xrefs: 00B5FC11
Register, xrefs: 00B5FAFB
Failed to get @HelpTelephone., xrefs: 00B5FBC7
Arp, xrefs: 00B5FAD1
PerMachine, xrefs: 00B5FAB0
Failed to get @Department., xrefs: 00B5FE2C
Classification, xrefs: 00B5FE80
Failed to get @ProviderKey., xrefs: 00B5FA84
Failed to get @Id., xrefs: 00B5F9E7
Name, xrefs: 00B5FE5F
Failed to get @PerMachine., xrefs: 00B5FAC3
Department, xrefs: 00B5FE15
ProviderKey, xrefs: 00B5FA71
@, xrefs: 00B5FE7F
Comments, xrefs: 00B5FC47
Failed to get @ParentDisplayName., xrefs: 00B5FC36
AboutUrl, xrefs: 00B5FBD5
UpdateUrl, xrefs: 00B5FBFA
Failed to set registration paths., xrefs: 00B5FEA6
Registration, xrefs: 00B5F99B
Failed to get @Publisher., xrefs: 00B5FB7D
Failed to parse software tag., xrefs: 00B5FDAE
Manufacturer, xrefs: 00B5FDF1
Failed to get @DisplayVersion., xrefs: 00B5FB58
Failed to select Update node., xrefs: 00B5FDDA
Failed to get @DisplayName., xrefs: 00B5FB33
ParentDisplayName, xrefs: 00B5FC1F
Failed to get @AboutUrl., xrefs: 00B5FBEC
ProductFamily, xrefs: 00B5FE3A
Invalid modify disabled type: %ls, xrefs: 00B5FD32
Failed to get @Comments., xrefs: 00B5FC5E
Failed to get @Version., xrefs: 00B5FA42
Failed to parse related bundles, xrefs: 00B5FA21

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$c:\agent\_work\66\s\src\burn\user\registration.cpp$yes$@
API String ID: 760788290-3384854740
Opcode ID: 0bbfc305185541fd1ae1d05255976c21abf9e48b7f213f91ad6c2c6ac32d3c44
Instruction ID: e0e828f09883ea5c9a28570dcaedb10922fa250307ae6f28f07d58767815b2f4
Opcode Fuzzy Hash: 0bbfc305185541fd1ae1d05255976c21abf9e48b7f213f91ad6c2c6ac32d3c44
Instruction Fuzzy Hash: 2FE19432E94627FBCF21BA60DC86F7DFAE4AB05B11F1142F1BD20B71A1D7609D095680

Function 00B5B45A Relevance: 91.6, APIs: 24, Strings: 28, Instructions: 577
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 00B5B4D1
SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B51F
GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 00B5B525
ReadFile.KERNELBASE(00000000,00B544B0,00000040,?,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B56D
GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 00B5B573
SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B5D0
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B5D6
ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B61F
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B625
SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B696
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B69C
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B6E5
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B6EB
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B734
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B73A
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B786
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B78C

Part of subcall function 00B539DF: GetProcessHeap.KERNEL32(?,000001C7,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F0
Part of subcall function 00B539DF: RtlAllocateHeap.NTDLL(00000000,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F7

ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B7DF
ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B841
SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B8CB
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B8D5

Strings

Failed to seek past optional headers., xrefs: 00B5B7BA
Failed to read signature size., xrefs: 00B5B765
Failed to allocate memory for container sizes., xrefs: 00B5BAA2
Failed to seek to start of file., xrefs: 00B5B550
Failed to read image section header, index: %u, xrefs: 00B5BB7B
Failed to read DOS header., xrefs: 00B5B59E
Failed to find valid DOS image header in buffer., xrefs: 00B5BBBA
Failed to read section info, data to short: %u, xrefs: 00B5B879
Failed to open handle to user process path., xrefs: 00B5B4FC
Failed to find Burn section., xrefs: 00B5BB01
PE, xrefs: 00B5B667
Failed to get total size of bundle., xrefs: 00B5B9F2
PE Header from file didn't match PE Header in memory., xrefs: 00B5BAE0
Failed to read complete image section header, index: %u, xrefs: 00B5BB44
(, xrefs: 00B5B7EC
Failed to read section info., xrefs: 00B5B968
Failed to allocate buffer for section info., xrefs: 00B5B8B3
burn, xrefs: 00B5B807
Failed to seek to section info., xrefs: 00B5B6C7, 00B5B903
Failed to find valid NT image header in buffer., xrefs: 00B5BB9F
Failed to read section info, unsupported version: %08x, xrefs: 00B5B9C4
Failed to read NT header., xrefs: 00B5B650
.wix, xrefs: 00B5B7FF
c:\agent\_work\66\s\src\burn\user\section.cpp, xrefs: 00B5B4F2, 00B5B546, 00B5B594, 00B5B5F7, 00B5B646, 00B5B6BD, 00B5B70C, 00B5B75B, 00B5B7B0, 00B5B867, 00B5B8A7, 00B5B8F9, 00B5B95E, 00B5B988, 00B5B9AF, 00B5BA96, 00B5BAD6, 00B5BAF5, 00B5BB32, 00B5BB70, 00B5BB93, 00B5BBAE
Failed to read signature offset., xrefs: 00B5B716
Failed to seek to NT header., xrefs: 00B5B601
4, xrefs: 00B5B853
Failed to read complete section info., xrefs: 00B5B994

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to user process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$c:\agent\_work\66\s\src\burn\user\section.cpp
API String ID: 3411815225-1671293494
Opcode ID: e32b8e9c00ae894b994f28a2418e1920f1167640b4a8d0851a52b7124ac737c0
Instruction ID: 948dca1b7a23c67114a0c522ce919ef939453212005680ec4646305706ee6769
Opcode Fuzzy Hash: e32b8e9c00ae894b994f28a2418e1920f1167640b4a8d0851a52b7124ac737c0
Instruction Fuzzy Hash: 6112F772940236ABDB349B158C86FAA76E4EF44B12F1141E5FE05BB280E774DD48CBE1

Function 00B70ABB Relevance: 54.6, APIs: 20, Strings: 11, Instructions: 306
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32(?,?,?,?,?,00B7066B,?,?), ref: 00B70ACA
GetLastError.KERNEL32(?,?,?,?,00B7066B,?,?), ref: 00B70AD4
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,00B7066B,?,?), ref: 00B70B19
GetLastError.KERNEL32(?,?,?,?,00B7066B,?,?), ref: 00B70B24
ResetEvent.KERNEL32(?,?,?,?,?,00B7066B,?,?), ref: 00B70B5C
GetLastError.KERNEL32(?,?,?,?,00B7066B,?,?), ref: 00B70B66

Strings

Failed to set file pointer to end of file., xrefs: 00B70DF4
Failed to copy stream name: %ls, xrefs: 00B70BF5
Failed to set operation complete event., xrefs: 00B70B02, 00B70C43
Failed to allocate buffer for stream., xrefs: 00B70D38
Failed to set file pointer to beginning of file., xrefs: 00B70E7D
Failed to reset begin operation event., xrefs: 00B70B94, 00B70CD0
Failed to create file: %ls, xrefs: 00B70DA6
c:\agent\_work\66\s\src\burn\user\cabextract.cpp, xrefs: 00B70AF8, 00B70B48, 00B70B8A, 00B70BB6, 00B70C39, 00B70C81, 00B70CC6, 00B70D2E, 00B70D99, 00B70DEA, 00B70E2F, 00B70E73
Invalid operation for this state., xrefs: 00B70BC2
Failed to set end of file., xrefs: 00B70E39
Failed to wait for begin operation event., xrefs: 00B70B52, 00B70C8B

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$Event$ObjectResetSingleWait
String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$c:\agent\_work\66\s\src\burn\user\cabextract.cpp
API String ID: 1865021742-1830388895
Opcode ID: 6376d41a6ef205fd0f97890a720ee625273ab6e9c00ccade9848f151266f90f5
Instruction ID: ff6583aac6ec5fbd77ed6955e6aa684402bc14f7d627ca1bad45c4c60ead0408
Opcode Fuzzy Hash: 6376d41a6ef205fd0f97890a720ee625273ab6e9c00ccade9848f151266f90f5
Instruction Fuzzy Hash: E4911733DA4632FBD22136648E49B2669D0FF01B61F1182E2BE29BF2D0D659AC0096D1

Function 00B54D7A Relevance: 38.7, APIs: 6, Strings: 16, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B534C4: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00B510DD,?,00000000), ref: 00B534E5

CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00B54F81
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00B54F90
CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00B54F9F
CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00B54FAA

Strings

Failed to get path for current process., xrefs: 00B54DC4
burn.filehandle.self, xrefs: 00B54E86
Failed to append original command line., xrefs: 00B54EAA
c:\agent\_work\66\s\src\burn\user\user.cpp, xrefs: 00B54F2B
Failed to allocate full command-line., xrefs: 00B54ECF
"%ls" %ls, xrefs: 00B54EBB
Failed to wait for clean room process: %ls, xrefs: 00B54F64
D, xrefs: 00B54EEA
burn.clean.room, xrefs: 00B54E1F
Failed to cache to clean room., xrefs: 00B54E03
-%ls="%ls", xrefs: 00B54E27
%ls %ls, xrefs: 00B54E96
Failed to launch clean room process: %ls, xrefs: 00B54F38
Failed to append %ls, xrefs: 00B54E5D
burn.filehandle.attached, xrefs: 00B54E58
Failed to allocate parameters for unelevated process., xrefs: 00B54E3B

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseHandle$FileModuleName
String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$c:\agent\_work\66\s\src\burn\user\user.cpp
API String ID: 3884789274-3026910944
Opcode ID: d600cd8cd1f2fa0aff018fdd0c17e639efe3f72b1e5e6108acf95b547211c416
Instruction ID: 806900430727b9eec4e9507d6fb6dcdf60c52b272f2564de537b5407e8d82624
Opcode Fuzzy Hash: d600cd8cd1f2fa0aff018fdd0c17e639efe3f72b1e5e6108acf95b547211c416
Instruction Fuzzy Hash: 58718132D01229ABCF11ABA4CC42AEEBBF8EF04715F1141E5FD14B6291D7745A45CBE1

Function 00B6741D Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 290
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to initialize internal cache functionality., xrefs: 00B67692
Failed to set source process folder variable., xrefs: 00B67638
Failed to overwrite the %ls built-in variable., xrefs: 00B675AE
Failed to get unique temporary folder for bootstrapper application., xrefs: 00B676C1
Failed to set source process path variable., xrefs: 00B675FC
Failed to extract bootstrapper application payloads., xrefs: 00B676E2
Failed to parse command line., xrefs: 00B6755A
Failed to load catalog files., xrefs: 00B67702
WixBundleSourceProcessPath, xrefs: 00B675EB
WixBundleOriginalSource, xrefs: 00B6764C
Failed to open manifest stream., xrefs: 00B6749E
Failed to initialize variables., xrefs: 00B67464
WixBundleElevated, xrefs: 00B67598, 00B675A9
Failed to load manifest., xrefs: 00B674DB
WixBundleUILevel, xrefs: 00B675C9, 00B675DA
Failed to get manifest stream from container., xrefs: 00B674BF
Failed to set original source variable., xrefs: 00B6765D
WixBundleSourceProcessFolder, xrefs: 00B67627
Failed to open attached UX container., xrefs: 00B67481
Failed to get source process folder from path., xrefs: 00B67618

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
API String ID: 32694325-1564579409
Opcode ID: cf068981b6a835c33445ff6f70514aab952168d3e992f68f02ca52112994938a
Instruction ID: 5505adb24f4e4d2cf5fd76d0e4d1463c02d0d12ce05ccb21b3f34ca795d1f970
Opcode Fuzzy Hash: cf068981b6a835c33445ff6f70514aab952168d3e992f68f02ca52112994938a
Instruction Fuzzy Hash: CAA154B2A84616BACF12DAA4CC81FEEB7ECBB14704F1042E6F915E7151DB74AD448BD0

Function 00B72596 Relevance: 36.9, APIs: 3, Strings: 18, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to get @InstallArguments., xrefs: 00B725E1
Failed to get @DetectCondition., xrefs: 00B725BF
Failed to get @Protocol., xrefs: 00B7270E
Failed to get @Repairable., xrefs: 00B7264F
Protocol, xrefs: 00B7265D
Failed to parse command lines., xrefs: 00B72722
Failed to get @RepairArguments., xrefs: 00B72625
burn, xrefs: 00B7267A
RepairArguments, xrefs: 00B72614
Repairable, xrefs: 00B72636
none, xrefs: 00B726D0
DetectCondition, xrefs: 00B725AE
netfx4, xrefs: 00B726AF
Failed to get @UninstallArguments., xrefs: 00B72603
UninstallArguments, xrefs: 00B725F2
Invalid protocol type: %ls, xrefs: 00B726F6
InstallArguments, xrefs: 00B725D0
Failed to parse exit codes., xrefs: 00B726A6

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
API String ID: 760788290-1911311241
Opcode ID: 9184f6e52bf56ee4ecbbf522d2a177e788e9b0b443c85a05bf6863aa7a748613
Instruction ID: b3c81ab02b0fc4332a506e1e258afffa37298575fc49b2186ba7f4034bd1d252
Opcode Fuzzy Hash: 9184f6e52bf56ee4ecbbf522d2a177e788e9b0b443c85a05bf6863aa7a748613
Instruction Fuzzy Hash: 4541F071E48726B6CF1667648D82F6A76D89B06730F2083D1F53C7B2D1D764DD0092E5

Function 00B685B1 Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 208
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,00B54DFD,?,?,00000000,00B54DFD,00000000), ref: 00B685F4
GetLastError.KERNEL32 ref: 00B68601

Part of subcall function 00B93709: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00B9379F

SetFilePointerEx.KERNELBASE(00000000,00B9A4B8,00000000,00000000,00000000,?,00000000,00B9A500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B686AE
GetLastError.KERNEL32 ref: 00B686B8
CloseHandle.KERNELBASE(00000000,?,00000000,00B9A500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B687E3

Strings

Failed to seek to original data in exe burn section header., xrefs: 00B687BC
Failed to update signature offset., xrefs: 00B68702
Failed to seek to signature table in exe header., xrefs: 00B6874D
Failed to seek to beginning of user file: %ls, xrefs: 00B6865A
Failed to copy user from: %ls to: %ls, xrefs: 00B68689
msi.dll, xrefs: 00B686F5
Failed to zero out original data offset., xrefs: 00B687D5
Failed to create user file at path: %ls, xrefs: 00B68632
c:\agent\_work\66\s\src\burn\user\cache.cpp, xrefs: 00B68625, 00B686DC, 00B68743, 00B687B2
Failed to seek to checksum in exe header., xrefs: 00B686E6
cabinet.dll, xrefs: 00B6875C

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: File$ErrorLast$CloseCreateHandlePointerRead
String ID: Failed to copy user from: %ls to: %ls$Failed to create user file at path: %ls$Failed to seek to beginning of user file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$c:\agent\_work\66\s\src\burn\user\cache.cpp$cabinet.dll$msi.dll
API String ID: 3456208997-3887126093
Opcode ID: af25aac4cdc5d8d4d87bb1f204a787f4abdd521a356a4f5072782b7251639e3a
Instruction ID: 3621686c64b0151b232f56c23921b977fdd7231be48f8fa2734c5f4271ee367d
Opcode Fuzzy Hash: af25aac4cdc5d8d4d87bb1f204a787f4abdd521a356a4f5072782b7251639e3a
Instruction Fuzzy Hash: 2851EAB39415327BEB215B649C46F7F36E8EB05B11F1142E5FE00FB291EA58DC0086E2

Function 00B5762D Relevance: 34.9, APIs: 1, Strings: 22, Instructions: 419
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00B6745E,00B553FA,00000000,00B55482), ref: 00B5764D

Strings

InstallerVersion, xrefs: 00B57834
WixBundleAction, xrefs: 00B57D77
', xrefs: 00B578EC
#, xrefs: 00B576CC
WixBundleProviderKey, xrefs: 00B57E7F
WixBundleTag, xrefs: 00B57EAF
LogonUser, xrefs: 00B57883
WixBundleExecutePackageAction, xrefs: 00B57DF9
WixBundleVersion, xrefs: 00B57ECF
WixBundleSourceProcessPath, xrefs: 00B57E8F
$, xrefs: 00B57D4A
WixBundleInstalled, xrefs: 00B57E2B
Date, xrefs: 00B57771
WixBundleElevated, xrefs: 00B57E47
WixBundleUILevel, xrefs: 00B57EBF
Failed to add built-in variable: %ls., xrefs: 00B57F1A
WixBundleExecutePackageCacheFolder, xrefs: 00B57D99
WixBundleSourceProcessFolder, xrefs: 00B57E9F
0, xrefs: 00B57664
WixBundleForcedRestartPackage, xrefs: 00B57E15
InstallerName, xrefs: 00B57813
WixBundleActiveParent, xrefs: 00B57E63

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
API String ID: 32694325-3635313340
Opcode ID: 7d481f4046d3505604d69049c1d7a293af9aa88176ac6b0241edddbe25e11c7a
Instruction ID: 8aafc3a1aecc104b03a5b74e65285e84fd0e79ff57c69919b24694f3d73d4ef8
Opcode Fuzzy Hash: 7d481f4046d3505604d69049c1d7a293af9aa88176ac6b0241edddbe25e11c7a
Instruction Fuzzy Hash: 2E3245B2D156699BDB65CF5AD9887CDFBF4BB48704F9081EED60CA7210C7B00A888F45

Function 00B6819F Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00B554C6), ref: 00B681F5

Part of subcall function 00B90141: OpenProcessToken.ADVAPI32(?,00000008,?,00B553FA,00000000,?,?,?,?,?,?,?,00B67590,00000000), ref: 00B9015F
Part of subcall function 00B90141: GetLastError.KERNEL32(?,?,?,?,?,?,?,00B67590,00000000), ref: 00B90169
Part of subcall function 00B90141: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00B67590,00000000), ref: 00B901F3

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00B6821B
GetLastError.KERNEL32 ref: 00B68225
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 00B682A2
GetLastError.KERNEL32 ref: 00B682AC
UuidCreate.RPCRT4(?), ref: 00B682EB

Strings

Failed to convert working folder guid into string., xrefs: 00B6832B
Failed to get windows path for working folder., xrefs: 00B68253
Failed to get temp path for working folder., xrefs: 00B682DA
Failed to ensure windows path for working folder ended in backslash., xrefs: 00B68270
c:\agent\_work\66\s\src\burn\user\cache.cpp, xrefs: 00B68249, 00B682D0, 00B68321
Temp\, xrefs: 00B6827A
4#v, xrefs: 00B682A2
%ls%ls\, xrefs: 00B6833D
Failed to concat Temp directory on windows path for working folder., xrefs: 00B68292
Failed to create working folder guid., xrefs: 00B682F8
Failed to append bundle id on to temp path for working folder., xrefs: 00B68355
Failed to copy working folder path., xrefs: 00B68370

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$Process$CloseCreateCurrentDirectoryHandleOpenPathTempTokenUuidWindows
String ID: 4#v$%ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$c:\agent\_work\66\s\src\burn\user\cache.cpp
API String ID: 266130487-2538238480
Opcode ID: 23c544d5f6b4e7f2d6cba0db86e3dd7a99ea7ba28603b70869e4fec7ed28bc9f
Instruction ID: 1cc2376514a9033c01db8f2c83d740122e5682c80d1ba209a47b368fadaa4f29
Opcode Fuzzy Hash: 23c544d5f6b4e7f2d6cba0db86e3dd7a99ea7ba28603b70869e4fec7ed28bc9f
Instruction Fuzzy Hash: 5B41F672E44624B7DB3096E08D4AFAB77E8AB01B11F1042E1BE05F7250EE78DD4486E9

Function 00B70EA0 Relevance: 30.0, APIs: 8, Strings: 9, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 00B70EC2
CoUninitialize.COMBASE ref: 00B7113D

Strings

Failed to set operation complete event., xrefs: 00B71069
Failed to initialize COM., xrefs: 00B70ECE
Failed to initialize cabinet.dll., xrefs: 00B70F44
Failed to reset begin operation event., xrefs: 00B710F5
Failed to extract all files from container, erf: %d:%X:%d, xrefs: 00B7101E
Invalid operation for this state., xrefs: 00B71121
c:\agent\_work\66\s\src\burn\user\cabextract.cpp, xrefs: 00B70F38, 00B7105F, 00B710AC, 00B710EB, 00B71117
<the>.cab, xrefs: 00B70F62
Failed to wait for begin operation event., xrefs: 00B710B6

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: InitializeUninitialize
String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$c:\agent\_work\66\s\src\burn\user\cabextract.cpp
API String ID: 3442037557-964446333
Opcode ID: c61d2fc752a4c93e491df8f4c314635d2f12140c0e6643b1e68e8b6f44b3435c
Instruction ID: 601da980251d001d86b08c20bc26087f5e5db39e043d25b020390a1a3caddfbc
Opcode Fuzzy Hash: c61d2fc752a4c93e491df8f4c314635d2f12140c0e6643b1e68e8b6f44b3435c
Instruction Fuzzy Hash: 8A515B37D54162E78720666D9C41E7E75E4DB41B20F21C6E6FD39BF290D52A8C80A2F1

Function 00B54326 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 157
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00B552A3,?,?,00000000,?,?), ref: 00B54352
InitializeCriticalSection.KERNEL32(000000D0,?,?,00B552A3,?,?,00000000,?,?), ref: 00B5435B
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00B552A3,?,?,00000000,?,?), ref: 00B543A1
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00B552A3,?,?,00000000,?,?), ref: 00B543AB
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00B552A3,?,?,00000000,?,?), ref: 00B543BF
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00B552A3,?,?,00000000,?,?), ref: 00B543CF
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00B552A3,?,?,00000000,?,?), ref: 00B5441F
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00B552A3,?,?,00000000,?,?), ref: 00B54429
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00B552A3,?,?,00000000,?,?), ref: 00B5443D
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00B552A3,?,?,00000000,?,?), ref: 00B5444D

Strings

burn.filehandle.self, xrefs: 00B5441A, 00B54422, 00B54427, 00B54428, 00B54448, 00B54518
c:\agent\_work\66\s\src\burn\user\user.cpp, xrefs: 00B544E2, 00B5450E
Missing required parameter for switch: %ls, xrefs: 00B544F1
Failed to initialize user section., xrefs: 00B544B6
burn.filehandle.attached, xrefs: 00B5439C, 00B543A4, 00B543A9, 00B543AA, 00B543CA, 00B544EC
Failed to parse file handle: '%ls', xrefs: 00B544CF

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize user section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$c:\agent\_work\66\s\src\burn\user\user.cpp
API String ID: 3039292287-2540856168
Opcode ID: 5b213022560df63aae39edc6e0a99ac695c5e697bb0cd9d3acfd83db3308d2f8
Instruction ID: 40013c50bfffcbcb6ef17e4d9c46d329272519acb6c36bf86b7d2e8e5172e4c3
Opcode Fuzzy Hash: 5b213022560df63aae39edc6e0a99ac695c5e697bb0cd9d3acfd83db3308d2f8
Instruction Fuzzy Hash: 2F51D871A40221BFCB14AB68DC86F5A77D8FF01721F0041E5FA04E7290DB74A954CBE5

Function 00B5C252 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 131
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,00B5C442,00B55442,?,?,00B55482), ref: 00B5C299
GetLastError.KERNEL32(?,00B5C442,00B55442,?,?,00B55482,00B55482,00000000,?,00000000), ref: 00B5C2AA
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,00B5C442,00B55442,?,?,00B55482,00B55482,00000000,?), ref: 00B5C2F9
GetCurrentProcess.KERNEL32(000000FF,00000000,?,00B5C442,00B55442,?,?,00B55482,00B55482,00000000,?,00000000), ref: 00B5C2FF
DuplicateHandle.KERNELBASE(00000000,?,00B5C442,00B55442,?,?,00B55482,00B55482,00000000,?,00000000), ref: 00B5C302
GetLastError.KERNEL32(?,00B5C442,00B55442,?,?,00B55482,00B55482,00000000,?,00000000), ref: 00B5C30C
SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00B5C442,00B55442,?,?,00B55482,00B55482,00000000,?,00000000), ref: 00B5C35E
GetLastError.KERNEL32(?,00B5C442,00B55442,?,?,00B55482,00B55482,00000000,?,00000000), ref: 00B5C368

Strings

c:\agent\_work\66\s\src\burn\user\container.cpp, xrefs: 00B5C2CE, 00B5C330, 00B5C38C
Failed to open file: %ls, xrefs: 00B5C2DB
crypt32.dll, xrefs: 00B5C35A
Failed to move file pointer to container offset., xrefs: 00B5C396
feclient.dll, xrefs: 00B5C35B
Failed to duplicate handle to container: %ls, xrefs: 00B5C33D
Failed to open container., xrefs: 00B5C3B4

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$c:\agent\_work\66\s\src\burn\user\container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-1064011499
Opcode ID: 2a5e7704e9009609a1bae6996f12501bcefbfa99d72c951e38b8ff5983af9184
Instruction ID: 9be96df78050cac1c7a8edb92ce625d3a9a718dfe8002f4d8f28a309221da5ee
Opcode Fuzzy Hash: 2a5e7704e9009609a1bae6996f12501bcefbfa99d72c951e38b8ff5983af9184
Instruction Fuzzy Hash: C641D336140305AFDB209F199D45F1B3FEAEBC5722F2180E9FD14AB251EA35C805DBA5

Function 00B92368 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 78
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B538D1: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00B53910
Part of subcall function 00B538D1: GetLastError.KERNEL32 ref: 00B5391A

Part of subcall function 00B94289: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00B942BA

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 00B923B2
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00B923D2
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00B923F2
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00B92412
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00B92432
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00B92452
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00B92472

Strings

MsiGetPatchInfoExW, xrefs: 00B92407
Msi.dll, xrefs: 00B9237A
MsiDetermineApplicablePatchesW, xrefs: 00B923C7
MsiEnumProductsExW, xrefs: 00B923E7
MsiSetExternalUIRecord, xrefs: 00B92447
MsiDeterminePatchSequenceW, xrefs: 00B923A7
MsiSourceListAddSourceExW, xrefs: 00B92467
MsiGetProductInfoExW, xrefs: 00B92427

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: 0fdd4cd6cdb707b0a6ae9dd425fea03312ab87aea5f43e72c066c8a7b7179873
Instruction ID: 6cf9402110dbeaf273d8c8d28e9f99c21761d0380c323f0ebf689373d2e133d6
Opcode Fuzzy Hash: 0fdd4cd6cdb707b0a6ae9dd425fea03312ab87aea5f43e72c066c8a7b7179873
Instruction Fuzzy Hash: FA31E0B0901A48EFDB229F61EC06FA9BBE1E710708F1043BAE50257670EBF55D64DB91

Function 00B714E3 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,00B5C3AE,?,00000000,?,00B5C442), ref: 00B7151A
GetLastError.KERNEL32(?,00B5C3AE,?,00000000,?,00B5C442,00B55442,?,?,00B55482,00B55482,00000000,?,00000000), ref: 00B71523

Strings

wininet.dll, xrefs: 00B714F9
Failed to create extraction thread., xrefs: 00B715E3
c:\agent\_work\66\s\src\burn\user\cabextract.cpp, xrefs: 00B71547, 00B7158D, 00B715D9
Failed to create operation complete event., xrefs: 00B71597
Failed to create begin operation event., xrefs: 00B71551
Failed to wait for operation complete., xrefs: 00B715F6
Failed to copy file name., xrefs: 00B71505

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$c:\agent\_work\66\s\src\burn\user\cabextract.cpp$wininet.dll
API String ID: 545576003-1014644744
Opcode ID: 32c330519dadaf0a6e59ef152213c5a82d095269aeb32655fb3d78cda735828a
Instruction ID: a622668d08d9fd4921e3ea1d6ead169ab664597cee4d41297b9505fb57bee823
Opcode Fuzzy Hash: 32c330519dadaf0a6e59ef152213c5a82d095269aeb32655fb3d78cda735828a
Instruction Fuzzy Hash: 31217B73D4563B77E324127C8D41F2769DCEF51BA0B0185E2BD5ABB280EA58DC0042F0

Function 00B8F58A Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 00B8F5B2
GetProcAddress.KERNEL32(SystemFunction041), ref: 00B8F5C4
GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 00B8F607
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00B8F61B
GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 00B8F653
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00B8F667

Strings

AdvApi32.dll, xrefs: 00B8F591
SystemFunction041, xrefs: 00B8F5B4
Crypt32.dll, xrefs: 00B8F5E8
SystemFunction040, xrefs: 00B8F5A7
CryptProtectMemory, xrefs: 00B8F5FC
c:\agent\_work\66\s\src\libs\dutil\cryputil.cpp, xrefs: 00B8F63C
CryptUnprotectMemory, xrefs: 00B8F648

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$c:\agent\_work\66\s\src\libs\dutil\cryputil.cpp
API String ID: 4214558900-686287438
Opcode ID: fc7d94d025917e528dd84373492bd5cb13f0c0f44114d7942633e9a53a3c844f
Instruction ID: 15d5604992187028f5f8207b9b5c59dafe26ea71b0bd7513d95ea05e00a34f56
Opcode Fuzzy Hash: fc7d94d025917e528dd84373492bd5cb13f0c0f44114d7942633e9a53a3c844f
Instruction Fuzzy Hash: 5C213232941623ABD7316B55AD65FAA29D0AB20751F1243BAED01B7270EBE48C44CF92

Function 00B70671 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 00B706A1
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 00B706B9
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 00B706BE
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00B706C1
GetLastError.KERNEL32(?,?), ref: 00B706CB
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 00B7073A
GetLastError.KERNEL32(?,?), ref: 00B70747

Strings

Failed to duplicate handle to cab container., xrefs: 00B706F9
Failed to add virtual file pointer for cab container., xrefs: 00B70720
Failed to open cabinet file: %hs, xrefs: 00B70778
c:\agent\_work\66\s\src\burn\user\cabextract.cpp, xrefs: 00B706EF, 00B7076B
<the>.cab, xrefs: 00B7069A

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$c:\agent\_work\66\s\src\burn\user\cabextract.cpp
API String ID: 3030546534-886985619
Opcode ID: 1b79f70d36d535ae2cc6f012084e2aeb1939959dc2db30f524fe0ee0f3d5c2a7
Instruction ID: 9a5bfe7102fea9369c3b795fe8f862d85199b763d1c455c5b3ef591b691e9729
Opcode Fuzzy Hash: 1b79f70d36d535ae2cc6f012084e2aeb1939959dc2db30f524fe0ee0f3d5c2a7
Instruction Fuzzy Hash: 28310776911136FBD7216B548D49E9B7EECEF05B60F1181A2FD18B7250DB24AD00CBE0

Function 00B66955 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,00B54E52,?,?), ref: 00B66975
GetCurrentProcess.KERNEL32(?,00000000,?,?,00B54E52,?,?), ref: 00B6697B
DuplicateHandle.KERNELBASE(00000000,?,?,00B54E52,?,?), ref: 00B6697E
GetLastError.KERNEL32(?,?,00B54E52,?,?), ref: 00B66988
CloseHandle.KERNEL32(000000FF,?,00B54E52,?,?), ref: 00B66A01

Strings

Failed to append the file handle to the command line., xrefs: 00B669E9
c:\agent\_work\66\s\src\burn\user\core.cpp, xrefs: 00B669AC
%ls -%ls=%u, xrefs: 00B669D5
Failed to duplicate file handle for attached container., xrefs: 00B669B6
burn.filehandle.attached, xrefs: 00B669CE

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CurrentHandleProcess$CloseDuplicateErrorLast
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$c:\agent\_work\66\s\src\burn\user\core.cpp
API String ID: 4224961946-3213253029
Opcode ID: b89586c917ad3ca96f5c0ada2d51cf0dab667dd6ba84784362cdf19c61f1504e
Instruction ID: be163c745723275a36abffc426e9c250f867733501613c073d2457691e02df8a
Opcode Fuzzy Hash: b89586c917ad3ca96f5c0ada2d51cf0dab667dd6ba84784362cdf19c61f1504e
Instruction Fuzzy Hash: 6A11B432941225B7CB109BA88E05E4ABBE8EB45B30F214391FD15F72E0E7B89E0186D0

Function 00B92B5D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B92B73
SysAllocString.OLEAUT32(?), ref: 00B92B8F
VariantClear.OLEAUT32(?), ref: 00B92C16
SysFreeString.OLEAUT32(00000000), ref: 00B92C21

Strings

c:\agent\_work\66\s\src\libs\dutil\xmlutil.cpp, xrefs: 00B92BA6
`Dv, xrefs: 00B92C21

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: StringVariant$AllocClearFreeInit
String ID: `Dv$c:\agent\_work\66\s\src\libs\dutil\xmlutil.cpp
API String ID: 760788290-3615271265
Opcode ID: 3485a8cdb208549e17c859fe5fc8feea2e62a4bc11025d89c37086beb7586649
Instruction ID: 145103cf164addbbe9e1fb2ae154b461e914cd751b9501806b448ea8c601fbfd
Opcode Fuzzy Hash: 3485a8cdb208549e17c859fe5fc8feea2e62a4bc11025d89c37086beb7586649
Instruction Fuzzy Hash: 9A218D36D00219BBCF10EF64C948EAEBBF9EF44711F1541E8F905AB220CB309D059B90

Function 00B90141 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,00B553FA,00000000,?,?,?,?,?,?,?,00B67590,00000000), ref: 00B9015F
GetLastError.KERNEL32(?,?,?,?,?,?,?,00B67590,00000000), ref: 00B90169
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,00B67590,00000000), ref: 00B9019B
GetLastError.KERNEL32(?,?,?,?,?,?,?,00B67590,00000000), ref: 00B901B4
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00B67590,00000000), ref: 00B901F3

Strings

c:\agent\_work\66\s\src\libs\dutil\procutil.cpp, xrefs: 00B901E1

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLastToken$CloseHandleInformationOpenProcess
String ID: c:\agent\_work\66\s\src\libs\dutil\procutil.cpp
API String ID: 4040495316-2457365779
Opcode ID: 9fe10e4201ffe4e37a9cd07200441e91cc515bfa737c9d3718dd7d5fa673eaf6
Instruction ID: 92c76486c9930776ef1168ec79f4c23e2bcd228a8746682a9592ec59a2cfd989
Opcode Fuzzy Hash: 9fe10e4201ffe4e37a9cd07200441e91cc515bfa737c9d3718dd7d5fa673eaf6
Instruction Fuzzy Hash: CA21DE32D50239EFCF21AB958D44A9EBEF8EF10710F1180A2FD05BB250D6708E40DAD0

Function 00B66A0F Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 00B66A43
CloseHandle.KERNEL32(00000000), ref: 00B66AB3

Strings

burn.filehandle.self, xrefs: 00B66A54, 00B66A86
Failed to append the file handle to the command line., xrefs: 00B66A6F
Failed to append the file handle to the obfuscated command line., xrefs: 00B66AA1
%ls -%ls=%u, xrefs: 00B66A5B, 00B66A8D

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
API String ID: 3498533004-3263533295
Opcode ID: c717f82d3d82cb769d2619f097373e5071fdb5fe4053bea6e646009131b2926d
Instruction ID: 1c615980dfa5f9c77e4f5ca16a9cf38b1ad97fbedcf0a8252951a02495f881a8
Opcode Fuzzy Hash: c717f82d3d82cb769d2619f097373e5071fdb5fe4053bea6e646009131b2926d
Instruction Fuzzy Hash: 0011B631A41224BBCB21ABE8DD45F5B3FE8EB42B30F118296F925B72E1D7B445118791

Function 00B92DC7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B92DD6
InterlockedIncrement.KERNEL32(00BBB69C), ref: 00B92DF3
CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,00BBB688,?,?,?,?,?,?), ref: 00B92E0E
CLSIDFromProgID.OLE32(MSXML.DOMDocument,00BBB688,?,?,?,?,?,?), ref: 00B92E1A

Strings

MSXML.DOMDocument, xrefs: 00B92E15
Msxml2.DOMDocument, xrefs: 00B92E09

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: FromProg$IncrementInitializeInterlocked
String ID: MSXML.DOMDocument$Msxml2.DOMDocument
API String ID: 2109125048-2356320334
Opcode ID: 8b0e5875cd2b57987a438535a7594b5bd4c9542da6973132c928fbef3731c58a
Instruction ID: a4f641aac37aae0d9251839fd1ee0a28df41757be1f914707565c606611ac082
Opcode Fuzzy Hash: 8b0e5875cd2b57987a438535a7594b5bd4c9542da6973132c928fbef3731c58a
Instruction Fuzzy Hash: D3F0A031F45535ABDF221761BD48F6B2EE9DB98B51F4001B6E802C2060DBE09C41CAF1

Function 00B94289 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00B942BA
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 00B942E7
GetLastError.KERNEL32(?,00000000,?,00000000), ref: 00B94313
GetLastError.KERNEL32(00000000,00B9A800,?,00000000,?,00000000,?,00000000), ref: 00B94351
GlobalFree.KERNEL32(00000000), ref: 00B94382

Strings

c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp, xrefs: 00B942D5, 00B9432E

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp
API String ID: 1145190524-1688708105
Opcode ID: 03c31f0d109a14961d3eb45b73f7875ba0c6195d169ebf7cd099e0402b198cf5
Instruction ID: 46d2050d4280d7204f79556e58ef55a68809dd21103adb67e4df80154f44a4e1
Opcode Fuzzy Hash: 03c31f0d109a14961d3eb45b73f7875ba0c6195d169ebf7cd099e0402b198cf5
Instruction Fuzzy Hash: 2D319F36944229ABCF229BA98941EAFBAE9FF45760F1142F6FD04E7240D7349D0186E4

Function 00B7082C Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 00B708D2
GetLastError.KERNEL32(?,?,?), ref: 00B708DC

Strings

Failed to move file pointer 0x%x bytes., xrefs: 00B7090D
Invalid seek type., xrefs: 00B70868
c:\agent\_work\66\s\src\burn\user\cabextract.cpp, xrefs: 00B70900

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$c:\agent\_work\66\s\src\burn\user\cabextract.cpp
API String ID: 2976181284-424406494
Opcode ID: 7365a06891081d21e238c09abe5294bfd07afd7461322fe85c3306f7efdfa168
Instruction ID: 959881fb95517149c16e89bf3e03d294d47becbb94ecffe6c39c050914d21a2c
Opcode Fuzzy Hash: 7365a06891081d21e238c09abe5294bfd07afd7461322fe85c3306f7efdfa168
Instruction Fuzzy Hash: BE31C271A1011AEFCB00EFA8D881E6DB7E8FB04354B04C1A6F928A7251D370ED10CBD1

Function 00B5415F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,00B69FBC,00000000,00000000,?,00000000,00B553FA,00000000,?,?,00B5D567,?), ref: 00B5416D
GetLastError.KERNEL32(?,00B69FBC,00000000,00000000,?,00000000,00B553FA,00000000,?,?,00B5D567,?,00000000,00000000), ref: 00B5417B
CreateDirectoryW.KERNEL32(?,840F01E8,00B554C6,?,00B69FBC,00000000,00000000,?,00000000,00B553FA,00000000,?,?,00B5D567,?,00000000), ref: 00B541EB
GetLastError.KERNEL32(?,00B69FBC,00000000,00000000,?,00000000,00B553FA,00000000,?,?,00B5D567,?,00000000,00000000), ref: 00B541F5

Strings

c:\agent\_work\66\s\src\libs\dutil\dirutil.cpp, xrefs: 00B54225

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: c:\agent\_work\66\s\src\libs\dutil\dirutil.cpp
API String ID: 1375471231-2061300336
Opcode ID: 505c2356dffdddadca86742585a23f89d0f8a094f30695f02639b582826a9451
Instruction ID: d6d4b742700877103ccfedfcf7a653c9a2a129ccc4850c6e10743d696dea3085
Opcode Fuzzy Hash: 505c2356dffdddadca86742585a23f89d0f8a094f30695f02639b582826a9451
Instruction Fuzzy Hash: 0C213836654231A7DB311AA15C40B3BBAE5EF65B6BF1240E5FE04FB240D7268CC992D1

Function 00B556E2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00B565B1,00B565B1,?,00B55678,?,?,00000000), ref: 00B5571E
GetLastError.KERNEL32(?,00B55678,?,?,00000000,?,?,00B565B1,?,00B57F03,?,?,?,?,?), ref: 00B5574D

Strings

Failed to compare strings., xrefs: 00B5577B
version.dll, xrefs: 00B55710
c:\agent\_work\66\s\src\burn\user\variable.cpp, xrefs: 00B55771

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CompareErrorLastString
String ID: Failed to compare strings.$c:\agent\_work\66\s\src\burn\user\variable.cpp$version.dll
API String ID: 1733990998-1548471634
Opcode ID: e6c1dd38be33f86fbac6240d57c56d85bc1f9a50e1ee2c17d207a4800e74f5ff
Instruction ID: f77542b4c79f0afa847d8b7abda9dd7008b28efb810430b4b281bc65fb1fac2c
Opcode Fuzzy Hash: e6c1dd38be33f86fbac6240d57c56d85bc1f9a50e1ee2c17d207a4800e74f5ff
Instruction Fuzzy Hash: D8210737600921EBC7248FA8CD51B59BBE4EF09773F2503D5ED11AB390E630ED018AA0

Function 00B70797 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B711B1: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00B707C6,?,?,?), ref: 00B711D9
Part of subcall function 00B711B1: GetLastError.KERNEL32(?,00B707C6,?,?,?), ref: 00B711E3

ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 00B707D4
GetLastError.KERNEL32 ref: 00B707DE

Strings

c:\agent\_work\66\s\src\burn\user\cabextract.cpp, xrefs: 00B70802
Failed to read during cabinet extraction., xrefs: 00B7080C

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$c:\agent\_work\66\s\src\burn\user\cabextract.cpp
API String ID: 2170121939-3499834177
Opcode ID: bbc388a0db6965fd608c9b513646ac493d34b51ff7bbbf70b9f075909c730184
Instruction ID: bcf7c58a3d0b32cc6975d393f671c63a99175487025bba7d7cf68893d2be5b7f
Opcode Fuzzy Hash: bbc388a0db6965fd608c9b513646ac493d34b51ff7bbbf70b9f075909c730184
Instruction Fuzzy Hash: 0D01C232A00266FBCB119F54DD04D8A7BE8EF05B64B0141A5FE18A7250D734E900CAE0

Function 00B711B1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,00B707C6,?,?,?), ref: 00B711D9
GetLastError.KERNEL32(?,00B707C6,?,?,?), ref: 00B711E3

Strings

Failed to move to virtual file pointer., xrefs: 00B71211
c:\agent\_work\66\s\src\burn\user\cabextract.cpp, xrefs: 00B71207

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$c:\agent\_work\66\s\src\burn\user\cabextract.cpp
API String ID: 2976181284-1387633737
Opcode ID: e22c8416067b53c2bd0f2432cb81f76f3da6e6ed0a4f5757ab33c88ddc7b99d4
Instruction ID: 7b7764d797241576d43b0d51d3c430827486abe72aedc263a55e70877ba2923e
Opcode Fuzzy Hash: e22c8416067b53c2bd0f2432cb81f76f3da6e6ed0a4f5757ab33c88ddc7b99d4
Instruction Fuzzy Hash: 7501D4329002367787211A9EAC04D4BBF98EF41BB1711C1A5FE2CAA111D6259C1086E0

Function 00B93709 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00B9379F
GetLastError.KERNEL32 ref: 00B93802

Strings

c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp, xrefs: 00B93826

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp
API String ID: 1948546556-1688708105
Opcode ID: 8460bb69d69d12e27f2f720ad76ffea3da55788991fb531704deae6dfe828f5f
Instruction ID: 6a241d4fb1b2c5f2335149b5477b72e3e12d3642c1852c4f7b48ae1bbd90eef5
Opcode Fuzzy Hash: 8460bb69d69d12e27f2f720ad76ffea3da55788991fb531704deae6dfe828f5f
Instruction Fuzzy Hash: 333141B1E002699BDF258F55CD80BDA77E4FB08B51F1040FAE949E7240DBB89EC48B91

Function 00B94650 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,00B937C6,?,?,?), ref: 00B94674
GetLastError.KERNEL32(?,?,00B937C6,?,?,?), ref: 00B9467E

Strings

c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp, xrefs: 00B946A7

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp
API String ID: 442123175-1688708105
Opcode ID: b266e91948ef51b24626d2f507f0cc4ea7b11e7adb5e306141396fa442d1e739
Instruction ID: f983b350be0de49422cf08b850db4bbb71a8830e0d7305bc12dc3586c47ec359
Opcode Fuzzy Hash: b266e91948ef51b24626d2f507f0cc4ea7b11e7adb5e306141396fa442d1e739
Instruction Fuzzy Hash: 60F06D73A00129ABDB108E9ACD45EDFBBE9EB42761F0101A1BD04E7140D760AD0086E0

Function 00B9412E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,00B68651,00000000,00000000,00000000,00000000,00000000), ref: 00B94146
GetLastError.KERNEL32(?,?,?,00B68651,00000000,00000000,00000000,00000000,00000000), ref: 00B94150

Strings

c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp, xrefs: 00B94174

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp
API String ID: 2976181284-1688708105
Opcode ID: 17b8ea14ede42b7ab7b590bff4471ea9df9ee4af0cb2e2f87ffae1815c58f2cd
Instruction ID: 77a95723999b3a6f99c50968e30b5f4e4a22d775815160d6daa6f494a47ade81
Opcode Fuzzy Hash: 17b8ea14ede42b7ab7b590bff4471ea9df9ee4af0cb2e2f87ffae1815c58f2cd
Instruction Fuzzy Hash: 24F08172A0013AAB9F248F85DD05E9B7FE9EF14750B0140A4FD04BB251E730DD50D6E0

Function 00B90823 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,Pi,00000000,?,00B94FE0,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00B90837

Strings

c:\agent\_work\66\s\src\libs\dutil\regutil.cpp, xrefs: 00B90874
Pi, xrefs: 00B90827

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Open
String ID: Pi$c:\agent\_work\66\s\src\libs\dutil\regutil.cpp
API String ID: 71445658-987910225
Opcode ID: 20265cf8bc2884604e1144105df9f7f6ef3e2d288ec8ff5d62928b80ac80d071
Instruction ID: 18289a1a30367f5210a747ce95bd353598bd9e40065bec469b5b40f697f5cee8
Opcode Fuzzy Hash: 20265cf8bc2884604e1144105df9f7f6ef3e2d288ec8ff5d62928b80ac80d071
Instruction Fuzzy Hash: C2F05932B00125EB8F3029968C44BAB7EC9DB40BF0F1541B5BD0DEB220E664CC1083E0

Function 00B538D1 Relevance: 4.6, APIs: 3, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00B53910
GetLastError.KERNEL32 ref: 00B5391A
LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 00B53983

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: 937cd2005c3bbaaccd65643e1a3851bc377ab238be4c84d60486e3421b3e2e07
Instruction ID: 382af308c5bd125920c77927c3e12024fcfd49aaa0382bd24c82d838599e9060
Opcode Fuzzy Hash: 937cd2005c3bbaaccd65643e1a3851bc377ab238be4c84d60486e3421b3e2e07
Instruction Fuzzy Hash: FD21F5F6D0133967CB209BA49C49F9A77E89B44B91F1102E1AE05F7341E670DE488AD1

Function 00B53AA4 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00B8FB87,00000000,8007139F,?,00000000,00000000,8007139F,?,?,?,00B8FB1B,000001C7), ref: 00B53AAE
RtlFreeHeap.NTDLL(00000000,?,00B8FB87,00000000,8007139F,?,00000000,00000000,8007139F,?,?,?,00B8FB1B,000001C7,?,?), ref: 00B53AB5
GetLastError.KERNEL32(?,00B8FB87,00000000,8007139F,?,00000000,00000000,8007139F,?,?,?,00B8FB1B,000001C7,?,?), ref: 00B53ABF

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Heap$ErrorFreeLastProcess
String ID:
API String ID: 406640338-0
Opcode ID: b7d837887b7ab1f138ff8a3cab2101ae3ff40dfbc1f7ffdf98b11d80c1b0f61b
Instruction ID: f891412c176284f6d7fae8858459ea427b4035300457c8f8bc837a93e0167e8c
Opcode Fuzzy Hash: b7d837887b7ab1f138ff8a3cab2101ae3ff40dfbc1f7ffdf98b11d80c1b0f61b
Instruction Fuzzy Hash: 12D01273A0013957872117E65D0CA5BBED8EF05AE2B014562FD44EB210DE25CD1097E5

Function 00B9506B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,Pi,00000000,80070490,?,?,00B689F4,WiX\Burn,PackageCache,00000000,Pi,00000000,00000000,80070490), ref: 00B950C5

Part of subcall function 00B9095E: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00B909D4
Part of subcall function 00B9095E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00B90A0C

Strings

Pi, xrefs: 00B95071

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: QueryValue$Close
String ID: Pi
API String ID: 1979452859-3425462916
Opcode ID: ea23dabee6350c73953573b67e8418119e2a106eb3de9dc33339b001a28a0d71
Instruction ID: 0dae6090084e5b97a9a6a0e715eb1aea2950ab29cc3a21890685b0827a061d87
Opcode Fuzzy Hash: ea23dabee6350c73953573b67e8418119e2a106eb3de9dc33339b001a28a0d71
Instruction Fuzzy Hash: E511C23688162AEBDF336FA4CD85AAEBAE5EB04320B2141B9ED8167110C7314D50DBD1

Function 00B539DF Relevance: 3.0, APIs: 2, Instructions: 13memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,000001C7,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F0
RtlAllocateHeap.NTDLL(00000000,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F7

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: b379a74e2d1098e23ca5d6b5790e74292d62004ecc2d57fa0383c3faf3ce1d69
Instruction ID: a92f27b73bf74ad1df3fef83d5649d67a143d9bdc4a1865e392d8c01df604ed5
Opcode Fuzzy Hash: b379a74e2d1098e23ca5d6b5790e74292d62004ecc2d57fa0383c3faf3ce1d69
Instruction Fuzzy Hash: 92C0123219421CAB8B005FF4DC0DC56379CB715602B048401B505D3120CA38E01087A1

Function 00B92E25 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B92E5A

Part of subcall function 00B928BD: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00B92E6B,00000000,?,00000000), ref: 00B928D7
Part of subcall function 00B928BD: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00B7BD14,?,00B55442,?,00000000,?), ref: 00B928E3

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorHandleInitLastModuleVariant
String ID:
API String ID: 52713655-0
Opcode ID: d433e7d0d70029f0f7d160a48fbae7e4091bf289f0b98736301bc43efd76afe7
Instruction ID: e07b5c0cbff83c718a7770d3c1eacdecba821738f693ba8dfb57db4ad370b02a
Opcode Fuzzy Hash: d433e7d0d70029f0f7d160a48fbae7e4091bf289f0b98736301bc43efd76afe7
Instruction Fuzzy Hash: 38311E76D00629ABCB11DFA8C8C4ADEB7F4EF08710F1145BAE915BB311DA709D048BA0

Function 00B535A8 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00B68AAE,0000001C,80070490,00000000,00000000,80070490), ref: 00B535C8

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 6ffde391a1517ad3741a91ac0a541e86b55d4a0c58a1e7a0ee9e19b8fed4a3a0
Instruction ID: b8ff16a369177f8dd6b03395ee1f0ab6abcdb91d55012ca1ade2e9fce1c97d01
Opcode Fuzzy Hash: 6ffde391a1517ad3741a91ac0a541e86b55d4a0c58a1e7a0ee9e19b8fed4a3a0
Instruction Fuzzy Hash: 18E012723412247BAA016AA56C01EAB7BDCDF2679270094D1FE44D7100EA61D71457B5

Function 00B8ED39 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8ED51

Part of subcall function 00B990AE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B99121
Part of subcall function 00B990AE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B99132

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7da7bbbf89ef779cf1614660da8378a6a7e63931d05fb0a7b8d6d24cbec9acdc
Instruction ID: 8ed651fb78a11a5b6136de4e13eeb8c2192bbab88711d9a52d016399bcd5799c
Opcode Fuzzy Hash: 7da7bbbf89ef779cf1614660da8378a6a7e63931d05fb0a7b8d6d24cbec9acdc
Instruction Fuzzy Hash: CFB0129A29E0027F315821451D06C7606CCC6E1B2033380FEB460D40509CC04D0412B3

Function 00B8ED6A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8ED51

Part of subcall function 00B990AE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B99121
Part of subcall function 00B990AE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B99132

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 96fdc7c4cbeb72d1d10dc195b10b02266fae3a460b86d19e0c6cc625f11d42cf
Instruction ID: 353e4a53ed6b4cc109ed90eedb39eb8aee43115073ebbe9cdfe443f1301a1f9a
Opcode Fuzzy Hash: 96fdc7c4cbeb72d1d10dc195b10b02266fae3a460b86d19e0c6cc625f11d42cf
Instruction Fuzzy Hash: 13B0129629E1026F315861491D06C7606CCC2E1B2033381FEF050C5050DCD04D441373

Function 00B8ED5A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00B8ED51

Part of subcall function 00B990AE: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B99121
Part of subcall function 00B990AE: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B99132

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a2381a5420cc5204d41dc76efe83959b0744344bcb04bf51fd0b138af0d565b8
Instruction ID: 224b81fe235dd475c56a91e2be2b7e15206cc0ace1b3946dab4597ff877e5d83
Opcode Fuzzy Hash: a2381a5420cc5204d41dc76efe83959b0744344bcb04bf51fd0b138af0d565b8
Instruction Fuzzy Hash: 30B012A629E0026F315861491E07C7606CCC2E1B2033340FEB050C5050DCC14D051373

Function 00B514AC Relevance: 1.3, APIs: 1, Instructions: 52stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,00B522B1,?,00000000,?,00000000,?,00B539A5,00000000,?,00000104), ref: 00B514DC

Part of subcall function 00B53C5F: GetProcessHeap.KERNEL32(00000000,000001C7,?,00B522D5,000001C7,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B53C67
Part of subcall function 00B53C5F: HeapSize.KERNEL32(00000000,?,00B522D5,000001C7,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B53C6E

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: 5d7916aeba8b1ffa1742f27231b08555a83f859db7dbd70052b5ec5bc48bfb27
Instruction ID: 18457d349da7f5393c077a1818569163afc87a5c9a58c3591510ef3bbf17fce8
Opcode Fuzzy Hash: 5d7916aeba8b1ffa1742f27231b08555a83f859db7dbd70052b5ec5bc48bfb27
Instruction Fuzzy Hash: 5B012832100224BBCF126E1CEC80FCA7BE9EF51762F1085D1FE156B291D770ED089AA0

Non-executed Functions

Function 00B53D4E Relevance: 47.6, APIs: 23, Strings: 4, Instructions: 309fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 00B53DAD
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00B53DC0
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 00B53E0C
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00B53E16
GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 00B53E5D
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00B53E67
FindFirstFileW.KERNEL32(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 00B53EB5
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00B53EC6
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 00B53F98
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000001,00000000,?), ref: 00B53FAC
GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 00B53FD5
MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 00B53FF8
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00B54011
FindNextFileW.KERNEL32(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 00B54021
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00B54036
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00B54065
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00B54087
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00B540A9
RemoveDirectoryW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 00B540B3
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00B540BD
MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00B540E1
GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00B540FC
FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 00B54132

Strings

4#v, xrefs: 00B53E5D
*.*, xrefs: 00B53E93
c:\agent\_work\66\s\src\libs\dutil\dirutil.cpp, xrefs: 00B53DE3, 00B54056
DEL, xrefs: 00B53FC9

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
String ID: 4#v$*.*$DEL$c:\agent\_work\66\s\src\libs\dutil\dirutil.cpp
API String ID: 1544372074-2071717422
Opcode ID: a74689eeaeac12d15a6492aa0d193a40dc11902981aea6b20ab09ee54eb40967
Instruction ID: beb5c190bbe9c7e0112817238564ae450beaf4db24eca602a1c1d5837e1c7287
Opcode Fuzzy Hash: a74689eeaeac12d15a6492aa0d193a40dc11902981aea6b20ab09ee54eb40967
Instruction Fuzzy Hash: A0A13B32D01239A7DB3096658C45BAABAF4DF00B66F1542D1EE04B71D0DB75CDC8CAE0

Function 00B90FA6 Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 336COMMON

Download Yara Rule

APIs

InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00B9103E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B91048
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 00B91095
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B9109B
CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 00B910D5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B910DB
CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 00B9111B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B91121
CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 00B91161
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B91167
CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 00B911A7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B911AD
SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 00B9129E
SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 00B912D8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B912E2
SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 00B9131A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B91324
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B9135D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B91367
CoInitializeSecurity.OLE32(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 00B913A5
LocalFree.KERNEL32(?), ref: 00B913BB

Strings

c:\agent\_work\66\s\src\libs\dutil\srputil.cpp, xrefs: 00B91069

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
String ID: c:\agent\_work\66\s\src\libs\dutil\srputil.cpp
API String ID: 267631441-212431265
Opcode ID: c7d1d8c8da6f6e3be9133131185a03ee96d280e511bc1256e41a6e8a5bd732d0
Instruction ID: accdada593cc5919e41daf2200ccf3bc243321c373d5aab23f2483932d7544e8
Opcode Fuzzy Hash: c7d1d8c8da6f6e3be9133131185a03ee96d280e511bc1256e41a6e8a5bd732d0
Instruction Fuzzy Hash: 2EC16376C4123AABDB308F998D48FDEBAFCEF44750F1145EAA908F7250D6709D409EA1

Function 00B7C01F Relevance: 37.1, APIs: 1, Strings: 20, Instructions: 375COMMON

Download Yara Rule

Strings

Failed to allocate memory for dependency providers., xrefs: 00B7C3CA
Failed to allocate space for burn payload inside of related bundle struct, xrefs: 00B7C0AA
Failed to copy key for pseudo bundle payload., xrefs: 00B7C0DF
Failed to copy local source path for pseudo bundle., xrefs: 00B7C127
Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 00B7C071
Failed to copy display name for pseudo bundle., xrefs: 00B7C43B
Failed to copy uninstall arguments for related bundle package, xrefs: 00B7C30F
Failed to append relation type to install arguments for related bundle package, xrefs: 00B7C294
Failed to copy key for pseudo bundle., xrefs: 00B7C22C
Failed to append relation type to uninstall arguments for related bundle package, xrefs: 00B7C330
Failed to append relation type to repair arguments for related bundle package, xrefs: 00B7C2DD
-%ls, xrefs: 00B7C03C
Failed to copy download source for pseudo bundle., xrefs: 00B7C155
Failed to copy version for pseudo bundle., xrefs: 00B7C419
c:\agent\_work\66\s\src\burn\user\pseudobundle.cpp, xrefs: 00B7C065, 00B7C09E, 00B7C18D, 00B7C3BE
Failed to copy install arguments for related bundle package, xrefs: 00B7C273
Failed to copy filename for pseudo bundle., xrefs: 00B7C103
Failed to copy cache id for pseudo bundle., xrefs: 00B7C24B
Failed to allocate memory for pseudo bundle payload hash., xrefs: 00B7C199
Failed to copy repair arguments for related bundle package, xrefs: 00B7C2BC

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$c:\agent\_work\66\s\src\burn\user\pseudobundle.cpp
API String ID: 1357844191-3959581252
Opcode ID: 0d0de55d3e350ea6d3623bbbbbd8b9d7c7d6b5e109ca67b38b2fba11402b13d0
Instruction ID: 8bb73560f21510559c21ff3d664df2f6adf65f25f331118dd928db9aa4ca0158
Opcode Fuzzy Hash: 0d0de55d3e350ea6d3623bbbbbd8b9d7c7d6b5e109ca67b38b2fba11402b13d0
Instruction Fuzzy Hash: DCC1CE71600656ABEB259F68C892B6A7BD8FB05710F11C1EEFC29EB351D771EC108B90

Function 00B54639 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 140sleepshutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 00B54662
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00B54669
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00B54673
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00B546C3
GetLastError.KERNEL32 ref: 00B546CD
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 00B54711
GetLastError.KERNEL32 ref: 00B5471B
Sleep.KERNEL32(000003E8), ref: 00B54757
InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,80040002), ref: 00B54768
GetLastError.KERNEL32 ref: 00B54772
CloseHandle.KERNEL32(?), ref: 00B547C8

Strings

Failed to schedule restart., xrefs: 00B547B3
c:\agent\_work\66\s\src\burn\user\user.cpp, xrefs: 00B54697, 00B546F1, 00B5473F, 00B547A9
Failed to get process token., xrefs: 00B546A1
Failed to adjust token to add shutdown privileges., xrefs: 00B54749
SeShutdownPrivilege, xrefs: 00B546B6
Failed to get shutdown privilege LUID., xrefs: 00B546FB

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSleepSystemValue
String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$c:\agent\_work\66\s\src\burn\user\user.cpp
API String ID: 2241679041-3136258258
Opcode ID: 652c7502ddee78b619448884e02baf902ae7385baa6e9a841b44e169e6b899e6
Instruction ID: 8df11a75ee7879efddc7c058974f104dc19bd5e63b1ec96eb196e3148a093037
Opcode Fuzzy Hash: 652c7502ddee78b619448884e02baf902ae7385baa6e9a841b44e169e6b899e6
Instruction Fuzzy Hash: CE414D73940235ABEB205BA45E4AF6F7AE8EB05B56F1200E5FF01F7190D7688C4886E1

Function 00B64E6A Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 164pipeCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 00B64E98
GetLastError.KERNEL32(?,00000000,?,?,00B5457C,?), ref: 00B64EA1
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,?,?,00000000,?,?,00B5457C,?), ref: 00B64F43
GetLastError.KERNEL32(?,00B5457C,?), ref: 00B64F50
CreateNamedPipeW.KERNEL32(000000FF,00080003,00000000,00000001,00010000,00010000,00000001,00000000,?,?,?,?,?,?,?,00B5457C), ref: 00B64FCB
GetLastError.KERNEL32(?,?,?,?,?,?,?,00B5457C,?), ref: 00B64FD6
CloseHandle.KERNEL32(00000000,c:\agent\_work\66\s\src\burn\user\pipe.cpp,00000132,00000000,?,?,?,?,?,?,?,00B5457C,?), ref: 00B65016
LocalFree.KERNEL32(00000000,?,00B5457C,?), ref: 00B65044

Strings

Failed to create pipe: %ls, xrefs: 00B64F81, 00B65007
Failed to create the security descriptor for the connection event and pipe., xrefs: 00B64ECF
Failed to allocate full name of cache pipe: %ls, xrefs: 00B64FAD
\\.\pipe\%ls.Cache, xrefs: 00B64F97
D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 00B64E93
c:\agent\_work\66\s\src\burn\user\pipe.cpp, xrefs: 00B64EC5, 00B64F74, 00B64FFA
\\.\pipe\%ls, xrefs: 00B64EF9
Failed to allocate full name of pipe: %ls, xrefs: 00B64F0F

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$CreateDescriptorNamedPipeSecurity$CloseConvertFreeHandleLocalString
String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$c:\agent\_work\66\s\src\burn\user\pipe.cpp
API String ID: 1214480349-1710103387
Opcode ID: 09e6bae999939d25e231a70046e0b303ab94730997deb8277ef1576554610f3e
Instruction ID: cbd3f639132cd5e85b1616c1d3e32fee56fc25dd8cfc43528276d9753908e39a
Opcode Fuzzy Hash: 09e6bae999939d25e231a70046e0b303ab94730997deb8277ef1576554610f3e
Instruction Fuzzy Hash: C451B572D40626BBDB219B94DD46B9EBBE4EF05B11F1101E1FD00B62D0E7BA9E40CAD1

Function 00B8F340 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 172encryptionfileCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000003,F0000040,00000003,00000000,00000000,00B69DDA,00000003,000007D0,00000003,?,000007D0,?,000007D0), ref: 00B8F3A5
GetLastError.KERNEL32 ref: 00B8F3AF
CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?), ref: 00B8F3EC
GetLastError.KERNEL32 ref: 00B8F3F6
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00B8F43D
ReadFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 00B8F461
GetLastError.KERNEL32 ref: 00B8F46B
CryptDestroyHash.ADVAPI32(00000000), ref: 00B8F4A8
CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00B8F4BF
GetLastError.KERNEL32 ref: 00B8F4D8
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000), ref: 00B8F510
GetLastError.KERNEL32 ref: 00B8F51A
SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00008004,00000001), ref: 00B8F553
GetLastError.KERNEL32 ref: 00B8F561

Strings

c:\agent\_work\66\s\src\libs\dutil\cryputil.cpp, xrefs: 00B8F48F

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease
String ID: c:\agent\_work\66\s\src\libs\dutil\cryputil.cpp
API String ID: 3955742341-1443093764
Opcode ID: 237a93ab2e384645ae43412f70897b84e1074b8988ae2dfc96c63a15309aae23
Instruction ID: 2a4c2f6311564965ee959db180bef9d4cfa32ace0a806cd264206069555e97f7
Opcode Fuzzy Hash: 237a93ab2e384645ae43412f70897b84e1074b8988ae2dfc96c63a15309aae23
Instruction Fuzzy Hash: FE51B336D40236ABDB319A558D09BFB7AE4EB04751F1540F6BE48FB260E6748D80CBE1

Function 00B69D74 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 180COMMON

Download Yara Rule

Strings

Failed to get cached path for package with cache id: %ls, xrefs: 00B69D9E
copying, xrefs: 00B69F06, 00B69F0E
Failed to move verified file to complete payload path: %ls, xrefs: 00B69F42
Failed to create unverified path., xrefs: 00B69E44
Failed to transfer working path to unverified path for payload: %ls., xrefs: 00B69E7A
Failed to reset permissions on unverified cached payload: %ls, xrefs: 00B69EC7
moving, xrefs: 00B69EFF
Failed to find payload: %ls in working path: %ls and unverified path: %ls, xrefs: 00B69EA1
Failed to concat complete cached path., xrefs: 00B69DCA

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID:
String ID: Failed to concat complete cached path.$Failed to create unverified path.$Failed to find payload: %ls in working path: %ls and unverified path: %ls$Failed to get cached path for package with cache id: %ls$Failed to move verified file to complete payload path: %ls$Failed to reset permissions on unverified cached payload: %ls$Failed to transfer working path to unverified path for payload: %ls.$copying$moving
API String ID: 0-1289240508
Opcode ID: dd6646c62e2215378a7d287300ffeb9ce7d7fadce3d7e6fa43362de571c48a2a
Instruction ID: 98fe08e1806d367f0c48bb9e5d8a9953cee27937a779db4b1e45c3fe5052704e
Opcode Fuzzy Hash: dd6646c62e2215378a7d287300ffeb9ce7d7fadce3d7e6fa43362de571c48a2a
Instruction Fuzzy Hash: 47518E32905515BBDF22AB90CD42FAEBAFAAF14700F1141E1F900B5161E7769F64AB80

Function 00B562CC Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 143COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C), ref: 00B5631A
GetLastError.KERNEL32 ref: 00B56324

Strings

Failed to get OS info., xrefs: 00B56352
Failed to set variant value., xrefs: 00B56445
c:\agent\_work\66\s\src\burn\user\variable.cpp, xrefs: 00B56348

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLastVersion
String ID: Failed to get OS info.$Failed to set variant value.$c:\agent\_work\66\s\src\burn\user\variable.cpp
API String ID: 305913169-1157376746
Opcode ID: a84d7aa91647eb86714fb1b00fbe88fa308e231d8563ea759812b07dbe41b381
Instruction ID: c586d6b40bcc993f2813e95cb59f1f71b4294212ca5a5a90093ad28c12d54c71
Opcode Fuzzy Hash: a84d7aa91647eb86714fb1b00fbe88fa308e231d8563ea759812b07dbe41b381
Instruction Fuzzy Hash: 0541C571A00228ABDB209B69DC45FEF7BF8EB45711F5040DAF945E7280D6309E45CB94

Function 00B5605F Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 106timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00B5608A
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 00B5609E
GetLastError.KERNEL32 ref: 00B560B0
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000000,?,00000000), ref: 00B56104
GetLastError.KERNEL32 ref: 00B5610E

Strings

Failed to set variant value., xrefs: 00B5614C
Failed to allocate the buffer for the Date., xrefs: 00B560EC
Failed to get the Date., xrefs: 00B56133
Failed to get the required buffer length for the Date., xrefs: 00B560D5
c:\agent\_work\66\s\src\burn\user\variable.cpp, xrefs: 00B560CB, 00B56129

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: DateErrorFormatLast$SystemTime
String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$c:\agent\_work\66\s\src\burn\user\variable.cpp
API String ID: 2700948981-3414009094
Opcode ID: 9c196fbb7df7e9f1b648546dcea50f74e7f0c5ebe4b95c4eaffc8e1a66a258b4
Instruction ID: c57747967d47a9254e878b15a4790339efe181a309a42d3a1a5202f78c30637c
Opcode Fuzzy Hash: 9c196fbb7df7e9f1b648546dcea50f74e7f0c5ebe4b95c4eaffc8e1a66a258b4
Instruction Fuzzy Hash: 2631D932A406296BDF1196A4DD82FBFBBF8AB04751F5100E5FF00F7291DA609D0887E1

Function 00B8F79E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00BBB5D4,00000000,?,?,?,?,00B71074,8007139F,Invalid operation for this state.,c:\agent\_work\66\s\src\burn\user\cabextract.cpp,000001C7,8007139F), ref: 00B8F7CC
GetCurrentProcessId.KERNEL32(00000000,?,00B71074,8007139F,Invalid operation for this state.,c:\agent\_work\66\s\src\burn\user\cabextract.cpp,000001C7,8007139F), ref: 00B8F7DC
GetCurrentThreadId.KERNEL32 ref: 00B8F7E5
GetLocalTime.KERNEL32(8007139F,?,00B71074,8007139F,Invalid operation for this state.,c:\agent\_work\66\s\src\burn\user\cabextract.cpp,000001C7,8007139F), ref: 00B8F7FB
LeaveCriticalSection.KERNEL32(00BBB5D4,00B71074,?,00000000,0000FDE9,?,00B71074,8007139F,Invalid operation for this state.,c:\agent\_work\66\s\src\burn\user\cabextract.cpp,000001C7,8007139F), ref: 00B8F8F2

Strings

%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 00B8F898

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
API String ID: 296830338-59366893
Opcode ID: c57cafa4db0f45d197e413ea02fa61b9df07ff5ab3f137c972b745a6a6ec2617
Instruction ID: 08af7b45054275111c055adc8445314b9325b07c400e79933870d477980a7867
Opcode Fuzzy Hash: c57cafa4db0f45d197e413ea02fa61b9df07ff5ab3f137c972b745a6a6ec2617
Instruction Fuzzy Hash: 8E416E72D0111AEBCF21AFA5D844BBEB7F9EB18701F1441B5F901A71A0DB749D41CBA2

Function 00B69A1D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 107filestringCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000,?,*.*,?,?,?,00000000,.unverified,?), ref: 00B69ACC
lstrlenW.KERNEL32(?), ref: 00B69AF3
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B69B53
FindClose.KERNEL32(00000000), ref: 00B69B5E

Part of subcall function 00B53D4E: GetFileAttributesW.KERNEL32(?,?,?,?,00000001,00000000,?), ref: 00B53DAD
Part of subcall function 00B53D4E: GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00B53DC0

Strings

*.*, xrefs: 00B69AA6
.unverified, xrefs: 00B69A60

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: FileFind$AttributesCloseErrorFirstLastNextlstrlen
String ID: *.*$.unverified
API String ID: 457978746-2528915496
Opcode ID: c494031f9de4166286e6441afad5bf44cd9cce60a830777970ba452f69cb0dc4
Instruction ID: 2fadbc3e872ff9fb9c579f955df6d98a9d8df950feb971271b9ade1a017d38e5
Opcode Fuzzy Hash: c494031f9de4166286e6441afad5bf44cd9cce60a830777970ba452f69cb0dc4
Instruction Fuzzy Hash: 1241503190062CAECF61AB64ED49BEEB7F8EF45701F1441E1E908E20A0EB749E85DF54

Function 00B98039 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 76timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000001,00000000), ref: 00B9808E
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 00B980A0

Strings

crypt32.dll, xrefs: 00B9805E
%04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 00B98077
feclient.dll, xrefs: 00B98068
%04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 00B980EB

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Time$InformationLocalSpecificSystemZone
String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ$crypt32.dll$feclient.dll
API String ID: 1772835396-1985132828
Opcode ID: ef60a7d18d67e954d78b76e9b470b71d7a6c500c0807dfc2a7d785a2ffa6a1b9
Instruction ID: eb4e951189a4102cbd6fe7fb7cf4078e63bd8a9a7ad6aa455d05d5d3ece2c7e4
Opcode Fuzzy Hash: ef60a7d18d67e954d78b76e9b470b71d7a6c500c0807dfc2a7d785a2ffa6a1b9
Instruction Fuzzy Hash: 792139A2901128AEDB20DBA9CC05FBFB3FCEB4C701F044496B945E2080E63CAA84D770

Function 00B56203 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00B56233
GetLastError.KERNEL32 ref: 00B5623D

Strings

Failed to get the user name., xrefs: 00B56266
Failed to set variant value., xrefs: 00B56282
c:\agent\_work\66\s\src\burn\user\variable.cpp, xrefs: 00B5625C

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLastNameUser
String ID: Failed to get the user name.$Failed to set variant value.$c:\agent\_work\66\s\src\burn\user\variable.cpp
API String ID: 2054405381-2744047247
Opcode ID: e8623b4e41b56b72c12ddd114a1e89aea7e8bdc991d03e9dca669a12285521b6
Instruction ID: bd16612bd255533c36d63beb3a2bb9042ead82b1d2304cd6635c941f78fce8f5
Opcode Fuzzy Hash: e8623b4e41b56b72c12ddd114a1e89aea7e8bdc991d03e9dca669a12285521b6
Instruction Fuzzy Hash: BC01D632A003396BCB21AB659C45FAF77E8AF00751F5142E5FC04F7281DE649D4887D1

Function 00B52078 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00B542CC,00B554CB,?,00000000,00000000,00000000,?,80070656,?,?,?,00B6E5B6,00000000,00B554CB,00000000,80070656), ref: 00B520A9
GetLastError.KERNEL32(?,?,?,00B6E5B6,00000000,00B554CB,00000000,80070656,?,?,00B64042,00B554CB,?,80070656,00000001,crypt32.dll), ref: 00B520B6
LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,00B6E5B6,00000000,00B554CB,00000000,80070656,?,?,00B64042,00B554CB), ref: 00B520FD

Strings

c:\agent\_work\66\s\src\libs\dutil\strutil.cpp, xrefs: 00B520DA

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: c:\agent\_work\66\s\src\libs\dutil\strutil.cpp
API String ID: 1365068426-792799584
Opcode ID: 0842c801856d56d60240631f31b33fdf682129a90fdd96d553dd3f4a6ed26d6b
Instruction ID: 4cdc841d9fd6aabd11ccf5129093b04cc42bca07b790d4beee895bcb616626f9
Opcode Fuzzy Hash: 0842c801856d56d60240631f31b33fdf682129a90fdd96d553dd3f4a6ed26d6b
Instruction Fuzzy Hash: E4018EB6802129FBDB108B90DD05EDABAECEB05751F1140E2BE01F7240E6348E44DBE0

Function 00B768EE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00B7689A,00000000,00000003), ref: 00B76905
GetLastError.KERNEL32(?,00B7689A,00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,00B76C89,?), ref: 00B7690F

Strings

Failed to set service start type., xrefs: 00B7693D
c:\agent\_work\66\s\src\burn\user\msuuser.cpp, xrefs: 00B76933

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ChangeConfigErrorLastService
String ID: Failed to set service start type.$c:\agent\_work\66\s\src\burn\user\msuuser.cpp
API String ID: 1456623077-3535627199
Opcode ID: 5bf66040af4f0917e660ac52d615e00419ddd5b7718ef4cbba6ab19c5b7e860f
Instruction ID: f20f6af2cbd01d0543879e5b980f12a5ece1c2529d63437d7710d488e5e6ffee
Opcode Fuzzy Hash: 5bf66040af4f0917e660ac52d615e00419ddd5b7718ef4cbba6ab19c5b7e860f
Instruction Fuzzy Hash: E6F0EC376455353786212595AD05F4B7EC89F06BB17114391FF3CB62D0A9298D0083D4

Function 00B834A2 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00B8359A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00B835A4
UnhandledExceptionFilter.KERNEL32(80003CDD,?,?,?,?,?,?), ref: 00B835B1

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 250697c6a5c4e5de4abd025a641e6b4e7301066b0a8a382297f9dcbeaa89beac
Instruction ID: 93d25be39108726d9ee9fcf4f31c86fc8998cee55c702744aa91054d1560254a
Opcode Fuzzy Hash: 250697c6a5c4e5de4abd025a641e6b4e7301066b0a8a382297f9dcbeaa89beac
Instruction Fuzzy Hash: 5E31B475901228ABCB21EF64D9897D8BBF4AF08710F6041EAE41CA7261EB709F85CF45

Function 00B84104 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00B840DA,00000000,00BB7908,0000000C,00B84231,00000000,00000002,00000000), ref: 00B84125
TerminateProcess.KERNEL32(00000000,?,00B840DA,00000000,00BB7908,0000000C,00B84231,00000000,00000002,00000000), ref: 00B8412C
ExitProcess.KERNEL32 ref: 00B8413E

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: d085f6a4e2795531b1bdb22de8a9ff24c431c0eef05e663eba0251d4825559ce
Instruction ID: fc4706d0bb06ac2dc6d44847971b67315893e35cf4f3c019a6d3b17fc4b8dc81
Opcode Fuzzy Hash: d085f6a4e2795531b1bdb22de8a9ff24c431c0eef05e663eba0251d4825559ce
Instruction Fuzzy Hash: 24E0B631011219AFCF117F54DE0DA487FAAEB51755F404055F906AB232CF39DD82CB81

Function 00B87437 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00B87501

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 35809e02750ca134a50f60d536502c55d6a970b0e73cfd265fd558ecd59d71b6
Instruction ID: 0251a8decd489be08d7a23931442930c2e290dd68d771b78f5f520001d18ea6b
Opcode Fuzzy Hash: 35809e02750ca134a50f60d536502c55d6a970b0e73cfd265fd558ecd59d71b6
Instruction Fuzzy Hash: 124107729442196BCB20EF78CC89DAB77E8EB84718F7446A8F90597290EA30DE41CB50

Function 00B932B9 Relevance: 3.1, APIs: 2, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B93448: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00B932E8,?), ref: 00B934B9

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B9330C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B9331D

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AllocateCheckCloseInitializeMembershipToken
String ID:
API String ID: 2114926846-0
Opcode ID: 513572f8a0a1d8d28cdecc68d725ff9774ca8bbe4b6f2875b1e6f8a2e3f048b6
Instruction ID: 5f3d9c4102eb7f1fb5cf049eee59a921f0e04fc2054558191a88adadc997db0e
Opcode Fuzzy Hash: 513572f8a0a1d8d28cdecc68d725ff9774ca8bbe4b6f2875b1e6f8a2e3f048b6
Instruction Fuzzy Hash: 961139B190020AEBDF10DFA4DD85BAEB7F8FF08744F60447AA501E7141DB709A44CB95

Function 00B93C72 Relevance: 3.0, APIs: 2, Instructions: 43fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00B78F6B,?,00000100,00000000,00000000), ref: 00B93CAD
FindClose.KERNEL32(00000000), ref: 00B93CB9

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 59b5f136582941eae88e57957b336b56143331c26ae0360bf863622d61bfe703
Instruction ID: 75775e9ccc8d8cce4bcc075dcec8649b75754da6d19c65e9d72f86c02b4e5794
Opcode Fuzzy Hash: 59b5f136582941eae88e57957b336b56143331c26ae0360bf863622d61bfe703
Instruction Fuzzy Hash: 7801D6716006186BCB10EF699D89DAAB3FCEBC5715F0000A5F519E3280DA349E498764

Function 00B5FF35 Relevance: 86.2, APIs: 1, Strings: 48, Instructions: 482registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000101,?,?,00020006,00000000), ref: 00B6052B

Strings

NoElevateOnModify, xrefs: 00B60370, 00B60383
NoModify, xrefs: 00B60324, 00B60337
VersionMinor, xrefs: 00B600D1, 00B600D7
HelpTelephone, xrefs: 00B60219, 00B6022C
Publisher, xrefs: 00B601CD, 00B601E0
UninstallString, xrefs: 00B60422, 00B60438
"%ls" /modify, xrefs: 00B60349
VersionMajor, xrefs: 00B600A8, 00B600AE
BundleAddonCode, xrefs: 00B60011, 00B60019
ParentKeyName, xrefs: 00B602AB, 00B602BE
"%ls" /uninstall /quiet, xrefs: 00B603E1
"%ls" %ls, xrefs: 00B6041D
SystemComponent, xrefs: 00B603C1, 00B603D4
/uninstall, xrefs: 00B60414, 00B60419
Failed to write software tags., xrefs: 00B6045E
BundleUpgradeCode, xrefs: 00B5FFF3, 00B5FFFB
3.11.2.4516, xrefs: 00B6012C
BundleCachePath, xrefs: 00B5FFD8, 00B5FFDD
Failed to cache bundle from path: %ls, xrefs: 00B5FF8B
%hu.%hu.%hu.%hu, xrefs: 00B60089
crypt32.dll, xrefs: 00B6017A, 00B601BB, 00B60452, 00B60471
NoRemove, xrefs: 00B6039C, 00B603AF
BundleVersion, xrefs: 00B6006B, 00B6008E
Comments, xrefs: 00B602D3, 00B602E6
EstimatedSize, xrefs: 00B604B5, 00B604BA, 00B604C9
ModifyPath, xrefs: 00B6034E, 00B60364
DisplayVersion, xrefs: 00B6019A, 00B601AD
Failed to create registration key., xrefs: 00B5FFB8
URLInfoAbout, xrefs: 00B6023F, 00B60252
BundleTag, xrefs: 00B60114, 00B60119
%s,0, xrefs: 00B60159
Failed to update resume mode., xrefs: 00B60506
BundleDetectCode, xrefs: 00B6002F, 00B60037
URLUpdateInfo, xrefs: 00B60265, 00B60278
Contact, xrefs: 00B602FB, 00B6030E
Failed to write %ls value., xrefs: 00B604CA
DisplayIcon, xrefs: 00B60154, 00B6015E
ParentDisplayName, xrefs: 00B6028B, 00B6029E
/modify, xrefs: 00B6040D
BundlePatchCode, xrefs: 00B6004D, 00B60055
Failed to update name and publisher., xrefs: 00B60187
%hs, xrefs: 00B60131
Failed to write update registration., xrefs: 00B6047E
QuietUninstallString, xrefs: 00B603E6, 00B603FC
EngineVersion, xrefs: 00B60136, 00B6013B
BundleProviderKey, xrefs: 00B600F3, 00B600F8
Failed to register the bundle dependency key., xrefs: 00B604EC
HelpLink, xrefs: 00B601F3, 00B60206

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Close
String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.11.2.4516$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayVersion$userVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update name and publisher.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor$crypt32.dll
API String ID: 3535843008-3218910351
Opcode ID: 15d9f9e8b79884c9ba6359d5b7d40bf2347b567ae87caa53973f7bebddc212ab
Instruction ID: 61917a73a4c4b104a0c58a2b336507c60f85d643bc41bf1f380a69eae92269fb
Opcode Fuzzy Hash: 15d9f9e8b79884c9ba6359d5b7d40bf2347b567ae87caa53973f7bebddc212ab
Instruction Fuzzy Hash: 79F1C031A65A26FBDF227A65CC42B6B7AE4EF15714F0041E0FD00B6261CB79ED60A6D0

Function 00B5CD76 Relevance: 73.9, APIs: 3, Strings: 39, Instructions: 365COMMON

Download Yara Rule

APIs

Part of subcall function 00B539DF: GetProcessHeap.KERNEL32(?,000001C7,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F0
Part of subcall function 00B539DF: RtlAllocateHeap.NTDLL(00000000,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F7

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,00B5549A,00000000,00B9BB64,00B55482,00000000), ref: 00B5CEAC

Strings

c:\agent\_work\66\s\src\burn\user\payload.cpp, xrefs: 00B5CDF8
CertificateRootThumbprint, xrefs: 00B5D033
Failed to get payload node count., xrefs: 00B5CDC9
Container, xrefs: 00B5CF04
Hash, xrefs: 00B5D070
LayoutOnly, xrefs: 00B5CF46
Failed to get @Id., xrefs: 00B5D1D8
Failed to get @FilePath., xrefs: 00B5D1D1
Packaging, xrefs: 00B5CE7F
DownloadUrl, xrefs: 00B5CF92
Failed to hex decode the Payload/@Hash., xrefs: 00B5D193
Failed to get @Hash., xrefs: 00B5D19A
FileSize, xrefs: 00B5CFBB
Failed to find catalog., xrefs: 00B5D185
Failed to get @CertificateRootThumbprint., xrefs: 00B5D17E
CertificateRootPublicKeyIdentifier, xrefs: 00B5CFF6
Failed to allocate memory for payload structs., xrefs: 00B5CE02
download, xrefs: 00B5CE9E
Failed to get @Packaging., xrefs: 00B5D1CA
FilePath, xrefs: 00B5CE64
Failed to select payload nodes., xrefs: 00B5CDA4
Failed to parse @FileSize., xrefs: 00B5D158
external, xrefs: 00B5CEDA
Catalog, xrefs: 00B5D0A5
SourcePath, xrefs: 00B5CF69
Failed to get @LayoutOnly., xrefs: 00B5D14E
Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 00B5D170
Failed to get next node., xrefs: 00B5D1DF
Failed to get @SourcePath., xrefs: 00B5D1A8
Invalid value for @Packaging: %ls, xrefs: 00B5D1B7
Failed to to find container: %ls, xrefs: 00B5D13D
Failed to hex decode @CertificateRootThumbprint., xrefs: 00B5D177
embedded, xrefs: 00B5CEBE
Failed to get @Container., xrefs: 00B5D144
Failed to get @FileSize., xrefs: 00B5D162
Payload, xrefs: 00B5CD91
Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 00B5D169
Failed to get @DownloadUrl., xrefs: 00B5D1A1
Failed to get @Catalog., xrefs: 00B5D18C

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Heap$AllocateCompareProcessString
String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$c:\agent\_work\66\s\src\burn\user\payload.cpp$download$embedded$external
API String ID: 1171520630-705547078
Opcode ID: 87ebb707680c4fd602126be7f060f31299b2389ca2663624888ca50b1f3afc67
Instruction ID: 78c49e7b9509e2cbade4002f6d036c87406041297619365f3e36b0b8bf0b15a9
Opcode Fuzzy Hash: 87ebb707680c4fd602126be7f060f31299b2389ca2663624888ca50b1f3afc67
Instruction Fuzzy Hash: 4CC18171941A2ABBDF21EA50CD41F6DBBE5EB04712F1042F5ED21BB1A0D770EE099790

Function 00B58463 Relevance: 59.8, APIs: 5, Strings: 29, Instructions: 331COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00B55482,?,00000000,80070490,?,?,?,?,?,?,?,?,00B7BEAE,?,00B55482,?), ref: 00B58494
LeaveCriticalSection.KERNEL32(00B55482,?,?,?,?,?,?,?,?,00B7BEAE,?,00B55482,?,00B55482,00B55482,Chain), ref: 00B587F7

Strings

Variable, xrefs: 00B5849E
Invalid value for @Type: %ls, xrefs: 00B5875E
Failed to get @Id., xrefs: 00B587E2
Initializing hidden variable '%ls', xrefs: 00B5865E
version, xrefs: 00B58619
Type, xrefs: 00B58590
Failed to insert variable '%ls'., xrefs: 00B58789
Failed to get variable node count., xrefs: 00B584CE
Initializing numeric variable '%ls' to value '%ls', xrefs: 00B585CF
Failed to set variant encryption, xrefs: 00B58790
Value, xrefs: 00B58552
Initializing string variable '%ls' to value '%ls', xrefs: 00B58607
Attempt to set built-in variable value: %ls, xrefs: 00B587BB
Failed to find variable value '%ls'., xrefs: 00B587C5
Initializing version variable '%ls' to value '%ls', xrefs: 00B58640
Failed to set value of variable: %ls, xrefs: 00B5879A
numeric, xrefs: 00B585A9
Failed to get next node., xrefs: 00B587E9
Failed to get @Hidden., xrefs: 00B587DB
Hidden, xrefs: 00B5851C
string, xrefs: 00B585E4
Failed to get @Persisted., xrefs: 00B587D4
Failed to set variant value., xrefs: 00B58778
Persisted, xrefs: 00B58537
Failed to get @Value., xrefs: 00B5877F
Failed to get @Type., xrefs: 00B58771
Failed to select variable nodes., xrefs: 00B584B1
c:\agent\_work\66\s\src\burn\user\variable.cpp, xrefs: 00B587AC
Failed to change variant type., xrefs: 00B587CD

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$c:\agent\_work\66\s\src\burn\user\variable.cpp$numeric$string$version
API String ID: 3168844106-1329848934
Opcode ID: a87efbc5ef96c7d07baaecb0f0b68583ac04e96d1df3e766653d341c1922213f
Instruction ID: d566fd147761e4862b1fbbeff51b9eff95859bece78d6dbefecf33de8b9a563a
Opcode Fuzzy Hash: a87efbc5ef96c7d07baaecb0f0b68583ac04e96d1df3e766653d341c1922213f
Instruction Fuzzy Hash: 66B18F72D00219BBCF11AB94DD85FAEBBF5EF48712F2045E5F910B61A1CB709E049B90

Function 00B76A2D Relevance: 58.1, APIs: 7, Strings: 26, Instructions: 378COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00B6BC99,00000007,?,?,?), ref: 00B76A81

Part of subcall function 00B9038A: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00B55EE0,00000000), ref: 00B9039E
Part of subcall function 00B9038A: GetProcAddress.KERNEL32(00000000), ref: 00B903A5
Part of subcall function 00B9038A: GetLastError.KERNEL32(?,?,?,00B55EE0,00000000), ref: 00B903BC

CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 00B76E70
CloseHandle.KERNEL32(00000000,?,000001F4,?,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025), ref: 00B76E84

Strings

"%ls" "%ls" /quiet /norestart, xrefs: 00B76BA9
wusa.exe, xrefs: 00B76B01
D, xrefs: 00B76C9C
Failed to append log switch to MSU command-line., xrefs: 00B76C17
"%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 00B76BD6
Failed to determine WOW64 status., xrefs: 00B76A93
Failed to find System32 directory., xrefs: 00B76AF6
Failed to CreateProcess on path: %ls, xrefs: 00B76CFB
Failed to find Windows directory., xrefs: 00B76AC0
/log:, xrefs: 00B76C03
Failed to format MSU uninstall command., xrefs: 00B76BEA
Failed to get action arguments for MSU package., xrefs: 00B76B37
Failed to wait for executable to complete: %ls, xrefs: 00B76DFF
c:\agent\_work\66\s\src\burn\user\msuuser.cpp, xrefs: 00B76CEE, 00B76D83, 00B76DAB
Failed to get cached path for package: %ls, xrefs: 00B76B5D
Failed to allocate WUSA.exe path., xrefs: 00B76B14
Bootstrapper application aborted during MSU progress., xrefs: 00B76DB5
2, xrefs: 00B76D14
Failed to append log path to MSU command-line., xrefs: 00B76C35
SysNative\, xrefs: 00B76ACB
Failed to ensure WU service was enabled to install MSU package., xrefs: 00B76C8F
Failed to get process exit code., xrefs: 00B76D8D
Failed to format MSU install command., xrefs: 00B76BBD
WixBundleExecutePackageCacheFolder, xrefs: 00B76B6C, 00B76E9C
Failed to build MSU path., xrefs: 00B76B96
Failed to append SysNative directory., xrefs: 00B76ADE

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Handle$Close$AddressCurrentErrorLastModuleProcProcess
String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$WixBundleExecutePackageCacheFolder$c:\agent\_work\66\s\src\burn\user\msuuser.cpp$wusa.exe
API String ID: 1400713077-2603125353
Opcode ID: 3a68e940eb480bab4acfe871622142618d3a4a457020e5497f1a43f3195ec000
Instruction ID: d79fe38794f25dcbb22923a82de1e066c58f8c7859b0e454b1881ca7704c4ad0
Opcode Fuzzy Hash: 3a68e940eb480bab4acfe871622142618d3a4a457020e5497f1a43f3195ec000
Instruction Fuzzy Hash: 7DD19070A0070AABDF119FE4CD86BAE7BF8EF09700F1084F5B628B6161D7B59D449B51

Function 00B96C19 Relevance: 47.6, APIs: 13, Strings: 14, Instructions: 339COMMON

Download Yara Rule

APIs

Part of subcall function 00B539DF: GetProcessHeap.KERNEL32(?,000001C7,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F0
Part of subcall function 00B539DF: RtlAllocateHeap.NTDLL(00000000,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F7

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 00B96D2C
SysFreeString.OLEAUT32(00000000), ref: 00B96EF5
SysFreeString.OLEAUT32(00000000), ref: 00B96F92

Strings

subtitle, xrefs: 00B96D9B
generator, xrefs: 00B96D1F
category, xrefs: 00B96C87, 00B96E34
`Dv, xrefs: 00B96EF5, 00B96F92
(, xrefs: 00B96ED0
link, xrefs: 00B96CC1, 00B96EA3
logo, xrefs: 00B96D7F
c:\agent\_work\66\s\src\libs\dutil\atomutil.cpp, xrefs: 00B96C46, 00B96F7C
updated, xrefs: 00B96DD3
title, xrefs: 00B96DB7
author, xrefs: 00B96C6A, 00B96DFB
icon, xrefs: 00B96D43
@, xrefs: 00B96E9B
entry, xrefs: 00B96CA4, 00B96E6D

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: String$FreeHeap$AllocateCompareProcess
String ID: ($@$`Dv$author$c:\agent\_work\66\s\src\libs\dutil\atomutil.cpp$category$entry$generator$icon$link$logo$subtitle$title$updated
API String ID: 1555028553-2206689201
Opcode ID: 18f1139a8a609521c7f038a8464d6b0d4be13a881406452d491c4ac6d5e54a95
Instruction ID: fb2ce16389cc6dbcf06a6899bc7d220dbf5554d3e9719ddc4abfe5f08375eb7c
Opcode Fuzzy Hash: 18f1139a8a609521c7f038a8464d6b0d4be13a881406452d491c4ac6d5e54a95
Instruction Fuzzy Hash: 11B14C75A44616BBDF219B64CC91FAEB7E4AB04720F2043F5F521AA2E1DB70EE40D790

Function 00B968DE Relevance: 47.5, APIs: 11, Strings: 16, Instructions: 297COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,00BB6470,000000FF,?,?,?), ref: 00B969A5
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,summary,000000FF), ref: 00B969CA
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 00B969EA
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,published,000000FF), ref: 00B96A06
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,updated,000000FF), ref: 00B96A2E
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,author,000000FF), ref: 00B96A4A
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,category,000000FF), ref: 00B96A83
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,content,000000FF), ref: 00B96ABC

Part of subcall function 00B96527: SysFreeString.OLEAUT32(00000000), ref: 00B96660
Part of subcall function 00B96527: SysFreeString.OLEAUT32(00000000), ref: 00B9669F

SysFreeString.OLEAUT32(00000000), ref: 00B96B40
SysFreeString.OLEAUT32(00000000), ref: 00B96BF0

Strings

clbcatq.dll, xrefs: 00B96A13
(, xrefs: 00B96B1B
summary, xrefs: 00B969BC
category, xrefs: 00B96926, 00B96A75
`Dv, xrefs: 00B96B40, 00B96BF0
link, xrefs: 00B96943, 00B96AEE
c:\agent\_work\66\s\src\libs\dutil\atomutil.cpp, xrefs: 00B96BDD
version.dll, xrefs: 00B96904
updated, xrefs: 00B96A20
title, xrefs: 00B969DC
author, xrefs: 00B96909, 00B96A3C
msi.dll, xrefs: 00B96908
content, xrefs: 00B96AAE
feclient.dll, xrefs: 00B969D7
published, xrefs: 00B969F8
cabinet.dll, xrefs: 00B96921

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: String$Compare$Free
String ID: ($`Dv$author$c:\agent\_work\66\s\src\libs\dutil\atomutil.cpp$cabinet.dll$category$clbcatq.dll$content$feclient.dll$link$msi.dll$published$summary$title$updated$version.dll
API String ID: 318886736-1888923897
Opcode ID: bacc5769cf86487a38ea12288410d586146b65218f3987460f13de871bdf0aba
Instruction ID: 796bf5e8e6456a9e780b115bee933ba6173bc9a52e4f2851cc6f4f6048f68c24
Opcode Fuzzy Hash: bacc5769cf86487a38ea12288410d586146b65218f3987460f13de871bdf0aba
Instruction Fuzzy Hash: F4A14D72944616BBDF219B54CC82FA977E4EB04720F2043B5F521AA2D1EB74EE50DB90

Function 00B7D10E Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 283synchronizationprocessCOMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 00B7D183
StringFromGUID2.OLE32(?,?,00000027), ref: 00B7D1AC
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?), ref: 00B7D295
GetLastError.KERNEL32(?,?,?,?), ref: 00B7D29F
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 00B7D338
WaitForSingleObject.KERNEL32(00B9A500,000000FF,?,?,?,?), ref: 00B7D343
ReleaseMutex.KERNEL32(00B9A500,?,?,?,?), ref: 00B7D36D
GetExitCodeProcess.KERNEL32(?,?), ref: 00B7D38E
GetLastError.KERNEL32(?,?,?,?), ref: 00B7D39C
GetLastError.KERNEL32(?,?,?,?), ref: 00B7D3D4

Part of subcall function 00B7D016: WaitForSingleObject.KERNEL32(?,000000FF,762330B0,00000000,?,?,?,00B7D312,?), ref: 00B7D035
Part of subcall function 00B7D016: ReleaseMutex.KERNEL32(?,?,?,00B7D312,?), ref: 00B7D049
Part of subcall function 00B7D016: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B7D08E
Part of subcall function 00B7D016: ReleaseMutex.KERNEL32(?), ref: 00B7D0A1
Part of subcall function 00B7D016: SetEvent.KERNEL32(?), ref: 00B7D0AA

CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 00B7D47D
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 00B7D495

Strings

Failed to wait for netfx chainer process to complete, xrefs: 00B7D402
Failed to CreateProcess on path: %ls, xrefs: 00B7D2CE
Failed to allocate netfx chainer arguments., xrefs: 00B7D263
Failed to allocate event name., xrefs: 00B7D20F
Failed to allocate section name., xrefs: 00B7D1ED
Failed to create netfx chainer., xrefs: 00B7D22E
Failed to process netfx chainer message., xrefs: 00B7D318
NetFxSection.%ls, xrefs: 00B7D1D9
Failed to convert netfx chainer guid into string., xrefs: 00B7D1CB
c:\agent\_work\66\s\src\burn\user\netfxchainer.cpp, xrefs: 00B7D1C1, 00B7D2C3, 00B7D3C0, 00B7D3F8
D, xrefs: 00B7D27A
NetFxEvent.%ls, xrefs: 00B7D1FB
%ls /pipe %ls, xrefs: 00B7D24F
Failed to create netfx chainer guid., xrefs: 00B7D190
Failed to get netfx return code., xrefs: 00B7D3CA

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Wait$ErrorLastMutexObjectReleaseSingle$CloseCreateHandleProcess$CodeEventExitFromMultipleObjectsStringUuid
String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxEvent.%ls$NetFxSection.%ls$c:\agent\_work\66\s\src\burn\user\netfxchainer.cpp
API String ID: 1533322865-308814414
Opcode ID: 1ffef921bad851101226c88052643ab0f385a9333edda1a9e50764c38d9e9f6c
Instruction ID: 0c0923d836b578eedd39f23efa2031dac89853619c337f7eb7f91e68f730170d
Opcode Fuzzy Hash: 1ffef921bad851101226c88052643ab0f385a9333edda1a9e50764c38d9e9f6c
Instruction Fuzzy Hash: ADA1AC32D04229ABEB219BA4CD41BAEBBF8AF04750F1181E5ED18FB251E7359D448F91

Function 00B6545D Relevance: 45.7, APIs: 17, Strings: 9, Instructions: 228filepipesleepCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,?,00B9A500,?,00000000,?,00B5457C,?,00B9A500), ref: 00B6547E
GetCurrentProcessId.KERNEL32(?,00B5457C,?,00B9A500), ref: 00B65489
SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,00B5457C,?,00B9A500), ref: 00B654C0
ConnectNamedPipe.KERNEL32(?,00000000,?,00B5457C,?,00B9A500), ref: 00B654D5
GetLastError.KERNEL32(?,00B5457C,?,00B9A500), ref: 00B654DF
Sleep.KERNEL32(00000064,?,00B5457C,?,00B9A500), ref: 00B65514
SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,00B5457C,?,00B9A500), ref: 00B65537
WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,00B5457C,?,00B9A500), ref: 00B65552
WriteFile.KERNEL32(?,00B5457C,00B9A500,00000000,00000000,?,00B5457C,?,00B9A500), ref: 00B6556D
WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,00B5457C,?,00B9A500), ref: 00B65588
ReadFile.KERNEL32(?,00000000,00000004,00000000,00000000,?,00B5457C,?,00B9A500), ref: 00B655A3
GetLastError.KERNEL32(?,00B5457C,?,00B9A500), ref: 00B655FE
GetLastError.KERNEL32(?,00B5457C,?,00B9A500), ref: 00B65632
GetLastError.KERNEL32(?,00B5457C,?,00B9A500), ref: 00B65666
GetLastError.KERNEL32(?,00B5457C,?,00B9A500), ref: 00B6569A
GetLastError.KERNEL32(?,00B5457C,?,00B9A500), ref: 00B656CB
GetLastError.KERNEL32(?,00B5457C,?,00B9A500), ref: 00B656FC

Strings

crypt32.dll, xrefs: 00B65550
Failed to write our process id to pipe., xrefs: 00B6565C
Failed to reset pipe to blocking., xrefs: 00B656F5
Failed to write secret length to pipe., xrefs: 00B656C4
Failed to read ACK from pipe., xrefs: 00B65628
Failed to write secret to pipe., xrefs: 00B65690
c:\agent\_work\66\s\src\burn\user\pipe.cpp, xrefs: 00B655EA, 00B6561E, 00B65652, 00B65686, 00B656BA, 00B656EB, 00B6571C
Failed to set pipe to non-blocking., xrefs: 00B65726
Failed to wait for child to connect to pipe., xrefs: 00B655F4

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$c:\agent\_work\66\s\src\burn\user\pipe.cpp$crypt32.dll
API String ID: 2944378912-152052350
Opcode ID: 4f362345e9f589a2574a919116b6f3dec3b0287ff8cee61ea9a5b743fe05e62a
Instruction ID: 9173b3816501156b902cdac0c23c91cf868899983f512f1b464f6ebf4f762598
Opcode Fuzzy Hash: 4f362345e9f589a2574a919116b6f3dec3b0287ff8cee61ea9a5b743fe05e62a
Instruction Fuzzy Hash: A561D673D40635BBD7309AA48D49FAEB6E8AF10B51F1141A1BE01FB290DA7CDD1087E5

Function 00B5A3D4 Relevance: 44.1, APIs: 8, Strings: 17, Instructions: 311registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00B5A418
_MREFOpen@16.MSPDB140-MSVCRT ref: 00B5A440
RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 00B5A73F

Strings

Failed to format key string., xrefs: 00B5A425
Failed to allocate memory registry value., xrefs: 00B5A54F
Failed to change value type., xrefs: 00B5A6E3, 00B5A706
Failed to set variable., xrefs: 00B5A701
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 00B5A717
Failed to format value string., xrefs: 00B5A44D
Registry key not found. Key = '%ls', xrefs: 00B5A478
Failed to get expand environment string., xrefs: 00B5A6AD
Failed to query registry key value., xrefs: 00B5A5A4
c:\agent\_work\66\s\src\burn\user\search.cpp, xrefs: 00B5A510, 00B5A545, 00B5A598, 00B5A6A1
Failed to clear variable., xrefs: 00B5A49E
Failed to read registry value., xrefs: 00B5A6C8
Unsupported registry key value type. Type = '%u', xrefs: 00B5A5D2
Failed to allocate string buffer., xrefs: 00B5A633
Failed to query registry key value size., xrefs: 00B5A51C
Failed to open registry key., xrefs: 00B5A4B3
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00B5A4E2

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Open@16$Close
String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$c:\agent\_work\66\s\src\burn\user\search.cpp
API String ID: 2348241696-2754605460
Opcode ID: 9ec7cc38b917ac772845b8d0d5db28fab91ecf00e408766cedd70785aa252bd3
Instruction ID: e511e532a48556c6343a41412182c5468fd74f7f631e1cd28dfacf5523d2f939
Opcode Fuzzy Hash: 9ec7cc38b917ac772845b8d0d5db28fab91ecf00e408766cedd70785aa252bd3
Instruction Fuzzy Hash: 2FA1C772E00125ABCF129AE4D855FAE7AF9EF08712F1582E1FD01B7250D7719D089BE2

Function 00B557A7 Relevance: 42.5, APIs: 5, Strings: 19, Instructions: 477stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000100,00000000,?,00B5A889,00000100,000002C0,000002C0,00000100), ref: 00B557CC
lstrlenW.KERNEL32(000002C0,?,00B5A889,00000100,000002C0,000002C0,00000100), ref: 00B557D6
_wcschr.LIBVCRUNTIME ref: 00B559DB
LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,00B5A889,00000100,000002C0,000002C0,00000100), ref: 00B55C7E

Strings

Failed to get formatted length., xrefs: 00B55BC6
Failed to append string., xrefs: 00B55852
Failed to set record format string., xrefs: 00B55B08
Failed to allocate variable array., xrefs: 00B55AB9
Failed to reallocate variable array., xrefs: 00B55A60
Failed to get variable name., xrefs: 00B55AC0
Failed to format placeholder string., xrefs: 00B55A8B
Failed to append placeholder., xrefs: 00B55A81
Failed to set variable value., xrefs: 00B55A95
*****, xrefs: 00B5594D
Failed to determine variable visibility: '%ls'., xrefs: 00B55A6E
Failed to format record., xrefs: 00B55C42
Failed to allocate string., xrefs: 00B55BF5
Failed to allocate buffer for format string., xrefs: 00B557F4
Failed to set record string., xrefs: 00B55B94
[%d], xrefs: 00B55996
Failed to allocate record., xrefs: 00B55A3F
Failed to copy string., xrefs: 00B55C62
c:\agent\_work\66\s\src\burn\user\variable.cpp, xrefs: 00B55A32, 00B55A53, 00B55AAC, 00B55AFE, 00B55B8A, 00B55BBC, 00B55C38

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalSection$EnterLeave_wcschrlstrlen
String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$c:\agent\_work\66\s\src\burn\user\variable.cpp
API String ID: 1026845265-1173883696
Opcode ID: 2c0844cff88ee4dd0c9ac7ce90d85407e5f5d185434e9821476ec40d24127f38
Instruction ID: 5bbdab430cfafa4cd2fd97267278418844bcd32a7fa965c05abde13c07531ebf
Opcode Fuzzy Hash: 2c0844cff88ee4dd0c9ac7ce90d85407e5f5d185434e9821476ec40d24127f38
Instruction Fuzzy Hash: 4EF1B471D00625ABDF209F648891FAF7BF4EF04B53F1581E9BD15AB250D7349E098BA0

Function 00B7CB5D Relevance: 40.5, APIs: 12, Strings: 11, Instructions: 239synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00B539DF: GetProcessHeap.KERNEL32(?,000001C7,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F0
Part of subcall function 00B539DF: RtlAllocateHeap.NTDLL(00000000,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F7

CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000000,00000018,00000001,?,00000000,?,?,00B7D228,?,?,?), ref: 00B7CBA3
GetLastError.KERNEL32(?,?,00B7D228,?,?,?), ref: 00B7CBB0
ReleaseMutex.KERNEL32(?), ref: 00B7CE18

Strings

%ls_mutex, xrefs: 00B7CC51
Failed to allocate memory for NetFxChainer struct., xrefs: 00B7CB89
c:\agent\_work\66\s\src\burn\user\netfxchainer.cpp, xrefs: 00B7CB7F, 00B7CBD1, 00B7CC36, 00B7CCA5, 00B7CCF7, 00B7CD3F
Failed to memory map cabinet file: %ls, xrefs: 00B7CD04
failed to allocate memory for event name, xrefs: 00B7CBF6
failed to allocate memory for mutex name, xrefs: 00B7CC65
%ls_send, xrefs: 00B7CBE2
failed to copy event name to shared memory structure., xrefs: 00B7CD76
Failed to create mutex: %ls, xrefs: 00B7CCB2
Failed to create event: %ls, xrefs: 00B7CC43
Failed to MapViewOfFile for %ls., xrefs: 00B7CD4C

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$c:\agent\_work\66\s\src\burn\user\netfxchainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
API String ID: 3944734951-2874813099
Opcode ID: 7a15a30bb8f3336d7ce9d1f7c3dbe0eed472dcc7893bd9799ae01274c162294b
Instruction ID: 7d20a95b1f865a6f5a9e1225999eb67edcebc9663f86e7ffcaa02f9c42e8d74e
Opcode Fuzzy Hash: 7a15a30bb8f3336d7ce9d1f7c3dbe0eed472dcc7893bd9799ae01274c162294b
Instruction Fuzzy Hash: 6381F072A41622BBC7228BA88D49F9A7EE4FF05750F0181FDFD18AB361D624DD00C6E1

Function 00B5E9FC Relevance: 40.5, APIs: 4, Strings: 19, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00B92B5D: VariantInit.OLEAUT32(?), ref: 00B92B73
Part of subcall function 00B92B5D: SysAllocString.OLEAUT32(?), ref: 00B92B8F
Part of subcall function 00B92B5D: VariantClear.OLEAUT32(?), ref: 00B92C16
Part of subcall function 00B92B5D: SysFreeString.OLEAUT32(00000000), ref: 00B92C21

CompareStringW.KERNEL32(0000007F,00000000,000000FF,000000FF,Detect,000000FF,?,00B9BB64,?,?,Action,?,?,?,00000000,00B55482), ref: 00B5EACD
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,Upgrade,000000FF), ref: 00B5EB17

Strings

Failed to resize Detect code array in registration, xrefs: 00B5EBE8
comres.dll, xrefs: 00B5EAE0
Failed to resize Upgrade code array in registration, xrefs: 00B5EBEF
Failed to get RelatedBundle nodes, xrefs: 00B5EA2C
Failed to resize Addon code array in registration, xrefs: 00B5EBF6
RelatedBundle, xrefs: 00B5EA0A
Invalid value for @Action: %ls, xrefs: 00B5EC0C
Upgrade, xrefs: 00B5EB0A
Failed to get RelatedBundle element count., xrefs: 00B5EA51
Failed to get @Id., xrefs: 00B5EC1C
version.dll, xrefs: 00B5EB2A
Failed to resize Patch code array in registration, xrefs: 00B5EBFD
Failed to get next RelatedBundle element., xrefs: 00B5EC2A
Addon, xrefs: 00B5EB54
Action, xrefs: 00B5EA8A
Detect, xrefs: 00B5EABE
Patch, xrefs: 00B5EB97
Failed to get @Action., xrefs: 00B5EC23
cabinet.dll, xrefs: 00B5EB74

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: String$CompareVariant$AllocClearFreeInit
String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade$cabinet.dll$comres.dll$version.dll
API String ID: 702752599-259800149
Opcode ID: a44b278cd02449b3cb09850d322b3d094ab0dfa8ace238b70fc3e6b9a6ecb656
Instruction ID: 034bf217b5c724c2685bdeef46e85f031295b2015d7c56496e913e89e0cbdc6a
Opcode Fuzzy Hash: a44b278cd02449b3cb09850d322b3d094ab0dfa8ace238b70fc3e6b9a6ecb656
Instruction Fuzzy Hash: 0B717C31A4562ABBCB249B54C981FAEB7F4FB05722F2042D5ED21B7690D730EE05CB90

Function 00B64668 Relevance: 36.9, APIs: 10, Strings: 11, Instructions: 184fileCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,00B64B7B,00B9A4E8,?,feclient.dll,00000000,?,?), ref: 00B6467F
ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,00B64B7B,00B9A4E8,?,feclient.dll,00000000,?,?), ref: 00B646A0
GetLastError.KERNEL32(?,00B64B7B,00B9A4E8,?,feclient.dll,00000000,?,?), ref: 00B646A6
ReadFile.KERNEL32(feclient.dll,00000000,00B9A518,?,00000000,00000000,00B9A519,?,00B64B7B,00B9A4E8,?,feclient.dll,00000000,?,?), ref: 00B64734
GetLastError.KERNEL32(?,00B64B7B,00B9A4E8,?,feclient.dll,00000000,?,?), ref: 00B6473A

Strings

Verification secret from parent is too big., xrefs: 00B64701
msasn1.dll, xrefs: 00B647B7
Failed to inform parent process that child is running., xrefs: 00B64847
feclient.dll, xrefs: 00B6466E, 00B6469E, 00B6469F, 00B64733, 00B647B8, 00B6480E
Failed to read size of verification secret from parent pipe., xrefs: 00B646D4
Verification secret from parent does not match., xrefs: 00B647A2
Failed to allocate buffer for verification secret., xrefs: 00B6471D
c:\agent\_work\66\s\src\burn\user\pipe.cpp, xrefs: 00B646CA, 00B646F5, 00B6475E, 00B64796, 00B647E3, 00B6483D, 00B6487B
Failed to read verification secret from parent pipe., xrefs: 00B64768
Failed to read verification process id from parent pipe., xrefs: 00B647ED
Verification process id from parent does not match., xrefs: 00B64887

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorFileLastRead$CurrentProcess
String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$c:\agent\_work\66\s\src\burn\user\pipe.cpp$feclient.dll$msasn1.dll
API String ID: 1233551569-1273669510
Opcode ID: d203680a77aa771fb74339834b3ce547f04bb8cf86fb3b45cfb14bb5dfd36238
Instruction ID: 1907f5a544d9d5b48ac8dc0baa5c0085f1884165a50711e8ba2be921941716b1
Opcode Fuzzy Hash: d203680a77aa771fb74339834b3ce547f04bb8cf86fb3b45cfb14bb5dfd36238
Instruction Fuzzy Hash: 2551D736D44626B7DB119A948D46FBFB6E8AF02F51F1101E5BE10BB290D77C8E0087E5

Function 00B58F3F Relevance: 35.4, APIs: 8, Strings: 12, Instructions: 430COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,5600B9CC,00000001,?,00B5990B,?,00000000,00000000,?,?,00B598F3,?,?,00000000,?), ref: 00B58F7D

Strings

Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 00B59391
Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 00B5920F
Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 00B5934D
Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 00B591AB
-, xrefs: 00B590E5
NOT, xrefs: 00B592A8
Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 00B593D5
Failed to set symbol value., xrefs: 00B5902D
Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 00B59065
AND, xrefs: 00B59289
Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 00B5912F
c:\agent\_work\66\s\src\burn\user\condition.cpp, xrefs: 00B59051, 00B5911B, 00B59197, 00B591FB, 00B59339, 00B5937D, 00B593C1

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: StringType
String ID: -$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$c:\agent\_work\66\s\src\burn\user\condition.cpp
API String ID: 4177115715-1494984065
Opcode ID: 1a0c1bee0eee1b1e6b17abf64dcb36b4c9fbbf2438082073479b6167088280a8
Instruction ID: 3c110d0e76062bebc826b6d1ecdead349e42a9c982bd69273d36e57807c71a0d
Opcode Fuzzy Hash: 1a0c1bee0eee1b1e6b17abf64dcb36b4c9fbbf2438082073479b6167088280a8
Instruction Fuzzy Hash: 08F1E271500311FBDB28CF54C999BBA7BE9FB05702F1085D6FD059A285C3B6DA8ACB90

Function 00B71951 Relevance: 35.2, APIs: 4, Strings: 16, Instructions: 211COMMON

Download Yara Rule

APIs

Part of subcall function 00B539DF: GetProcessHeap.KERNEL32(?,000001C7,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F0
Part of subcall function 00B539DF: RtlAllocateHeap.NTDLL(00000000,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F7

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,success,000000FF,?,Type,00000000,?,?,00000000,?,00000001,?), ref: 00B71A58
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,error,000000FF), ref: 00B71A76

Strings

success, xrefs: 00B71A49
error, xrefs: 00B71A69
Failed to select exit code nodes., xrefs: 00B7197E
Code, xrefs: 00B71AC5
Failed to get exit code node count., xrefs: 00B719A3
Failed to get @Code., xrefs: 00B71B38
Failed to allocate memory for exit code structs., xrefs: 00B719E3
scheduleReboot, xrefs: 00B71A85
forceReboot, xrefs: 00B71AA3
ExitCode, xrefs: 00B7195F
Failed to parse @Code value: %ls, xrefs: 00B71B31
Failed to get next node., xrefs: 00B71B5E
c:\agent\_work\66\s\src\burn\user\exeuser.cpp, xrefs: 00B719D9
Type, xrefs: 00B71A30
Failed to get @Type., xrefs: 00B71B57
Invalid exit code type: %ls, xrefs: 00B71B47

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: Code$ExitCode$Failed to allocate memory for exit code structs.$Failed to get @Code.$Failed to get @Type.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$Invalid exit code type: %ls$Type$c:\agent\_work\66\s\src\burn\user\exeuser.cpp$error$forceReboot$scheduleReboot$success
API String ID: 2664528157-2974551199
Opcode ID: fad001b1ce25f914464ddea908a0f7d642495a5964fa6e90497c8dea7f4e1bba
Instruction ID: 6686a40ad9c78e94331b3503c9a5bcb94aca46d0878378b1e92a2286c612f991
Opcode Fuzzy Hash: fad001b1ce25f914464ddea908a0f7d642495a5964fa6e90497c8dea7f4e1bba
Instruction Fuzzy Hash: 67618231A45216BBCB109B5CCC81E6EBBE5EF51720F2086D5F439BB2E0D7709A01D7A1

Function 00B66AC2 Relevance: 33.6, APIs: 6, Strings: 13, Instructions: 355synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00B5D461: EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00B66F37,000000B8,00000000,?,00000000,7694B390), ref: 00B5D470
Part of subcall function 00B5D461: InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 00B5D47F
Part of subcall function 00B5D461: LeaveCriticalSection.KERNEL32(000000D0,?,00B66F37,000000B8,00000000,?,00000000,7694B390), ref: 00B5D494

ReleaseMutex.KERNEL32(00000000,?,00000000,crypt32.dll,00000000,00000001,00000000), ref: 00B66E86
CloseHandle.KERNEL32(00000000), ref: 00B66E8F
CloseHandle.KERNEL32(?,?,00000000,crypt32.dll,00000000,00000001,00000000), ref: 00B66EAF

Part of subcall function 00B7B9F8: SetThreadExecutionState.KERNEL32(80000001), ref: 00B7B9FD

Strings

Failed to create cache thread., xrefs: 00B66D65
Failed while caching, aborting execution., xrefs: 00B66D8D
c:\agent\_work\66\s\src\burn\user\core.cpp, xrefs: 00B66B8A, 00B66D5B
comres.dll, xrefs: 00B66ED5
Failed to cache user to working directory., xrefs: 00B66C68
user cannot start apply because it is busy with another action., xrefs: 00B66B23
Failed to register bundle., xrefs: 00B66CEB
UX aborted apply begin., xrefs: 00B66B94
crypt32.dll, xrefs: 00B66BC6
Another per-machine setup is already executing., xrefs: 00B66CC8
Failed to elevate., xrefs: 00B66C8E
Failed to set initial apply variables., xrefs: 00B66BFE
Another per-user setup is already executing., xrefs: 00B66BD4

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseCriticalHandleSection$CompareEnterExchangeExecutionInterlockedLeaveMutexReleaseStateThread
String ID: Another per-machine setup is already executing.$Another per-user setup is already executing.$user cannot start apply because it is busy with another action.$Failed to cache user to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to set initial apply variables.$Failed while caching, aborting execution.$UX aborted apply begin.$c:\agent\_work\66\s\src\burn\user\core.cpp$comres.dll$crypt32.dll
API String ID: 1740103319-621563166
Opcode ID: 81c004d2a7751b1fd12722a50dade09ad0d987da844fdce0903e31482e907cce
Instruction ID: cfc5503bf0fadc36be6fe10310ab968500d10931da6e403c1b0f090f331f0e25
Opcode Fuzzy Hash: 81c004d2a7751b1fd12722a50dade09ad0d987da844fdce0903e31482e907cce
Instruction Fuzzy Hash: EEC16CB1901215EBDF159FA4C885FEA3BE8FF04701F1481FAFD09AA251DB399944CBA4

Function 00B96FC4 Relevance: 33.5, APIs: 8, Strings: 11, Instructions: 205COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 00B97024
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 00B97049
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 00B97069
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 00B9709C
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 00B970B8
SysFreeString.OLEAUT32(00000000), ref: 00B970E3
SysFreeString.OLEAUT32(00000000), ref: 00B9715A
SysFreeString.OLEAUT32(00000000), ref: 00B971A6

Strings

title, xrefs: 00B9708E
msasn1.dll, xrefs: 00B97194
msi.dll, xrefs: 00B97142
comres.dll, xrefs: 00B97073
feclient.dll, xrefs: 00B97056
`Dv, xrefs: 00B970E3, 00B9715A, 00B971A6
href, xrefs: 00B9703B
rel, xrefs: 00B97017
version.dll, xrefs: 00B970C7
type, xrefs: 00B970AA
length, xrefs: 00B9705B

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: String$Compare$Free
String ID: `Dv$comres.dll$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
API String ID: 318886736-1313079583
Opcode ID: 40f994df9bfb9ca9322479e6295896476a67219d9cb126558168014090993f46
Instruction ID: 28a3cf92e447911ae49d91fd9bb57dc1eb309ce63c78665747470466b8d14001
Opcode Fuzzy Hash: 40f994df9bfb9ca9322479e6295896476a67219d9cb126558168014090993f46
Instruction Fuzzy Hash: 77612D31958229BBCF15DBA4CC45FAEB7F8AB04720F2042E5E521A71A1DB31AE14DB90

Function 00B978F7 Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 308COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,00000410), ref: 00B97924
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF), ref: 00B9793F
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,upgrade,000000FF), ref: 00B979E2
CompareStringW.KERNEL32(0000007F,00000000,00700079,000000FF,version,000000FF,000002D8,00B9A518,00000000), ref: 00B97A21
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,exclusive,000000FF), ref: 00B97A74
CompareStringW.KERNEL32(0000007F,00000000,00B9A518,000000FF,true,000000FF), ref: 00B97A92
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,version,000000FF), ref: 00B97ACA
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,enclosure,000000FF), ref: 00B97C0E

Strings

enclosure, xrefs: 00B97BFC
upgrade, xrefs: 00B979D4
http://appsyndication.org/2006/appsyn, xrefs: 00B97917
version, xrefs: 00B97A13, 00B97ABC
c:\agent\_work\66\s\src\libs\dutil\apuputil.cpp, xrefs: 00B97B31
exclusive, xrefs: 00B97A66
application, xrefs: 00B97931
type, xrefs: 00B9796A
true, xrefs: 00B97A84

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CompareString
String ID: application$c:\agent\_work\66\s\src\libs\dutil\apuputil.cpp$enclosure$exclusive$http://appsyndication.org/2006/appsyn$true$type$upgrade$version
API String ID: 1825529933-3624447555
Opcode ID: 44b604792f3f156a2c2a2ecf2f0b81d7ce7e610137ec9439822e44d4214415f7
Instruction ID: 9a1e2beba3c19590797efe740dd7179ef4c38d6062a02897ff486cc808f1d070
Opcode Fuzzy Hash: 44b604792f3f156a2c2a2ecf2f0b81d7ce7e610137ec9439822e44d4214415f7
Instruction Fuzzy Hash: 53B19D31598206ABDF20DF54CC82F5A7BF6EB44720F2186A5F925AB2E5DF74E840CB04

Function 00B6E226 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 145registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6E10F: LoadBitmapW.USER32(?,00000001), ref: 00B6E145
Part of subcall function 00B6E10F: GetLastError.KERNEL32 ref: 00B6E151

LoadCursorW.USER32(00000000,00007F00), ref: 00B6E287
RegisterClassW.USER32(?), ref: 00B6E29B
GetLastError.KERNEL32 ref: 00B6E2A6
UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 00B6E3AB
DeleteObject.GDI32(00000000), ref: 00B6E3BA

Strings

Failed to create window., xrefs: 00B6E33D
c:\agent\_work\66\s\src\burn\user\splashscreen.cpp, xrefs: 00B6E2CA, 00B6E333
Failed to register window., xrefs: 00B6E2D4
WixBurnSplashScreen, xrefs: 00B6E294, 00B6E3A6
Failed to load splash screen., xrefs: 00B6E25F
Unexpected return value from message pump., xrefs: 00B6E395

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$c:\agent\_work\66\s\src\burn\user\splashscreen.cpp
API String ID: 164797020-1158544062
Opcode ID: 4f915dcf5455fa159923b141709604876829ec99ccd36a5febe6ef4930ae46d0
Instruction ID: 078ea68ab7a96094380ea75e2c9bfa79f221417e90d8892ea864d8d61297b8c5
Opcode Fuzzy Hash: 4f915dcf5455fa159923b141709604876829ec99ccd36a5febe6ef4930ae46d0
Instruction Fuzzy Hash: 2141A276904225BFDB119BE4DD49EAEBBF9FF04700B104165FA10B72A0EB38AD048B95

Function 00B79B0F Relevance: 30.0, APIs: 4, Strings: 13, Instructions: 232threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000001,00B7B978,00000000,000000FF,00000001,00000000,00000000,00B7B978,00000001,?), ref: 00B79B74
GetLastError.KERNEL32 ref: 00B79CE4
GetExitCodeThread.KERNEL32(?,00000001), ref: 00B79D24
GetLastError.KERNEL32 ref: 00B79D2E

Strings

Failed to execute MSU package., xrefs: 00B79C29
Failed to load compatible package on per-machine package., xrefs: 00B79C8A
Failed to execute MSI package., xrefs: 00B79BD4
Failed to get cache thread exit code., xrefs: 00B79D5F
Failed to wait for cache check-point., xrefs: 00B79D15
Failed to execute compatible package action., xrefs: 00B79CA1
Failed to execute dependency action., xrefs: 00B79C64
Cache thread exited unexpectedly., xrefs: 00B79D75
Failed to execute MSP package., xrefs: 00B79BF9
c:\agent\_work\66\s\src\burn\user\apply.cpp, xrefs: 00B79D0B, 00B79D55
Failed to execute package provider registration action., xrefs: 00B79C45
Failed to execute EXE package., xrefs: 00B79BAB
Invalid execute action., xrefs: 00B79D84

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$c:\agent\_work\66\s\src\burn\user\apply.cpp
API String ID: 3703294532-2335230991
Opcode ID: 33650359878b1c6c36b054f4a1163fb5462184bdb39fe909b473397a0d21b15a
Instruction ID: 3ace1672ce2389ca2e4baee46b34fc5537654f02b619cc4454e1131473811189
Opcode Fuzzy Hash: 33650359878b1c6c36b054f4a1163fb5462184bdb39fe909b473397a0d21b15a
Instruction Fuzzy Hash: 00717E71A01219EFDB11DF64CD41EBE7BF8EB45B10F1081EAF829E7250D670AE009BA0

Function 00B5F1BA Relevance: 29.9, APIs: 3, Strings: 14, Instructions: 182registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B93349: GetVersionExW.KERNEL32(?,?,?,00000000), ref: 00B93398

RegCloseKey.ADVAPI32(00000000,?,00B9FF38,00020006,00000000,?,00000000,00000000,00000000,?,00000000,00000001,00000000,00000000), ref: 00B5F3EA

Part of subcall function 00B90D39: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,00B5F237,00B9FF38,Resume,00000005,?,00000000,00000000,00000000), ref: 00B90D4E

Strings

Failed to delete run key value., xrefs: 00B5F378
Resume, xrefs: 00B5F22C
Failed to write Resume value., xrefs: 00B5F23D
Failed to format resume command line for RunOnce., xrefs: 00B5F2A3
"%ls" /%ls, xrefs: 00B5F28F
c:\agent\_work\66\s\src\burn\user\registration.cpp, xrefs: 00B5F36E, 00B5F3BC
Installed, xrefs: 00B5F24F
Failed to delete resume command line value., xrefs: 00B5F3C6
burn.runonce, xrefs: 00B5F284
Failed to write run key value., xrefs: 00B5F2E5
Failed to create run key., xrefs: 00B5F2C7
Failed to write resume command line value., xrefs: 00B5F307
Failed to write Installed value., xrefs: 00B5F260
BundleResumeCommandLine, xrefs: 00B5F2F2, 00B5F385

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseValueVersion
String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$burn.runonce$c:\agent\_work\66\s\src\burn\user\registration.cpp
API String ID: 2348918689-1350441746
Opcode ID: dc858ded067b525bcc9241c33f62658124b2ab726b73d597ab8ae1d439619026
Instruction ID: 0b893c842508f7c54612298ec4f06aba3b09f3f82b4cc2d7be08b80e30174dce
Opcode Fuzzy Hash: dc858ded067b525bcc9241c33f62658124b2ab726b73d597ab8ae1d439619026
Instruction Fuzzy Hash: F6510372D55227BBEF11ABA4CC42BBEF6E4AF00712F0401F5BD00B61A1D7B59D189B94

Function 00B7C96F Relevance: 29.9, APIs: 7, Strings: 10, Instructions: 173processCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(76228FB0,00000000,00000000), ref: 00B7C97B

Part of subcall function 00B64D1A: UuidCreate.RPCRT4(?), ref: 00B64D4D

CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,08000000,00000000,00000000,?,00B7219D,?,?,00000000,?,?,?), ref: 00B7CA59
GetLastError.KERNEL32(?,?,00000000,?,?,?,?), ref: 00B7CA63
GetProcessId.KERNEL32(00B7219D,?,?,00000000,?,?,?,?), ref: 00B7CA9B

Part of subcall function 00B6545D: lstrlenW.KERNEL32(?,?,00000000,?,00B9A500,?,00000000,?,00B5457C,?,00B9A500), ref: 00B6547E
Part of subcall function 00B6545D: GetCurrentProcessId.KERNEL32(?,00B5457C,?,00B9A500), ref: 00B65489
Part of subcall function 00B6545D: SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,00B5457C,?,00B9A500), ref: 00B654C0
Part of subcall function 00B6545D: ConnectNamedPipe.KERNEL32(?,00000000,?,00B5457C,?,00B9A500), ref: 00B654D5
Part of subcall function 00B6545D: GetLastError.KERNEL32(?,00B5457C,?,00B9A500), ref: 00B654DF
Part of subcall function 00B6545D: Sleep.KERNEL32(00000064,?,00B5457C,?,00B9A500), ref: 00B65514
Part of subcall function 00B6545D: SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,00B5457C,?,00B9A500), ref: 00B65537
Part of subcall function 00B6545D: WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,00B5457C,?,00B9A500), ref: 00B65552
Part of subcall function 00B6545D: WriteFile.KERNEL32(?,00B5457C,00B9A500,00000000,00000000,?,00B5457C,?,00B9A500), ref: 00B6556D
Part of subcall function 00B6545D: WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,00B5457C,?,00B9A500), ref: 00B65588

Part of subcall function 00B902EC: WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,00B54F5D,?,000000FF,?,?,?,?,?,00000000,?,?,?), ref: 00B902F8
Part of subcall function 00B902EC: GetLastError.KERNEL32(?,00B54F5D,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00B90306

CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,00B7C8CF,?,?,?,?,?,00000000,?,?,?,?), ref: 00B7CB1F
CloseHandle.KERNEL32(00000000,?,000000FF,00000000,?,00B7C8CF,?,?,?,?,?,00000000,?,?,?,?), ref: 00B7CB2E
CloseHandle.KERNEL32(00000000,?,?,000000FF,00000000,?,00B7C8CF,?,?,?,?,?,00000000,?,?,?), ref: 00B7CB45

Strings

Failed to create embedded pipe., xrefs: 00B7CA05
Failed to process messages from embedded message., xrefs: 00B7CAE2
Failed to wait for embedded process to connect to pipe., xrefs: 00B7CABD
%ls -%ls %ls %ls %u, xrefs: 00B7CA1E
Failed to create embedded process at path: %ls, xrefs: 00B7CA91
c:\agent\_work\66\s\src\burn\user\embedded.cpp, xrefs: 00B7CA84
burn.embedded, xrefs: 00B7CA16
Failed to wait for embedded executable: %ls, xrefs: 00B7CB02
Failed to create embedded pipe name and client token., xrefs: 00B7C9DE
Failed to allocate embedded command., xrefs: 00B7CA32

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Handle$Process$CloseErrorFileLastNamedPipeWrite$CreateCurrentState$ConnectObjectSingleSleepUuidWaitlstrlen
String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process at path: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$c:\agent\_work\66\s\src\burn\user\embedded.cpp
API String ID: 875070380-1877421928
Opcode ID: bda19649bb94209970d483edc438e92599ef8f90092484a581d20d2d96bf7b5e
Instruction ID: 73cf356ef293c323332f21cb5ebd69e97b7c167baa0b7a2af9c54c56166706d1
Opcode Fuzzy Hash: bda19649bb94209970d483edc438e92599ef8f90092484a581d20d2d96bf7b5e
Instruction Fuzzy Hash: FE518272D4022DBBDF12DBD4DC42FEE7EF8AB04710F1041A9FA14B62A0D7749A448B91

Function 00B5EC76 Relevance: 29.9, APIs: 2, Strings: 15, Instructions: 172COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 00B5EE04

Part of subcall function 00B539DF: GetProcessHeap.KERNEL32(?,000001C7,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F0
Part of subcall function 00B539DF: RtlAllocateHeap.NTDLL(00000000,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F7

SysFreeString.OLEAUT32(?), ref: 00B5EDBC

Strings

Failed to get @Filename., xrefs: 00B5EE5F
Path, xrefs: 00B5ED6A
Failed to get SoftwareTag text., xrefs: 00B5EE41
Failed to allocate memory for software tag structs., xrefs: 00B5ED03
SoftwareTag, xrefs: 00B5EC85
Failed to select software tag nodes., xrefs: 00B5ECA6
`Dv, xrefs: 00B5EDBC, 00B5EE04
c:\agent\_work\66\s\src\burn\user\registration.cpp, xrefs: 00B5ECF9
Failed to get next node., xrefs: 00B5EE69
Failed to get software tag count., xrefs: 00B5ECCB
Failed to get @Regid., xrefs: 00B5EE55
Filename, xrefs: 00B5ED37
Failed to get @Path., xrefs: 00B5EE4B
Failed to convert SoftwareTag text to UTF-8, xrefs: 00B5EE37
Regid, xrefs: 00B5ED52

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: FreeHeapString$AllocateProcess
String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Path.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Path$Regid$SoftwareTag$`Dv$c:\agent\_work\66\s\src\burn\user\registration.cpp
API String ID: 336948655-2094125471
Opcode ID: 2a8499b695723f147bbe8d6c018208197715d5cedf996fbb2f508f0a5b22939e
Instruction ID: 9f0e4f3018c74ded851e0791db27c504848e4afc1542c74f5f11180e54460bc4
Opcode Fuzzy Hash: 2a8499b695723f147bbe8d6c018208197715d5cedf996fbb2f508f0a5b22939e
Instruction Fuzzy Hash: 64518F31A11219EBDB19AF64C991F6EB7F9EF04B52F1041E9BC25AB250D670DE088790

Function 00B97741 Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 153stringCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,msi.dll,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000000,00000000,000002C0,?,00B97C2B,00000001,?), ref: 00B97761
CompareStringW.KERNEL32(0000007F,00000000,digest,000000FF,002E0069,000000FF,?,00B97C2B,00000001,?), ref: 00B9777C
CompareStringW.KERNEL32(0000007F,00000000,name,000000FF,002E0069,000000FF,?,00B97C2B,00000001,?), ref: 00B97797
CompareStringW.KERNEL32(0000007F,00000000,algorithm,000000FF,?,000000FF,?,00B97C2B,00000001,?), ref: 00B97803
CompareStringW.KERNEL32(0000007F,00000001,md5,000000FF,?,000000FF,?,00B97C2B,00000001,?), ref: 00B97827
CompareStringW.KERNEL32(0000007F,00000001,sha1,000000FF,?,000000FF,?,00B97C2B,00000001,?), ref: 00B9784B
CompareStringW.KERNEL32(0000007F,00000001,sha256,000000FF,?,000000FF,?,00B97C2B,00000001,?), ref: 00B9786B
lstrlenW.KERNEL32(006C0064,?,00B97C2B,00000001,?), ref: 00B97886

Strings

md5, xrefs: 00B9781E
msi.dll, xrefs: 00B9775B
name, xrefs: 00B9778E
digest, xrefs: 00B97773
http://appsyndication.org/2006/appsyn, xrefs: 00B97754
c:\agent\_work\66\s\src\libs\dutil\apuputil.cpp, xrefs: 00B9789E
sha1, xrefs: 00B97842
algorithm, xrefs: 00B977FA
sha256, xrefs: 00B97862

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CompareString$lstrlen
String ID: algorithm$c:\agent\_work\66\s\src\libs\dutil\apuputil.cpp$digest$http://appsyndication.org/2006/appsyn$md5$msi.dll$name$sha1$sha256
API String ID: 1657112622-124732866
Opcode ID: 8bd0463a746e2eb32e2cffc9f347af953c8f46479004ed353b66ef580454ef46
Instruction ID: 07a65936355039385557a28505e77ee4ceaec0bd76857cc94e8dab0fc431ed02
Opcode Fuzzy Hash: 8bd0463a746e2eb32e2cffc9f347af953c8f46479004ed353b66ef580454ef46
Instruction Fuzzy Hash: A551A431698612BBDF205F558CC6F617BE1AB11B30F2043A5F935AA2E5CBA8EC40C791

Function 00B59FFE Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 214COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00B5A076

Strings

Failed to change value type., xrefs: 00B5A1DD
Failed to set variable., xrefs: 00B5A1FC
VersionString, xrefs: 00B5A066, 00B5A0F1, 00B5A107, 00B5A11B, 00B5A134, 00B5A148
State, xrefs: 00B5A058
AssignmentType, xrefs: 00B5A051
Failed to copy upgrade code., xrefs: 00B5A0D6
Unsupported product search type: %u, xrefs: 00B5A03E
Language, xrefs: 00B5A05F
Failed to enumerate related products for upgrade code., xrefs: 00B5A0B1
Trying per-user extended info for property '%ls' for product: %ls, xrefs: 00B5A135
Product or related product not found: %ls, xrefs: 00B5A161
Failed to get product info., xrefs: 00B5A1A3
Trying per-machine extended info for property '%ls' for product: %ls, xrefs: 00B5A108
MsiProductSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 00B5A20F
Failed to format GUID string., xrefs: 00B5A081

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Open@16
String ID: AssignmentType$Failed to change value type.$Failed to copy upgrade code.$Failed to enumerate related products for upgrade code.$Failed to format GUID string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$Product or related product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
API String ID: 3613110473-2134270738
Opcode ID: 4d37ca64b2208fa1488a8608c8aee328937fdea342fe37062c1b3c7f3a5a7824
Instruction ID: 9d0e50fb912240b0247558248fad4749848224b8eab2c6d2c07a1f83a606686a
Opcode Fuzzy Hash: 4d37ca64b2208fa1488a8608c8aee328937fdea342fe37062c1b3c7f3a5a7824
Instruction Fuzzy Hash: A861C332D40519BBCF12AE998986FAE7BE4EB05705F2442E5FD04BB291D232DE049792

Function 00B64AB0 Relevance: 28.2, APIs: 7, Strings: 9, Instructions: 157sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?), ref: 00B64B0A
GetLastError.KERNEL32 ref: 00B64B18
Sleep.KERNEL32(00000064), ref: 00B64B3C

Strings

Failed to allocate name of parent cache pipe., xrefs: 00B64BB1
Failed to open parent pipe: %ls, xrefs: 00B64B62
feclient.dll, xrefs: 00B64B6F, 00B64C0A, 00B64C1E, 00B64C62
Failed to verify parent pipe: %ls, xrefs: 00B64B84
Failed to allocate name of parent pipe., xrefs: 00B64AD6
\\.\pipe\%ls.Cache, xrefs: 00B64B9D
Failed to open companion process with PID: %u, xrefs: 00B64C64
c:\agent\_work\66\s\src\burn\user\pipe.cpp, xrefs: 00B64B55, 00B64C58
\\.\pipe\%ls, xrefs: 00B64AC2

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CreateErrorFileLastSleep
String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$c:\agent\_work\66\s\src\burn\user\pipe.cpp$feclient.dll
API String ID: 408151869-2029237024
Opcode ID: 74d572517ad21f562eed2a043e0caad32d3a23214db4dc12aa614a4355f85b71
Instruction ID: 2148512fde8e44f214c3681bb7c83d9827ba8e74a8f30e1ac0f759cf29d9ba04
Opcode Fuzzy Hash: 74d572517ad21f562eed2a043e0caad32d3a23214db4dc12aa614a4355f85b71
Instruction Fuzzy Hash: 2D41F932D42A32BBDB2157A0DD46F5ABAD4EF01B20F2542E1FE01BB290D76DDE0096D5

Function 00B5F52B Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 151registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000000,00B60478,InstallerVersion,InstallerVersion,00000000,00B60478,InstallerName,InstallerName,00000000,00B60478,Date,InstalledDate,00000000,00B60478,LogonUser), ref: 00B5F6D9

Part of subcall function 00B90D87: RegSetValueExW.ADVAPI32(00020006,00B9FF38,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,00B5F2DF,00000000,?,00020006), ref: 00B90DBA

Strings

InstallerVersion, xrefs: 00B5F6A7, 00B5F6AC, 00B5F6AD, 00B5F6BD
Publisher, xrefs: 00B5F5E5, 00B5F5F8
Failed to write %ls value., xrefs: 00B5F6C2
ThisVersionInstalled, xrefs: 00B5F585, 00B5F598
ReleaseType, xrefs: 00B5F630, 00B5F635, 00B5F644
LogonUser, xrefs: 00B5F64F
InstalledDate, xrefs: 00B5F66A, 00B5F683
PackageName, xrefs: 00B5F5A5, 00B5F5B8
PublishingGroup, xrefs: 00B5F60D, 00B5F620
Date, xrefs: 00B5F66F
Failed to get the formatted key path for update registration., xrefs: 00B5F54D
PackageVersion, xrefs: 00B5F5C5, 00B5F5D8
InstalledBy, xrefs: 00B5F64A, 00B5F663
InstallerName, xrefs: 00B5F68A, 00B5F68F, 00B5F690, 00B5F6A0
Failed to create the key for update registration., xrefs: 00B5F579

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseValue
String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
API String ID: 3132538880-2703781546
Opcode ID: 5c4d623cd350e8f706472d43a00c303eeabfaf85aa1571535a3199c3f3905a8c
Instruction ID: df36391a9d6c3d952c9fc1b1736732dacbdb1cbc04c1d7283cecc06ce3e6bdd1
Opcode Fuzzy Hash: 5c4d623cd350e8f706472d43a00c303eeabfaf85aa1571535a3199c3f3905a8c
Instruction Fuzzy Hash: E441C332A48626BBCF126A58DD02F7EB9E4EB11B52F1145F1FC00B7270D7A09E14E6C8

Function 00B6E60C Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 134registryCOMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 00B6E652
RegisterClassW.USER32(?), ref: 00B6E67E
GetLastError.KERNEL32 ref: 00B6E689
CreateWindowExW.USER32(00000080,00BA91B4,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 00B6E6F0
GetLastError.KERNEL32 ref: 00B6E6FA
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 00B6E798

Strings

Failed to create window., xrefs: 00B6E728
c:\agent\_work\66\s\src\burn\user\uithread.cpp, xrefs: 00B6E6AD, 00B6E71E
Failed to register window., xrefs: 00B6E6B7
WixBurnMessageWindow, xrefs: 00B6E677, 00B6E793
Unexpected return value from message pump., xrefs: 00B6E783

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$c:\agent\_work\66\s\src\burn\user\uithread.cpp
API String ID: 213125376-1202977178
Opcode ID: d7d513143a63fce81159f6cc127052d018c1c5053be238185076e2fe1ca86cad
Instruction ID: ec584a214183fd2e446fce2eb0f42e4a79c75f4908551b7930db06d0b00fe99b
Opcode Fuzzy Hash: d7d513143a63fce81159f6cc127052d018c1c5053be238185076e2fe1ca86cad
Instruction Fuzzy Hash: F441937A900225ABDB208BA4DD48AEEBFF8EF05750F1141A6F915BB150EB34DD04CBE1

Function 00B7C45E Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 271COMMON

Download Yara Rule

Strings

Failed to allocate space for burn payload inside of related bundle struct, xrefs: 00B7C6D1
Failed to copy filename for passthrough pseudo bundle., xrefs: 00B7C6A8
Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 00B7C49E
Failed to copy cache id for passthrough pseudo bundle., xrefs: 00B7C6EF
Failed to copy key for passthrough pseudo bundle., xrefs: 00B7C672
Failed to copy install arguments for passthrough bundle package, xrefs: 00B7C74C
Failed to recreate command-line arguments., xrefs: 00B7C72D
c:\agent\_work\66\s\src\burn\user\pseudobundle.cpp, xrefs: 00B7C492, 00B7C68B, 00B7C6C5
Failed to copy uninstall arguments for passthrough bundle package, xrefs: 00B7C796
Failed to copy key for passthrough pseudo bundle payload., xrefs: 00B7C6AF
Failed to copy download source for passthrough pseudo bundle., xrefs: 00B7C679
Failed to copy local source path for passthrough pseudo bundle., xrefs: 00B7C6A1
Failed to copy related arguments for passthrough bundle package, xrefs: 00B7C76C
Failed to allocate memory for pseudo bundle payload hash., xrefs: 00B7C697

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$c:\agent\_work\66\s\src\burn\user\pseudobundle.cpp
API String ID: 1357844191-1911474293
Opcode ID: c408d51b37f67a7847cde2ce5504f95ca155f41df05222325d18356294b57f70
Instruction ID: 4a60c82273630094ff04ac3f3e3b41e6efcb1e3cc448376ca5a474e8f7500419
Opcode Fuzzy Hash: c408d51b37f67a7847cde2ce5504f95ca155f41df05222325d18356294b57f70
Instruction Fuzzy Hash: 3AB14875A01616EFDB21DF68C881F65BBE1BF09710F1181EAED28AB361D731E850DB90

Function 00B7DAF8 Relevance: 26.5, APIs: 2, Strings: 13, Instructions: 203stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,00000000,00000000,?), ref: 00B7DB13

Strings

Failed to set callback interface for BITS job., xrefs: 00B7DC4B
Falied to start BITS job., xrefs: 00B7DCCB
c:\agent\_work\66\s\src\burn\user\bitsuser.cpp, xrefs: 00B7DB29, 00B7DC1C
Failed to complete BITS job., xrefs: 00B7DCBD
Invalid BITS user URL: %ls, xrefs: 00B7DB35
Failed to copy download URL., xrefs: 00B7DB5A
Failed while waiting for BITS download., xrefs: 00B7DCC4
Failed to download BITS job., xrefs: 00B7DCAA
Failed to create BITS job., xrefs: 00B7DBA2
Failed to set credentials for BITS job., xrefs: 00B7DBC1
Failed to create BITS job callback., xrefs: 00B7DC26
Failed to add file to BITS job., xrefs: 00B7DBE0
Failed to initialize BITS job callback., xrefs: 00B7DC34

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: lstrlen
String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS user URL: %ls$c:\agent\_work\66\s\src\burn\user\bitsuser.cpp
API String ID: 1659193697-397540975
Opcode ID: dc340bebb9f33047d2603f48566f7253833755961a7df0f4df21b54b36ed6fbf
Instruction ID: 61b31f4293cc33951bc39a7e4ba3441d602bf6a0d3ea2a6f1c218576d9ff2ed3
Opcode Fuzzy Hash: dc340bebb9f33047d2603f48566f7253833755961a7df0f4df21b54b36ed6fbf
Instruction Fuzzy Hash: 17519431A04225EBCB12AB64C985EAE7BF4EF15790B21C1D5FD19BB261D7B0DD00EB90

Function 00B5BC5E Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 189processCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00B5BCB0
CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000200,00000000,?,00000044,?,?,?,?,?), ref: 00B5BDBD
GetLastError.KERNEL32(?,?,?,?), ref: 00B5BDC7
WaitForInputIdle.USER32(?,?), ref: 00B5BE1B
CloseHandle.KERNEL32(?,?,?), ref: 00B5BE66
CloseHandle.KERNEL32(?,?,?), ref: 00B5BE73

Strings

Failed to create obfuscated executable command., xrefs: 00B5BD5B
"%ls", xrefs: 00B5BD2D, 00B5BD47
c:\agent\_work\66\s\src\burn\user\approvedexe.cpp, xrefs: 00B5BDEB
Failed to format argument string., xrefs: 00B5BCBB
"%ls" %s, xrefs: 00B5BCD6, 00B5BD17
Failed to CreateProcess on path: %ls, xrefs: 00B5BDF8
Failed to format obfuscated argument string., xrefs: 00B5BD07
Failed to create executable command., xrefs: 00B5BCEA
D, xrefs: 00B5BD9C

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseHandle$CreateErrorIdleInputLastOpen@16ProcessWait
String ID: "%ls"$"%ls" %s$D$Failed to CreateProcess on path: %ls$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$c:\agent\_work\66\s\src\burn\user\approvedexe.cpp
API String ID: 155678114-3058035682
Opcode ID: f43764f3272b473c140b7dc78823d1a115a5bf74f7bfaefd075bdb005e38b5c0
Instruction ID: 99394d0775eee0cbfddf3b12785aa09bcb427519c9afc00e3a1c3102c8740d49
Opcode Fuzzy Hash: f43764f3272b473c140b7dc78823d1a115a5bf74f7bfaefd075bdb005e38b5c0
Instruction Fuzzy Hash: 27514B72D0021ABBDF129F90CD42EAEBBF4FF14702B1445E5EE1476160E7319E589B91

Function 00B7673A Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 152serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,00000000,?,?,?,?,?,?,?,?,00B76C89,?), ref: 00B76773
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00B76C89,?,?,?), ref: 00B76780
OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,00B76C89,?,?,?), ref: 00B767C8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00B76C89,?,?,?), ref: 00B767D4
QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,00B76C89,?,?,?), ref: 00B7680E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00B76C89,?,?,?), ref: 00B76818
CloseServiceHandle.ADVAPI32(00000000), ref: 00B768CF
CloseServiceHandle.ADVAPI32(?), ref: 00B768D9

Strings

Failed to open WU service., xrefs: 00B76802
Failed to open service control manager., xrefs: 00B767AE
Failed to mark WU service to start on demand., xrefs: 00B768A0
wuauserv, xrefs: 00B767C2
c:\agent\_work\66\s\src\burn\user\msuuser.cpp, xrefs: 00B767A4, 00B767F8, 00B7683C
Failed to read configuration for WU service., xrefs: 00B7687F
Failed to query status of WU service., xrefs: 00B76846

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Service$ErrorLast$CloseHandleOpen$ManagerQueryStatus
String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$c:\agent\_work\66\s\src\burn\user\msuuser.cpp$wuauserv
API String ID: 971853308-110228879
Opcode ID: 340c82abc63df8ab5fe9254b2fb3dec25c4dff3cbacde8d1f3a79b59716bca1d
Instruction ID: 08012e808730564c1c8b27d47a0364123198f04ab59b58aa224c58608d668fe2
Opcode Fuzzy Hash: 340c82abc63df8ab5fe9254b2fb3dec25c4dff3cbacde8d1f3a79b59716bca1d
Instruction Fuzzy Hash: 1F410832E047259BDB21DBA4CD45AAEBBE4EF04750F1180E6FD19FB251EA74DC0486E1

Function 00B5B1D7 Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 137COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,00B5BACA,00000008,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B1DF
GetLastError.KERNEL32(?,00B5BACA,00000008,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B5B1EB
_memcmp.LIBVCRUNTIME ref: 00B5B293

Strings

.wix, xrefs: 00B5B2B2
Bundle guid didn't match the guid in the PE Header in memory., xrefs: 00B5B36A
Failed to get module handle to process., xrefs: 00B5B219
burn, xrefs: 00B5B2BA
Failed to find valid NT image header in buffer., xrefs: 00B5B277
Failed to read section info, unsupported version: %08x, xrefs: 00B5B32D
.wixburn, xrefs: 00B5B28D
Failed to find valid DOS image header in buffer., xrefs: 00B5B24C
Failed to read section info, data to short: %u, xrefs: 00B5B2E3
Failed to find Burn section., xrefs: 00B5B301
c:\agent\_work\66\s\src\burn\user\section.cpp, xrefs: 00B5B20F, 00B5B240, 00B5B26B, 00B5B2D4, 00B5B2F5, 00B5B31E, 00B5B35E

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorHandleLastModule_memcmp
String ID: .wix$.wixburn$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$c:\agent\_work\66\s\src\burn\user\section.cpp
API String ID: 3888311042-3868660166
Opcode ID: f284bc75aa638d077a81b8f1e8e6f990b5ccf293080c7307406118524a7e1dd8
Instruction ID: 7c547753842e70fd62eca7f6352ed0d538056eb207ed54082cc22b8907567ff1
Opcode Fuzzy Hash: f284bc75aa638d077a81b8f1e8e6f990b5ccf293080c7307406118524a7e1dd8
Instruction Fuzzy Hash: BB414932280211A7DB215A518C87F2A26D1EF91B63F2540F9FD027F291D7A9C80AC3B9

Function 00B63AD7 Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 129COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,?,00000000,crypt32.dll), ref: 00B63B2B
GetLastError.KERNEL32(?,00000000,crypt32.dll), ref: 00B63B35
GetCurrentProcessId.KERNEL32(?,?,?,00000104,?,?,00000000,crypt32.dll), ref: 00B63B9E
ProcessIdToSessionId.KERNEL32(00000000,?,00000000,crypt32.dll), ref: 00B63BA5
CompareStringW.KERNEL32(00000000,00000000,?,?,?,?,?,7FFFFFFF,?,?,?,?,?,00000000,crypt32.dll), ref: 00B63C2F

Strings

%u\, xrefs: 00B63BBF
crypt32.dll, xrefs: 00B63AEA
Failed to get temp folder., xrefs: 00B63B63
Failed to format session id as a string., xrefs: 00B63BD3
4#v, xrefs: 00B63B2B
Failed to get length of session id string., xrefs: 00B63BFA
Failed to get length of temp folder., xrefs: 00B63B8F
Failed to copy temp folder., xrefs: 00B63C58
c:\agent\_work\66\s\src\burn\user\logging.cpp, xrefs: 00B63B59

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Process$CompareCurrentErrorLastPathSessionStringTemp
String ID: 4#v$%u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$c:\agent\_work\66\s\src\burn\user\logging.cpp$crypt32.dll
API String ID: 2407829081-592026938
Opcode ID: 2360edd20f1d1293ecf8dcff0e11ad9bcf5d1a59a4ceee52a2be03494cc9e681
Instruction ID: 295439c7812ad2db4fb9c7a6bf972d5f4065620ea5bfc19e1a6253acd53d2682
Opcode Fuzzy Hash: 2360edd20f1d1293ecf8dcff0e11ad9bcf5d1a59a4ceee52a2be03494cc9e681
Instruction Fuzzy Hash: 76419F72D8123DABCB219B609C49FD9B7E8EB11B10F1001E1F908B7251DA749F848B90

Function 00B5A249 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 140registryCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00B5A271
RegCloseKey.ADVAPI32(00000000,00000100,00000000,000002C0,?,00000001,00000000,00000000,?,00000000,?,000002C0,000002C0,?,00000000,00000000), ref: 00B5A3C5

Strings

Failed to format key string., xrefs: 00B5A27C
Failed to set variable., xrefs: 00B5A388
Failed to format value string., xrefs: 00B5A2FD
Registry key not found. Key = '%ls', xrefs: 00B5A2B2
Failed to query registry key value., xrefs: 00B5A353
RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 00B5A39D
c:\agent\_work\66\s\src\burn\user\search.cpp, xrefs: 00B5A349
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00B5A360
Failed to open registry key. Key = '%ls', xrefs: 00B5A2C6

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseOpen@16
String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$c:\agent\_work\66\s\src\burn\user\search.cpp
API String ID: 1561904661-635686934
Opcode ID: b7a593e612960b5a622b1937c62a758a83af86e1a220351f683c8308b5bde602
Instruction ID: 6d520c4e4cd3bc2f8f998c8b8dcecbfbcc97ff17ae1071ba332e4704083b52f5
Opcode Fuzzy Hash: b7a593e612960b5a622b1937c62a758a83af86e1a220351f683c8308b5bde602
Instruction Fuzzy Hash: 5F41F132D00125BBCF12AFA5DC02FAEBAE9EF04711F1042E1FD04B6162D6719E18DB95

Function 00B5695F Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 132libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,ntdll,?), ref: 00B569AF
GetLastError.KERNEL32 ref: 00B569B9
GetProcAddress.KERNEL32(?,RtlGetVersion), ref: 00B569FC
GetLastError.KERNEL32 ref: 00B56A06
FreeLibrary.KERNEL32(00000000,00000000,?), ref: 00B56B17

Strings

Failed to get OS info., xrefs: 00B56A57
Failed to locate NTDLL., xrefs: 00B569E7
Failed to set variant value., xrefs: 00B56AFB
Failed to locate RtlGetVersion., xrefs: 00B56A34
ntdll, xrefs: 00B569A9
RtlGetVersion, xrefs: 00B569F1
c:\agent\_work\66\s\src\burn\user\variable.cpp, xrefs: 00B569DD, 00B56A2A

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$AddressFreeHandleLibraryModuleProc
String ID: Failed to get OS info.$Failed to locate NTDLL.$Failed to locate RtlGetVersion.$Failed to set variant value.$RtlGetVersion$c:\agent\_work\66\s\src\burn\user\variable.cpp$ntdll
API String ID: 3057421322-3993976954
Opcode ID: caf06616d73191a03febbc5698d4a5861c11c42d72534f726ac075abb35cea38
Instruction ID: 9346a42a969f21bf7aacb34574f3ac643887164b2b9d27952f1729c114a343ff
Opcode Fuzzy Hash: caf06616d73191a03febbc5698d4a5861c11c42d72534f726ac075abb35cea38
Instruction Fuzzy Hash: E141B372D402399BDB219B659D45BEA7BF4EB08712F4041E5ED48F7190EB748E88CBD0

Function 00B54936 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 129memorysynchronizationCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00000001,00000001,00000000,00000000,?,?,?,00B554A3,?,?,?,?), ref: 00B54967
GetLastError.KERNEL32(?,?,?,00B554A3,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B54978
ReleaseMutex.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B54AB5
CloseHandle.KERNEL32(?,?,?,?,00B554A3,?,?,?,?,?,?,?,?,?,?,?), ref: 00B54ABE

Strings

Failed to allocate thread local storage for logging., xrefs: 00B549A6
Failed to pump messages from parent process., xrefs: 00B54A89
Failed to create the message window., xrefs: 00B54A13
c:\agent\_work\66\s\src\burn\user\user.cpp, xrefs: 00B5499C, 00B549E5
comres.dll, xrefs: 00B54A24
Failed to set elevated pipe into thread local storage for logging., xrefs: 00B549EF
Failed to connect to unelevated process., xrefs: 00B5495D

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AllocCloseErrorHandleLastMutexRelease
String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create the message window.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$c:\agent\_work\66\s\src\burn\user\user.cpp$comres.dll
API String ID: 687263955-55126310
Opcode ID: c29acfefc34e219025b77f428cc126d40f639511e6f9c9c546635ee696d1c3eb
Instruction ID: a8524f71185868545b079e1f48cf75d6bfa346ef063e4add62824cf43a09b459
Opcode Fuzzy Hash: c29acfefc34e219025b77f428cc126d40f639511e6f9c9c546635ee696d1c3eb
Instruction Fuzzy Hash: 1B41D473A40626BBCB11ABE08C46FDBB6ECFF04715F1002E6BE05E3151DB24A98487E1

Function 00B57FA2 Relevance: 21.2, APIs: 2, Strings: 12, Instructions: 215COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 00B57FBF
LeaveCriticalSection.KERNEL32(?), ref: 00B581E7

Strings

Failed to get string., xrefs: 00B581B2
Failed to write variable value as string., xrefs: 00B581AB
Failed to write variable count., xrefs: 00B57FDA
Failed to write variable name., xrefs: 00B581CE
Failed to get numeric., xrefs: 00B581B9
Failed to get version., xrefs: 00B58198
Failed to write variable value type., xrefs: 00B581C7
feclient.dll, xrefs: 00B5809A, 00B580F0, 00B58131
Failed to write included flag., xrefs: 00B581D5
Unsupported variable type., xrefs: 00B581A4
Failed to write variable value as number., xrefs: 00B58191
Failed to write literal flag., xrefs: 00B581C0

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get numeric.$Failed to get string.$Failed to get version.$Failed to write included flag.$Failed to write literal flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.$feclient.dll
API String ID: 3168844106-2118673349
Opcode ID: c20e004551b2d438e6723ed320190f0e593cf77440bef57a9fcfe24edaec7f0b
Instruction ID: 5b9ed9d4e0cee2174365b05e81fc3e8712aff7452b3ad33b318e4793fd87f1ff
Opcode Fuzzy Hash: c20e004551b2d438e6723ed320190f0e593cf77440bef57a9fcfe24edaec7f0b
Instruction Fuzzy Hash: 10717032901A1AEBDF12AEA4CD45BAE7BE5FF08312F1441E1ED0177161DB31DD199B90

Function 00B69692 Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,00B6A724,?,00000000,00000000,00000000,?), ref: 00B696AD
GetLastError.KERNEL32(?,00B6A724,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B696BD

Part of subcall function 00B93933: Sleep.KERNEL32(?,00000000,?,00B684D1,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,00B54DFD), ref: 00B9394A

CloseHandle.KERNEL32(00000000,?,00000001,00000003,000007D0,00000000,00000000), ref: 00B697C9

Strings

Failed to verify payload signature: %ls, xrefs: 00B69718
Failed to copy %ls to %ls, xrefs: 00B697B7
Failed to open payload in working path: %ls, xrefs: 00B696EC
Copying, xrefs: 00B69768, 00B69773
c:\agent\_work\66\s\src\burn\user\cache.cpp, xrefs: 00B696E1
Moving, xrefs: 00B6975F
Failed to verify payload hash: %ls, xrefs: 00B69755
%ls payload from working path '%ls' to path '%ls', xrefs: 00B69774
Failed to move %ls to %ls, xrefs: 00B697A1

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastSleep
String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$c:\agent\_work\66\s\src\burn\user\cache.cpp
API String ID: 1275171361-540362316
Opcode ID: 0d0264d26fd6a17d37cacd830dd63217835855936a0487ac2798169147089972
Instruction ID: f0a578b3b233e5c580d98166bd7ea13a6a43b8a4050cdf3a4635bea5e24b4721
Opcode Fuzzy Hash: 0d0264d26fd6a17d37cacd830dd63217835855936a0487ac2798169147089972
Instruction Fuzzy Hash: 773144B2951231BBDB222E148C86FBB2ADCDF42F61F0901D5FD10BB291E7788D0086E1

Function 00B565DC Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 117COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 00B56618

Part of subcall function 00B9038A: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00B55EE0,00000000), ref: 00B9039E
Part of subcall function 00B9038A: GetProcAddress.KERNEL32(00000000), ref: 00B903A5
Part of subcall function 00B9038A: GetLastError.KERNEL32(?,?,?,00B55EE0,00000000), ref: 00B903BC

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00B56644
GetLastError.KERNEL32 ref: 00B56652
GetSystemWow64DirectoryW.KERNEL32(?,00000104,00000000), ref: 00B5668A
GetLastError.KERNEL32 ref: 00B56694
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00B566D7
GetLastError.KERNEL32 ref: 00B566E1

Strings

Failed to backslash terminate system folder., xrefs: 00B56724
Failed to get 64-bit system folder., xrefs: 00B56680
Failed to set system folder variant value., xrefs: 00B56740
c:\agent\_work\66\s\src\burn\user\variable.cpp, xrefs: 00B56676, 00B566B8
Failed to get 32-bit system folder., xrefs: 00B566C2

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$DirectorySystem$AddressCurrentHandleModuleProcProcessWow64
String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$c:\agent\_work\66\s\src\burn\user\variable.cpp
API String ID: 325818893-3341528362
Opcode ID: 8ae574aedc7a733e6d23dc09524c112bd532ada88c67f6448fc7f47a65a1c021
Instruction ID: 57d13744a399b92a4c1ba5964fd76acc3b6969c9872158bd08d42dfd73229934
Opcode Fuzzy Hash: 8ae574aedc7a733e6d23dc09524c112bd532ada88c67f6448fc7f47a65a1c021
Instruction Fuzzy Hash: 21314772D41235A7DB2167648C4DFDA77E8AF04B56F4141E5BD04F7180EA788D488AE1

Function 00B63F22 Relevance: 19.7, APIs: 1, Strings: 12, Instructions: 225sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B63A2C: RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000000,?,?,?,?,00B63F3C,feclient.dll,?,00000000,?,?,?,00B54B57), ref: 00B63ACD

Sleep.KERNEL32(000007D0,00000001,feclient.dll,?,00000000,?,?,?,00B54B57,?,?,00B9A488,?,00000001,00000000,00000000), ref: 00B63FD3

Strings

clbcatq.dll, xrefs: 00B64112
msasn1.dll, xrefs: 00B640EF, 00B64130
Failed to open log: %ls, xrefs: 00B6404B
crypt32.dll, xrefs: 00B63F79, 00B63FDE, 00B63FE6, 00B64049, 00B6408B, 00B640CE, 00B640ED, 00B6412B, 00B64155
Failed to get non-session specific TEMP folder., xrefs: 00B64081
Setup, xrefs: 00B63F80
feclient.dll, xrefs: 00B63F36, 00B63FE3
Failed to copy log path to prefix., xrefs: 00B640FB
Failed to copy log extension to extension., xrefs: 00B6411E
log, xrefs: 00B63F7A
Failed to get current directory., xrefs: 00B63FB5
Failed to copy full log path to prefix., xrefs: 00B6413C

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseSleep
String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$clbcatq.dll$crypt32.dll$feclient.dll$log$msasn1.dll
API String ID: 2834455192-2673269691
Opcode ID: 93bc0b63c3733514ee7b4db584d395b81e4824be64ac940d861fbb7d31007d2e
Instruction ID: c7c9be0e0abd43f9e160277f0cc255f4c6a8ed359f967be60d3ae68ba83cd581
Opcode Fuzzy Hash: 93bc0b63c3733514ee7b4db584d395b81e4824be64ac940d861fbb7d31007d2e
Instruction Fuzzy Hash: 6A61C171A00626AEDF269B64CC82B3A7BF8EF12750F1485E5FC01DB150E779ED4087A1

Function 00B56DCB Relevance: 19.7, APIs: 2, Strings: 11, Instructions: 164COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00B553FA,00000000,00B55482,00000000,?,00B582B1,?,?,?,00000000,00000000), ref: 00B56DDA

Part of subcall function 00B556E2: CompareStringW.KERNELBASE(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,00B565B1,00B565B1,?,00B55678,?,?,00000000), ref: 00B5571E
Part of subcall function 00B556E2: GetLastError.KERNEL32(?,00B55678,?,?,00000000,?,?,00B565B1,?,00B57F03,?,?,?,?,?), ref: 00B5574D

LeaveCriticalSection.KERNEL32(00000000,?,?,00000000,00000000,00000000), ref: 00B56F6A

Strings

Setting numeric variable '%ls' to value %lld, xrefs: 00B56F0B
Setting string variable '%ls' to value '%ls', xrefs: 00B56EFA, 00B56F02
Attempt to set built-in variable value: %ls, xrefs: 00B56E68
Failed to insert variable '%ls'., xrefs: 00B56E1F
Failed to find variable value '%ls'., xrefs: 00B56DF5
Unsetting variable '%ls', xrefs: 00B56EF3, 00B56F26
Failed to set value of variable: %ls, xrefs: 00B56F52
Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00B56EDF
Setting hidden variable '%ls', xrefs: 00B56E98
Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00B56F7C
c:\agent\_work\66\s\src\burn\user\variable.cpp, xrefs: 00B56E5D

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalSection$CompareEnterErrorLastLeaveString
String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$c:\agent\_work\66\s\src\burn\user\variable.cpp
API String ID: 2716280545-3393465121
Opcode ID: 9e8db929b0e4d97bddf3ca8169ef0354677004a0875d52b1165b883b3f34c89f
Instruction ID: f4ecd1b6e666e59daaef06e5d15c3a3e447d49adf50e00515c685239735d15e1
Opcode Fuzzy Hash: 9e8db929b0e4d97bddf3ca8169ef0354677004a0875d52b1165b883b3f34c89f
Instruction Fuzzy Hash: 9E51C071A01251ABCF309E54DC8AF6B7BE8EB95706F6401E9FC405B292C375DD49CAA0

Function 00B88C92 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B88CD6

Part of subcall function 00B8880C: _free.LIBCMT ref: 00B88829
Part of subcall function 00B8880C: _free.LIBCMT ref: 00B8883B
Part of subcall function 00B8880C: _free.LIBCMT ref: 00B8884D
Part of subcall function 00B8880C: _free.LIBCMT ref: 00B8885F
Part of subcall function 00B8880C: _free.LIBCMT ref: 00B88871
Part of subcall function 00B8880C: _free.LIBCMT ref: 00B88883
Part of subcall function 00B8880C: _free.LIBCMT ref: 00B88895
Part of subcall function 00B8880C: _free.LIBCMT ref: 00B888A7
Part of subcall function 00B8880C: _free.LIBCMT ref: 00B888B9
Part of subcall function 00B8880C: _free.LIBCMT ref: 00B888CB
Part of subcall function 00B8880C: _free.LIBCMT ref: 00B888DD
Part of subcall function 00B8880C: _free.LIBCMT ref: 00B888EF
Part of subcall function 00B8880C: _free.LIBCMT ref: 00B88901

_free.LIBCMT ref: 00B88CCB

Part of subcall function 00B85CE8: HeapFree.KERNEL32(00000000,00000000,?,00B889A1,?,00000000,?,00000000,?,00B889C8,?,00000007,?,?,00B88E2A,?), ref: 00B85CFE
Part of subcall function 00B85CE8: GetLastError.KERNEL32(?,?,00B889A1,?,00000000,?,00000000,?,00B889C8,?,00000007,?,?,00B88E2A,?,?), ref: 00B85D10

_free.LIBCMT ref: 00B88CED
_free.LIBCMT ref: 00B88D02
_free.LIBCMT ref: 00B88D0D
_free.LIBCMT ref: 00B88D2F
_free.LIBCMT ref: 00B88D42
_free.LIBCMT ref: 00B88D50
_free.LIBCMT ref: 00B88D5B
_free.LIBCMT ref: 00B88D93
_free.LIBCMT ref: 00B88D9A
_free.LIBCMT ref: 00B88DB7
_free.LIBCMT ref: 00B88DCF

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 507d75ff42ab32fa6673c4c12e545af66c2f37f66a1349880a758a0eb1bd5941
Instruction ID: e4c8f662214d474d9201aeb2815f003d0e92c975d1ac2103dde48bf2539900b4
Opcode Fuzzy Hash: 507d75ff42ab32fa6673c4c12e545af66c2f37f66a1349880a758a0eb1bd5941
Instruction Fuzzy Hash: C73106326007059FEB31BA69D945B5AB3E9FF10310FA044AAE459D61B2DE71A890CF20

Function 00B62C15 Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 298COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,006C0064,000000FF,00007070,000000FF,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 00B62C83

Strings

Failed to add self-dependent to ignore dependents., xrefs: 00B62D07
crypt32.dll, xrefs: 00B62CCE, 00B62DC8, 00B62EBD, 00B62F32
wininet.dll, xrefs: 00B62ED0
Failed to create the string dictionary., xrefs: 00B62CBC
Failed to add dependent bundle provider key to ignore dependents., xrefs: 00B62DED
Failed to allocate registration action., xrefs: 00B62CEC
Failed to check for remaining dependents during planning., xrefs: 00B62E29
Failed to add registration action for dependent related bundle., xrefs: 00B62F85
Failed to add dependents ignored from command-line., xrefs: 00B62D38
Failed to add registration action for self dependent., xrefs: 00B62F50

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CompareString
String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.$crypt32.dll$wininet.dll
API String ID: 1825529933-1705955799
Opcode ID: 87fae19c994adbb610b88f5fee41d1ff39e452b4807fc8605e3f8b581b2eb04c
Instruction ID: bced98195e808a9bb2353705dda545e5c72ceff52bd73b9501cd79a003d0c643
Opcode Fuzzy Hash: 87fae19c994adbb610b88f5fee41d1ff39e452b4807fc8605e3f8b581b2eb04c
Instruction Fuzzy Hash: 26B18B71A04A26EFEF299F54C881AAE7BF5FF04310F1081B9F818AB251D739D951CB91

Function 00B6F748 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 186COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00B6F784
UuidCreate.RPCRT4(?), ref: 00B6F867
StringFromGUID2.OLE32(?,?,00000027), ref: 00B6F888
LeaveCriticalSection.KERNEL32(?,?), ref: 00B6F931

Strings

c:\agent\_work\66\s\src\burn\user\userforapplication.cpp, xrefs: 00B6F89D
Failed to default local update source, xrefs: 00B6F7F4
Failed to convert bundle update guid into string., xrefs: 00B6F8A7
update\%ls, xrefs: 00B6F7E0
Failed to set update bundle., xrefs: 00B6F90B
Failed to recreate command-line for update bundle., xrefs: 00B6F84F
Failed to create bundle update guid., xrefs: 00B6F874

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalSection$CreateEnterFromLeaveStringUuid
String ID: Failed to convert bundle update guid into string.$Failed to create bundle update guid.$Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$c:\agent\_work\66\s\src\burn\user\userforapplication.cpp$update\%ls
API String ID: 171215650-494903540
Opcode ID: 56f3eb4ace354c972baed4e66661c00445b6f9be566e9c121acb096b144e0a29
Instruction ID: bf94cd08541dbd25a7778b8f05fcc20462443ad390c82a7e76f2cb4c81a507af
Opcode Fuzzy Hash: 56f3eb4ace354c972baed4e66661c00445b6f9be566e9c121acb096b144e0a29
Instruction Fuzzy Hash: 60515A31940216EBCF219FA4E885EBE7BF4EB09750F1541F9F909AB261D7399C40DB90

Function 00B54B2A Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 143windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00B54CA9
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B54CBA

Strings

Failed to create the message window., xrefs: 00B54BDD
Failed while running , xrefs: 00B54C6F
Failed to check global conditions, xrefs: 00B54B8E
Failed to set action variables., xrefs: 00B54C09
Failed to query registration., xrefs: 00B54BF3
Failed to set registration variables., xrefs: 00B54C23
WixBundleLayoutDirectory, xrefs: 00B54C3A
Failed to set layout directory variable to value provided from command-line., xrefs: 00B54C4B
Failed to open log., xrefs: 00B54B5D

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: MessagePostWindow
String ID: Failed to check global conditions$Failed to create the message window.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
API String ID: 3618638489-3051724725
Opcode ID: 0b101b5ceb8f7c8405f57e1fd33d5ba522955410826c803d834be8eb3408324f
Instruction ID: 6ed04ec5cac0289592cafa0f2aef0d9935070ea54c4e933fe9c9b20cc2ce2756
Opcode Fuzzy Hash: 0b101b5ceb8f7c8405f57e1fd33d5ba522955410826c803d834be8eb3408324f
Instruction Fuzzy Hash: B5411771A01A16BBDF265A20CC85FBAB6ECFF0075AF0042E5BC15A2150DBB0ED98D7D1

Function 00B6EE9A Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 00B539DF: GetProcessHeap.KERNEL32(?,000001C7,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F0
Part of subcall function 00B539DF: RtlAllocateHeap.NTDLL(00000000,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F7

EnterCriticalSection.KERNEL32(?,00000014,00000001), ref: 00B6EEB7
LeaveCriticalSection.KERNEL32(?), ref: 00B6EFE4

Strings

c:\agent\_work\66\s\src\burn\user\userforapplication.cpp, xrefs: 00B6EFC5
user is active, cannot change user state., xrefs: 00B6EED2
Failed to post launch approved exe message., xrefs: 00B6EFCF
Failed to copy the id., xrefs: 00B6EF49
Failed to copy the arguments., xrefs: 00B6EF76
UX requested unknown approved exe with id: %ls, xrefs: 00B6EF17

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalHeapSection$AllocateEnterLeaveProcess
String ID: user is active, cannot change user state.$Failed to copy the arguments.$Failed to copy the id.$Failed to post launch approved exe message.$UX requested unknown approved exe with id: %ls$c:\agent\_work\66\s\src\burn\user\userforapplication.cpp
API String ID: 1367039788-2920183924
Opcode ID: 90573490e3c5a63dfe03767a29991f8b67a4e2a370323a16d19d2d3debce794e
Instruction ID: 59a659f20159610665513adc960ad8d9cac732f4e9a01243e1cb12991e74a38d
Opcode Fuzzy Hash: 90573490e3c5a63dfe03767a29991f8b67a4e2a370323a16d19d2d3debce794e
Instruction Fuzzy Hash: A631F736A00225AFEB219F74DC45E6A7BE8EF01761B0180E1FD15EB251EA79DD00D7E0

Function 00B6957D Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,00B6A6B7,?,00000000,00000000,00000000,?), ref: 00B69598
GetLastError.KERNEL32(?,00B6A6B7,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B695A6

Part of subcall function 00B93933: Sleep.KERNEL32(?,00000000,?,00B684D1,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,00B54DFD), ref: 00B9394A

CloseHandle.KERNEL32(00000000,?,00000001,00000003,000007D0,00000000,00000000), ref: 00B69684

Strings

Failed to copy %ls to %ls, xrefs: 00B69672
Copying, xrefs: 00B69623, 00B6962E
Failed to verify container hash: %ls, xrefs: 00B69607
c:\agent\_work\66\s\src\burn\user\cache.cpp, xrefs: 00B695CA
Failed to open container in working path: %ls, xrefs: 00B695D5
Moving, xrefs: 00B6961A
Failed to move %ls to %ls, xrefs: 00B6965C
%ls container from working path '%ls' to path '%ls', xrefs: 00B6962F

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLastSleep
String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$c:\agent\_work\66\s\src\burn\user\cache.cpp
API String ID: 1275171361-3604842143
Opcode ID: 22e38e9999836174bc3496f1afc1361d6e4947566fcd14d2094f324914bca921
Instruction ID: 6b0e46ff55e6a9c954ebf61f0630170016a2787af50871ce172c3d4c6cdf8cd3
Opcode Fuzzy Hash: 22e38e9999836174bc3496f1afc1361d6e4947566fcd14d2094f324914bca921
Instruction Fuzzy Hash: 972106B2E813257BDB221A14DC46FAB26DCDB92B20F1501D5FE017B2D1D6B99D00C6E5

Function 00B56F94 Relevance: 18.2, APIs: 2, Strings: 10, Instructions: 226COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00B56FC1
LeaveCriticalSection.KERNEL32(?), ref: 00B571CD

Strings

Failed to read variable included flag., xrefs: 00B571BD
Failed to set variable., xrefs: 00B571A1
Failed to read variable name., xrefs: 00B571B6
Failed to read variable value type., xrefs: 00B571AF
Failed to read variable literal flag., xrefs: 00B571A8
Unsupported variable type., xrefs: 00B57193
Failed to set variable value., xrefs: 00B57180
Failed to read variable count., xrefs: 00B56FE1
Failed to read variable value as string., xrefs: 00B5719A
Failed to read variable value as number., xrefs: 00B57187

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable literal flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable value.$Failed to set variable.$Unsupported variable type.
API String ID: 3168844106-528957463
Opcode ID: 9d3c1f83078f5588122cc0a7da60dbc67723799e634e7c8b4f5e2156808f7fc6
Instruction ID: d39fbd3cb683c9e9efa58634df5fbd865c8405f7bab761582b3fd91e552036aa
Opcode Fuzzy Hash: 9d3c1f83078f5588122cc0a7da60dbc67723799e634e7c8b4f5e2156808f7fc6
Instruction Fuzzy Hash: 24716F31E4461ABBDF11AEA4EC45FAE7BF9EB04711F1081E1FD10B6160DA31DE099BA0

Function 00B93D01 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 251fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 00B93D7E
GetLastError.KERNEL32 ref: 00B93D94
GetFileSizeEx.KERNEL32(00000000,?), ref: 00B93DE4
GetLastError.KERNEL32 ref: 00B93DEE
SetFilePointer.KERNEL32(00000000,?,?,00000001), ref: 00B93E42
GetLastError.KERNEL32 ref: 00B93E4D
ReadFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,00000001), ref: 00B93F3C
CloseHandle.KERNEL32(?), ref: 00B93FAF

Strings

c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp, xrefs: 00B93D21, 00B93DCD, 00B93E0E, 00B93F92

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: File$ErrorLast$CloseCreateHandlePointerReadSize
String ID: c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp
API String ID: 3286166115-1688708105
Opcode ID: 5a5b71bdd387f518055cf2e48295a726424d2001793f858f1c76056a45490ecc
Instruction ID: fe5ab1d72fa6ec8186beabc4d9ce0a7f1cc676c03250be72b79a87db68be2b0d
Opcode Fuzzy Hash: 5a5b71bdd387f518055cf2e48295a726424d2001793f858f1c76056a45490ecc
Instruction Fuzzy Hash: CD81C532E40616ABDF218F698C45B6A7AE8EF40F60F1541F9FD15EB290D678CF0087A5

Function 00B53171 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 209COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000040,00000000,00000000), ref: 00B531BC
GetLastError.KERNEL32 ref: 00B531C2
ExpandEnvironmentStringsW.KERNEL32(00000040,00000000,00000040,00000000,00000000), ref: 00B5321C
GetLastError.KERNEL32 ref: 00B53222
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B532D6
GetLastError.KERNEL32 ref: 00B532E0
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B53336
GetLastError.KERNEL32 ref: 00B53340

Strings

c:\agent\_work\66\s\src\libs\dutil\pathutil.cpp, xrefs: 00B531E6
@, xrefs: 00B53196

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
String ID: @$c:\agent\_work\66\s\src\libs\dutil\pathutil.cpp
API String ID: 1547313835-1835649624
Opcode ID: 120b5c81e7c4f92c61e0e19d1e0cbfca835b7f28c6e64f3f73c648e0b9dedca1
Instruction ID: 7854b31af60e7aa3529f0cc56b63908423a1d10d9b016f05e2d6db5770e5b508
Opcode Fuzzy Hash: 120b5c81e7c4f92c61e0e19d1e0cbfca835b7f28c6e64f3f73c648e0b9dedca1
Instruction Fuzzy Hash: 0061B573D00629ABDB219AE48845B9E7BF4AF04BD2F1141D5EE00BB350EB369F0897D4

Function 00B52EBC Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 202sleepfiletimeCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000000,00000000,00000000), ref: 00B52F5C
GetLastError.KERNEL32 ref: 00B52F66
GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00B53006
CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 00B53093
GetLastError.KERNEL32 ref: 00B530A0
Sleep.KERNEL32(00000064), ref: 00B530B4
CloseHandle.KERNEL32(?), ref: 00B5311C

Strings

c:\agent\_work\66\s\src\libs\dutil\pathutil.cpp, xrefs: 00B52F8A
4#v, xrefs: 00B52F5C
%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 00B53063

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime
String ID: 4#v$%ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$c:\agent\_work\66\s\src\libs\dutil\pathutil.cpp
API String ID: 3480017824-1603677465
Opcode ID: 90395f7ecd5a4419bbc36c13cfb4f3b66fc009461607ce54d4921d2ce04c1ddf
Instruction ID: f400814b0b47f03548500146b57742b5b1f6850c63a1e39ba2168c935615fdc4
Opcode Fuzzy Hash: 90395f7ecd5a4419bbc36c13cfb4f3b66fc009461607ce54d4921d2ce04c1ddf
Instruction Fuzzy Hash: A7718272D02239ABDB309B64DD89BA9B7F8EB08B51F1401E5BD08B7290D7349E85CF50

Function 00B96527 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 164COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,7622DFD0,?,00B96A99,?,?), ref: 00B9657D
SysFreeString.OLEAUT32(00000000), ref: 00B965E8
SysFreeString.OLEAUT32(00000000), ref: 00B96660
SysFreeString.OLEAUT32(00000000), ref: 00B9669F

Strings

label, xrefs: 00B9656F
term, xrefs: 00B965B0
`Dv, xrefs: 00B965E8, 00B96660, 00B9669F
scheme, xrefs: 00B96590

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: String$Free$Compare
String ID: `Dv$label$scheme$term
API String ID: 1324494773-22456348
Opcode ID: a68b78119e64f9a5c34429163a71b5996ca6c17164fe458d98dfffc0a13dc8e6
Instruction ID: 0220259b3f0c4796ba631b62ec7ac616ca17f133407bab13f8831aa2311f1e6d
Opcode Fuzzy Hash: a68b78119e64f9a5c34429163a71b5996ca6c17164fe458d98dfffc0a13dc8e6
Instruction Fuzzy Hash: 02513B31901219EBCF15DBA4C984FEEBBF9EF04715F2142E9E911AB1A1DB31AE00DB50

Function 00B64D1A Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 121COMMON

Download Yara Rule

APIs

UuidCreate.RPCRT4(?), ref: 00B64D4D
StringFromGUID2.OLE32(?,?,00000027), ref: 00B64D7C
UuidCreate.RPCRT4(?), ref: 00B64DC7
StringFromGUID2.OLE32(?,?,00000027), ref: 00B64DF3

Strings

Failed to create pipe guid., xrefs: 00B64D5A
Failed to allocate pipe name., xrefs: 00B64DBC
Failed to allocate pipe secret., xrefs: 00B64E1C
Failed to convert pipe guid into string., xrefs: 00B64D99
BurnPipe.%s, xrefs: 00B64DA8
c:\agent\_work\66\s\src\burn\user\pipe.cpp, xrefs: 00B64D8D, 00B64DDA

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CreateFromStringUuid
String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$c:\agent\_work\66\s\src\burn\user\pipe.cpp
API String ID: 4041566446-1070039060
Opcode ID: 4bbcc72057ab7a0f2dfb836c39f27744b8ff564cf33825711818f7bd25fc976b
Instruction ID: 7d561a35a7753030777713e1cc84c4eb4e62380dd38752b69a3e1e6b0b03497d
Opcode Fuzzy Hash: 4bbcc72057ab7a0f2dfb836c39f27744b8ff564cf33825711818f7bd25fc976b
Instruction Fuzzy Hash: 96418D32D04708ABDB11DBE4C945EDEB7F8AB55B11F2041B6F905BB250DB799E08CB90

Function 00B6E8CE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 100threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00B554CB,?,?), ref: 00B6E8EE
GetLastError.KERNEL32(?,00B554CB,?,?), ref: 00B6E8FB
CreateThread.KERNEL32(00000000,00000000,00B6E60C,?,00000000,00000000), ref: 00B6E954
GetLastError.KERNEL32(?,00B554CB,?,?), ref: 00B6E961
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,00B554CB,?,?), ref: 00B6E99C
CloseHandle.KERNEL32(00000000,?,00B554CB,?,?), ref: 00B6E9BB
CloseHandle.KERNEL32(?,?,00B554CB,?,?), ref: 00B6E9C8

Strings

Failed to create the UI thread., xrefs: 00B6E98C
Failed to create initialization event., xrefs: 00B6E926
c:\agent\_work\66\s\src\burn\user\uithread.cpp, xrefs: 00B6E91C, 00B6E982

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$c:\agent\_work\66\s\src\burn\user\uithread.cpp
API String ID: 2351989216-1290259148
Opcode ID: 2f2e6cca4fdfb4c91ac884c23ac88546a8ff65f7b3e18ea5741facb062c93b76
Instruction ID: 189cfcfea3baeb60e598661d314342e28759c011dc1de78ad548d142ca60fcce
Opcode Fuzzy Hash: 2f2e6cca4fdfb4c91ac884c23ac88546a8ff65f7b3e18ea5741facb062c93b76
Instruction Fuzzy Hash: 3B31A77AD00226BBDB109F998D84A9FBAF8FF04750F1140A6F915F7290E638DE0087E1

Function 00B6E4A1 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 96threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,00B554CB,?,?), ref: 00B6E4C2
GetLastError.KERNEL32(?,?,00B554CB,?,?), ref: 00B6E4CF
CreateThread.KERNEL32(00000000,00000000,00B6E226,00000000,00000000,00000000), ref: 00B6E52E
GetLastError.KERNEL32(?,?,00B554CB,?,?), ref: 00B6E53B
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00B554CB,?,?), ref: 00B6E576
CloseHandle.KERNEL32(?,?,?,00B554CB,?,?), ref: 00B6E58A
CloseHandle.KERNEL32(?,?,?,00B554CB,?,?), ref: 00B6E597

Strings

Failed to create UI thread., xrefs: 00B6E566
c:\agent\_work\66\s\src\burn\user\splashscreen.cpp, xrefs: 00B6E4F0, 00B6E55C
Failed to create modal event., xrefs: 00B6E4FA

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create UI thread.$Failed to create modal event.$c:\agent\_work\66\s\src\burn\user\splashscreen.cpp
API String ID: 2351989216-1795443032
Opcode ID: 28facaea6b912a7db567db87dac00efc1088d54fe4da8ff6bd3915a6c5b88f47
Instruction ID: a71a459371d7be3320f1dc5caa17197b8017f89ae2506ce6f714d611413da817
Opcode Fuzzy Hash: 28facaea6b912a7db567db87dac00efc1088d54fe4da8ff6bd3915a6c5b88f47
Instruction Fuzzy Hash: 4E31977AD00226BBD7219B99DC05A9FBBF8EB45750F1041A6FD11F7250EA389A00CB91

Function 00B71286 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 87threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,76232F60,?,?), ref: 00B712AA
GetLastError.KERNEL32 ref: 00B712BD
GetExitCodeThread.KERNEL32(00B9A488,00000000), ref: 00B712FF
GetLastError.KERNEL32 ref: 00B7130D
ResetEvent.KERNEL32(00B9A460), ref: 00B71348
GetLastError.KERNEL32 ref: 00B71352

Strings

Failed to reset operation complete event., xrefs: 00B71383
Failed to get extraction thread exit code., xrefs: 00B7133E
c:\agent\_work\66\s\src\burn\user\cabextract.cpp, xrefs: 00B712E4, 00B71334, 00B71379
Failed to wait for operation complete event., xrefs: 00B712EE

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$c:\agent\_work\66\s\src\burn\user\cabextract.cpp
API String ID: 2979751695-3513947302
Opcode ID: 1a6e87535a076bd5bb39d5dab62352d1c828668abd8d046b5f54bf6085ab7edd
Instruction ID: 1aa2bdd5127542b9cb19a55ba83866dd889ebc2ffdc8426f15713877c8ad24dd
Opcode Fuzzy Hash: 1a6e87535a076bd5bb39d5dab62352d1c828668abd8d046b5f54bf6085ab7edd
Instruction Fuzzy Hash: 7F316470A40306FBE7109F6D8D05BBE76E8EB04701F1085E5F959EA1A0EA39DA049B65

Function 00B713A0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00B9A478,?,00000000,?,00B5C198,?,00B553FA,00000000,?,00B67740,?,00B556AA,00B554B6,00B554B6,00000000,?), ref: 00B713BD
GetLastError.KERNEL32(?,00B5C198,?,00B553FA,00000000,?,00B67740,?,00B556AA,00B554B6,00B554B6,00000000,?,00B554C6,FFF9E89D,00B554C6), ref: 00B713C7
WaitForSingleObject.KERNEL32(00B9A488,000000FF,?,00B5C198,?,00B553FA,00000000,?,00B67740,?,00B556AA,00B554B6,00B554B6,00000000,?,00B554C6), ref: 00B71401
GetLastError.KERNEL32(?,00B5C198,?,00B553FA,00000000,?,00B67740,?,00B556AA,00B554B6,00B554B6,00000000,?,00B554C6,FFF9E89D,00B554C6), ref: 00B7140B
CloseHandle.KERNEL32(00000000,00B554C6,?,00000000,?,00B5C198,?,00B553FA,00000000,?,00B67740,?,00B556AA,00B554B6,00B554B6,00000000), ref: 00B71456
CloseHandle.KERNEL32(00000000,00B554C6,?,00000000,?,00B5C198,?,00B553FA,00000000,?,00B67740,?,00B556AA,00B554B6,00B554B6,00000000), ref: 00B71465
CloseHandle.KERNEL32(00000000,00B554C6,?,00000000,?,00B5C198,?,00B553FA,00000000,?,00B67740,?,00B556AA,00B554B6,00B554B6,00000000), ref: 00B71474

Strings

Failed to set begin operation event., xrefs: 00B713F5
Failed to wait for thread to terminate., xrefs: 00B71439
c:\agent\_work\66\s\src\burn\user\cabextract.cpp, xrefs: 00B713EB, 00B7142F

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseHandle$ErrorLast$EventObjectSingleWait
String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$c:\agent\_work\66\s\src\burn\user\cabextract.cpp
API String ID: 1206859064-3195532870
Opcode ID: 1dccfc1223bab1856344db94a8c46e1705cc5ba64a271e03ac69171d80ec0d35
Instruction ID: e1bddb8f7e412b858ce329e56a791c300a50dad7569540e93e410cda2930297a
Opcode Fuzzy Hash: 1dccfc1223bab1856344db94a8c46e1705cc5ba64a271e03ac69171d80ec0d35
Instruction Fuzzy Hash: D3213533500A22B7D7215B2DDD09B45BAE4FF04722F0182A1E91C36AA0D779EC60CEE4

Function 00B64177 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00B8FDEF: EnterCriticalSection.KERNEL32(00BBB5D4,00000000,?,?,?,00B64192,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00B55537,?), ref: 00B8FDFF
Part of subcall function 00B8FDEF: LeaveCriticalSection.KERNEL32(00BBB5D4,?,?,00BBB5CC,?,00B64192,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00B55537,?), ref: 00B8FF46

OpenEventLogW.ADVAPI32(00000000,Application), ref: 00B6419D
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00B641A9
ReportEventW.ADVAPI32(00000000,00000001,00000001,00000001,00000000,00000001,00000000,00BA2C44,00000000), ref: 00B641F6
CloseEventLog.ADVAPI32(00000000), ref: 00B641FD

Strings

_Failed, xrefs: 00B64182
Failed to open Application event log, xrefs: 00B641D7
Application, xrefs: 00B64197
Setup, xrefs: 00B64187
txt, xrefs: 00B6417D
c:\agent\_work\66\s\src\burn\user\logging.cpp, xrefs: 00B641CD

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Event$CriticalSection$CloseEnterErrorLastLeaveOpenReport
String ID: Application$Failed to open Application event log$Setup$_Failed$c:\agent\_work\66\s\src\burn\user\logging.cpp$txt
API String ID: 1844635321-1705914837
Opcode ID: 1ea229a15e5aa3a05f85e6907817b1faee67477ec6bedb92bdad1abcfb57be3a
Instruction ID: 24af1112597144d782272d52100d395b63ef539ae4b5c15bad4428c6cfda7f69
Opcode Fuzzy Hash: 1ea229a15e5aa3a05f85e6907817b1faee67477ec6bedb92bdad1abcfb57be3a
Instruction Fuzzy Hash: DEF0A436989A723A6336272A6D1AD7B1DECDAC3F7171101E9FD40F6161EB4C4C4181F1

Function 00B692CD Relevance: 16.7, APIs: 2, Strings: 9, Instructions: 232COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 00B69380
GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 00B693A8

Strings

$, xrefs: 00B6947F
Could not verify file %ls., xrefs: 00B694E9
Failed to get file hash., xrefs: 00B693D2
c:\agent\_work\66\s\src\burn\user\cache.cpp, xrefs: 00B693C8, 00B694DC, 00B6952D
Could not close verify handle., xrefs: 00B69537
Failed to encode file hash., xrefs: 00B69433
Failed to allocate string., xrefs: 00B69416
0, xrefs: 00B69440
Failed to allocate memory, xrefs: 00B6933E

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast
String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$c:\agent\_work\66\s\src\burn\user\cache.cpp
API String ID: 1452528299-3123085469
Opcode ID: 9336950ae09d41fa7491eea6daa8f0fc70e044d775851ccd90ea77f6f63f974f
Instruction ID: fb11e81af262b176da2e70db66f1bfbe8e89c8a8fd7842e4c24ad997c6b5126f
Opcode Fuzzy Hash: 9336950ae09d41fa7491eea6daa8f0fc70e044d775851ccd90ea77f6f63f974f
Instruction Fuzzy Hash: 85818472D002299BDF21DBA4C841BEEB7F8EF08750F1541A5ED15BB291E7389D45CBA0

Function 00B6E3C8 Relevance: 16.6, APIs: 11, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00B6E3D3
DefWindowProcW.USER32(?,00000082,?,?), ref: 00B6E411
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00B6E41E
SetWindowLongW.USER32(?,000000EB,?), ref: 00B6E42D
DefWindowProcW.USER32(?,?,?,?), ref: 00B6E43B
CreateCompatibleDC.GDI32(?), ref: 00B6E447
SelectObject.GDI32(00000000,00000000), ref: 00B6E458
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00B6E47A
SelectObject.GDI32(00000000,00000000), ref: 00B6E482
DeleteDC.GDI32(00000000), ref: 00B6E485
PostQuitMessage.USER32(00000000), ref: 00B6E493

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
String ID:
API String ID: 409979828-0
Opcode ID: 1dbd53e6f66f10c7a946fd81fb1ebfaab6b5900a7f28675e44d72428e82bd03d
Instruction ID: 5566fd4e18e519bccd85d1a203ad7e2ea06b113aa3f9b8b4bd1eb3879e6f005b
Opcode Fuzzy Hash: 1dbd53e6f66f10c7a946fd81fb1ebfaab6b5900a7f28675e44d72428e82bd03d
Instruction Fuzzy Hash: CA21AC36104204FFDB155FB8DD9CE7F3FA9FB49320B05455AF626972A0CA358810DBA1

Function 00B6A00C Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 226COMMON

Download Yara Rule

Strings

Failed to get bundle layout directory property., xrefs: 00B6A164
WixBundleOriginalSource, xrefs: 00B6A090
Failed to combine last source with source., xrefs: 00B6A0EE
WixBundleLastUsedSource, xrefs: 00B6A075
WixBundleLayoutDirectory, xrefs: 00B6A149
Failed to get current process directory., xrefs: 00B6A0CF
Failed to combine layout source with source., xrefs: 00B6A183
Failed to copy source path., xrefs: 00B6A1FD

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Find$CloseFileFirstlstrlen
String ID: Failed to combine last source with source.$Failed to combine layout source with source.$Failed to copy source path.$Failed to get bundle layout directory property.$Failed to get current process directory.$WixBundleLastUsedSource$WixBundleLayoutDirectory$WixBundleOriginalSource
API String ID: 2767606509-3003062821
Opcode ID: 650f3d4d5ba6013b9826aeaad6a453e623be072a428910b5b53e0a3ad154e05d
Instruction ID: 377052ae37c27d573b2713bc71c8befb4cd67a5c2e5ea4bc1abd457cacbcaa35
Opcode Fuzzy Hash: 650f3d4d5ba6013b9826aeaad6a453e623be072a428910b5b53e0a3ad154e05d
Instruction Fuzzy Hash: A2816C72D01219AFCF11DFA8D981AAEBBF5EF09710F1041A9E911B7260DB79AD01CF61

Function 00B5CB82 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 143COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,FFFEB88D,000000FF,00000001,000000FF,?,00000001,00B553FA,00000000,00B554C6,00B55482,WixBundleUILevel,840F01E8,?,00000001), ref: 00B5CBD9

Strings

Failed to ensure directory exists, xrefs: 00B5CCAB
Failed to find embedded payload: %ls, xrefs: 00B5CC05
c:\agent\_work\66\s\src\burn\user\payload.cpp, xrefs: 00B5CCDA
Failed to extract file., xrefs: 00B5CCA4
Failed to get next stream., xrefs: 00B5CCC0
Failed to concat file paths., xrefs: 00B5CCB9
Payload was not found in container: %ls, xrefs: 00B5CCE6
Failed to get directory portion of local file path, xrefs: 00B5CCB2

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CompareString
String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$c:\agent\_work\66\s\src\burn\user\payload.cpp
API String ID: 1825529933-3317369491
Opcode ID: ae22734664d6eb9343e2c6b59152a4cb2c11208631eeb646a1056a47058608b4
Instruction ID: 74bd7aa66dc8e2b5ce71e335c14181b93301dab8b410da239a1ec46931938ede
Opcode Fuzzy Hash: ae22734664d6eb9343e2c6b59152a4cb2c11208631eeb646a1056a47058608b4
Instruction Fuzzy Hash: 8A419D31901315AFCF15DF94C981BAEBFE6EF40712B1081E6EC19AB251D6719D48DB90

Function 00B547DF Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 127windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 00B54804
GetCurrentThreadId.KERNEL32 ref: 00B5480A
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B54898

Strings

c:\agent\_work\66\s\src\burn\user\user.cpp, xrefs: 00B548E4
wininet.dll, xrefs: 00B54837
Failed to create user for UX., xrefs: 00B54824
Failed to load UX., xrefs: 00B5484D
Unexpected return value from message pump., xrefs: 00B548EE
Failed to start bootstrapper application., xrefs: 00B54866

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create user for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$c:\agent\_work\66\s\src\burn\user\user.cpp$wininet.dll
API String ID: 673430819-1140212773
Opcode ID: 6b60af254eee0186fd9ff9108d395488a718ec21aa3b9fc3e376b8fb3d172fa6
Instruction ID: 7bccdc6f6bdc79bc7714451707140c80262370df7d3933dfeca2e8fb631e77a3
Opcode Fuzzy Hash: 6b60af254eee0186fd9ff9108d395488a718ec21aa3b9fc3e376b8fb3d172fa6
Instruction Fuzzy Hash: F241B071600615BFEB149BA4DC86FBBB3ECEF0431AF1001E5F915E7290DB24AD8987A0

Function 00B799B4 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 127COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00B7AD39,?,00000001,00000000), ref: 00B79A3F
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,00B7AD39,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 00B79A49
CopyFileExW.KERNEL32(00000000,00000000,00B7988D,?,?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00B79A97
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,00B7AD39,?,00000001,00000000,00000000,00000000,00000001,00000000), ref: 00B79AC6

Strings

Failed attempt to copy payload from: '%ls' to: %ls., xrefs: 00B79AF8
c:\agent\_work\66\s\src\burn\user\apply.cpp, xrefs: 00B79A6D, 00B79AB1, 00B79AEA
copy, xrefs: 00B79A0D
BA aborted copy of payload from: '%ls' to: %ls., xrefs: 00B79ABF
Failed to clear readonly bit on payload destination path: %ls, xrefs: 00B79A78

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorFileLast$AttributesCopy
String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$c:\agent\_work\66\s\src\burn\user\apply.cpp$copy
API String ID: 1969131206-3140072123
Opcode ID: 7ddc047b9cb90f3bc1d41922db6c3d07f07d516007c56a8969b236132ab71032
Instruction ID: 59d1ae824796380244304beefbc6adfbd9b833d6ba3b7c5a6b6a14444e492796
Opcode Fuzzy Hash: 7ddc047b9cb90f3bc1d41922db6c3d07f07d516007c56a8969b236132ab71032
Instruction Fuzzy Hash: 76311772702121B7EB209A558C86E6B77E8EF82B51B15C1E9FD2DEB250D664CD00C7E0

Function 00B68D91 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 125COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,?,00000001,80000005,?,00000000,00000000,00000000,00000003,000007D0), ref: 00B68EDC

Strings

Failed to allocate access for Users group to path: %ls, xrefs: 00B68E47
Failed to allocate access for Administrators group to path: %ls, xrefs: 00B68DE4
Failed to create ACL to secure cache path: %ls, xrefs: 00B68E90
c:\agent\_work\66\s\src\burn\user\cache.cpp, xrefs: 00B68E85
Failed to allocate access for Everyone group to path: %ls, xrefs: 00B68E26
Failed to allocate access for SYSTEM group to path: %ls, xrefs: 00B68E05
Failed to secure cache path: %ls, xrefs: 00B68EBF

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: FreeLocal
String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$c:\agent\_work\66\s\src\burn\user\cache.cpp
API String ID: 2826327444-3220527011
Opcode ID: a4f7f488bee6b77d0709d407a07a6d6a7576b3981a8637365fc0372ed9b1f0f4
Instruction ID: 549676a541446f28e768c03608c4c2876608a9b8085382710100a431b5d5dea0
Opcode Fuzzy Hash: a4f7f488bee6b77d0709d407a07a6d6a7576b3981a8637365fc0372ed9b1f0f4
Instruction Fuzzy Hash: DB31F572E40229B7DB3196508C46FBF76E8AB41B50F5142E5FA04BB1C0DEBA9D44C790

Function 00B96402 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 113COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,name,000000FF,00000000,00000000,00000000,?,7622DFD0), ref: 00B96461
CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,email,000000FF), ref: 00B9647E
SysFreeString.OLEAUT32(00000000), ref: 00B964BC
SysFreeString.OLEAUT32(00000000), ref: 00B96500

Strings

name, xrefs: 00B96453
uri, xrefs: 00B9648C
`Dv, xrefs: 00B964BC, 00B96500
email, xrefs: 00B96470

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: String$CompareFree
String ID: `Dv$email$name$uri
API String ID: 3589242889-3963012511
Opcode ID: 5e3fa4e9381637298a40eb450d314d534d7f070cc30514aeabdf2bd5e782b353
Instruction ID: 7a47cb5c4bde4ffce4840614bdcf3bb4d9cb89a9d93e5aea0b28bb53772b286b
Opcode Fuzzy Hash: 5e3fa4e9381637298a40eb450d314d534d7f070cc30514aeabdf2bd5e782b353
Instruction Fuzzy Hash: 08412C35905219BBCF119BD4CD45FAEB7B4EF04725F2182A4E911AB3A0CB759E04DB50

Function 00B5F3F9 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 108stringCOMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00B5F432

Part of subcall function 00B5415F: CreateDirectoryW.KERNELBASE(?,840F01E8,00000000,00000000,?,00B69FBC,00000000,00000000,?,00000000,00B553FA,00000000,?,?,00B5D567,?), ref: 00B5416D
Part of subcall function 00B5415F: GetLastError.KERNEL32(?,00B69FBC,00000000,00000000,?,00000000,00B553FA,00000000,?,?,00B5D567,?,00000000,00000000), ref: 00B5417B

lstrlenA.KERNEL32(002E0032,00000000,00000094,00000000,00000094,crypt32.dll,crypt32.dll,00B60458,swidtag,00000094,00B9A500,00330074,00B60458,00000000,crypt32.dll,00000000), ref: 00B5F485

Part of subcall function 00B945C9: CreateFileW.KERNEL32(002E0032,40000000,00000001,00000000,00000002,00000080,00000000,00B60458,00000000,?,00B5F49C,00B9A500,00000080,002E0032,00000000), ref: 00B945E1
Part of subcall function 00B945C9: GetLastError.KERNEL32(?,00B5F49C,00B9A500,00000080,002E0032,00000000,?,00B60458,crypt32.dll,00000094,?,?,?,?,?,00000000), ref: 00B945EE

Strings

crypt32.dll, xrefs: 00B5F422, 00B5F45F, 00B5F460
Failed to write tag xml to file: %ls, xrefs: 00B5F4C3
swidtag, xrefs: 00B5F445
Failed to create regid folder: %ls, xrefs: 00B5F4CD
Failed to format tag folder path., xrefs: 00B5F4EB
Failed to allocate regid folder path., xrefs: 00B5F4E4
Failed to allocate regid file path., xrefs: 00B5F4DD

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$crypt32.dll$swidtag
API String ID: 904508749-2959304021
Opcode ID: 049cc134022b56da18b114f29723ff3c9846855173e4f3a08886f9776069a08d
Instruction ID: 31aeb0ed6de4b3e76e4938e46a58b6b43cb13f84f6b162f85d7bacc8448731be
Opcode Fuzzy Hash: 049cc134022b56da18b114f29723ff3c9846855173e4f3a08886f9776069a08d
Instruction Fuzzy Hash: 39317E31D40226BBCF11ABA4DC41BAEFBF5EF04711F1081F6ED14AA261E7709E549B90

Function 00B6E10F Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(?,00000001), ref: 00B6E145
GetLastError.KERNEL32 ref: 00B6E151
GetObjectW.GDI32(00000000,00000018,?), ref: 00B6E198
GetCursorPos.USER32(?), ref: 00B6E1B9
MonitorFromPoint.USER32(?,?,00000002), ref: 00B6E1CB
GetMonitorInfoW.USER32(00000000,?), ref: 00B6E1E1

Strings

(, xrefs: 00B6E1D8
Failed to load splash screen bitmap., xrefs: 00B6E17F
c:\agent\_work\66\s\src\burn\user\splashscreen.cpp, xrefs: 00B6E175

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
String ID: ($Failed to load splash screen bitmap.$c:\agent\_work\66\s\src\burn\user\splashscreen.cpp
API String ID: 2342928100-3540601290
Opcode ID: c22f2a089719f4dc189c5fe5e284fe9442f281f3dfea290a78a83094d357a32a
Instruction ID: 880cb9a5a8867a186b273dbbadc6a36ced2e3b925f229a17e7dcbc95c257128f
Opcode Fuzzy Hash: c22f2a089719f4dc189c5fe5e284fe9442f281f3dfea290a78a83094d357a32a
Instruction Fuzzy Hash: 8D315E75A00215AFDB10DFA8D989A9EBBF5FF08710F158165F914EB281EB74E904CBA0

Function 00B65053 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 83COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,?,?,00B9A500), ref: 00B6505C
GetProcessId.KERNEL32(000000FF,?,?,open,00000000,00000000,?,000000FF,?,?), ref: 00B650FA
CloseHandle.KERNEL32(00000000), ref: 00B65113

Strings

Failed to launch elevated child process: %ls, xrefs: 00B650E7
Failed to allocate parameters for elevated process., xrefs: 00B65095
runas, xrefs: 00B650BA
-q -%ls %ls %ls %u, xrefs: 00B65081
burn.elevated, xrefs: 00B6507C
open, xrefs: 00B650C4, 00B650D2

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Process$CloseCurrentHandle
String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
API String ID: 2815245435-1352204306
Opcode ID: ed85417c5f9e2cf220b800e0a8e6c8077fb533fa7b491a3a25226d360524fc16
Instruction ID: 17a7b031766361dfb5ed93083be0c5b74da75c3f59e5999e913a8d32276f456f
Opcode Fuzzy Hash: ed85417c5f9e2cf220b800e0a8e6c8077fb533fa7b491a3a25226d360524fc16
Instruction Fuzzy Hash: 522148B1900619FFCF11AF94DC818AEBBF8EF06754F1080AAF801A2211DB359F60DB90

Function 00B56898 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 74libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 00B568C2
GetProcAddress.KERNEL32(00000000), ref: 00B568C9
GetLastError.KERNEL32 ref: 00B568D3

Strings

Failed to get msi.dll version info., xrefs: 00B5691B
Failed to set variant value., xrefs: 00B5693F
Failed to find DllGetVersion entry point in msi.dll., xrefs: 00B56901
DllGetVersion, xrefs: 00B568B4
msi, xrefs: 00B568B9
c:\agent\_work\66\s\src\burn\user\variable.cpp, xrefs: 00B568F7

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$c:\agent\_work\66\s\src\burn\user\variable.cpp$msi
API String ID: 4275029093-3573271201
Opcode ID: 881c5e1b8c45853ddfcaf848476bb206eaa5162a9edf5d68782d2c5c62046b83
Instruction ID: 8726a29f53af07bf72d4030c1af7824406239e3e0b48bdbdfefa79d1ceca949a
Opcode Fuzzy Hash: 881c5e1b8c45853ddfcaf848476bb206eaa5162a9edf5d68782d2c5c62046b83
Instruction Fuzzy Hash: 9711B472A0063567DB1077689D52BBEBBE4EB08B11B5101E5BE05F7291DA749C0882E1

Function 00B5D679 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,00B54847,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00B554CB,?), ref: 00B5D68A
GetLastError.KERNEL32(?,00B54847,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00B554CB,?,?), ref: 00B5D697
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 00B5D6CF
GetLastError.KERNEL32(?,00B54847,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00B554CB,?,?), ref: 00B5D6DB

Strings

Failed to load UX DLL., xrefs: 00B5D6C2
BootstrapperApplicationCreate, xrefs: 00B5D6C9
Failed to create UX., xrefs: 00B5D71F
c:\agent\_work\66\s\src\burn\user\userexperience.cpp, xrefs: 00B5D6B8, 00B5D6FC
Failed to get BootstrapperApplicationCreate entry-point, xrefs: 00B5D706

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$c:\agent\_work\66\s\src\burn\user\userexperience.cpp
API String ID: 1866314245-3967977479
Opcode ID: 8d06aaefba565f07bf60979fd813c55edb55c01447860f3af74b89636d1f748b
Instruction ID: 473891827762d8f0beb182637b1b093f4ab73268650f24ae52a0199281eac74d
Opcode Fuzzy Hash: 8d06aaefba565f07bf60979fd813c55edb55c01447860f3af74b89636d1f748b
Instruction Fuzzy Hash: CC11E337A80B33A7DB315AA49C15F6B3AD4AF04B62F0142F6FE05FB290EA14DC044AD0

Function 00B51173 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 52libraryloadermemoryCOMMON

Download Yara Rule

APIs

HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00B5111A,cabinet.dll,00000009,?,?,00000000), ref: 00B51184
GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,00B5111A,cabinet.dll,00000009,?,?,00000000), ref: 00B5118F
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B5119D
GetLastError.KERNEL32(?,?,?,?,?,00B5111A,cabinet.dll,00000009,?,?,00000000), ref: 00B511B8
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B511C0
GetLastError.KERNEL32(?,?,?,?,?,00B5111A,cabinet.dll,00000009,?,?,00000000), ref: 00B511D5

Strings

SetDefaultDllDirectories, xrefs: 00B51197
SetDllDirectoryW, xrefs: 00B511BA
kernel32, xrefs: 00B5118A

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AddressErrorLastProc$HandleHeapInformationModule
String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
API String ID: 3104334766-1824683568
Opcode ID: 29f2693c149869cc7881dc70ac5a9be4c96b3514855c9ac0d75f1f2f34b24fab
Instruction ID: 04691a468e14d710889ef8c015797e29ab769c61ff4e9a436d3d596015814087
Opcode Fuzzy Hash: 29f2693c149869cc7881dc70ac5a9be4c96b3514855c9ac0d75f1f2f34b24fab
Instruction Fuzzy Hash: 2C017531300616BB9B106B6A9C05F5B7B9CEB5076271140E1BE05A2050DA74D9498BF2

Function 00B6F47A Relevance: 15.2, APIs: 2, Strings: 8, Instructions: 154COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00B6F48F
LeaveCriticalSection.KERNEL32(?), ref: 00B6F60A

Strings

user is active, cannot change user state., xrefs: 00B6F4A9
UX requested unknown payload with id: %ls, xrefs: 00B6F4E4
UX denied while trying to set download URL on embedded payload: %ls, xrefs: 00B6F4FA
Failed to set download password., xrefs: 00B6F5B8
UX did not provide container or payload id., xrefs: 00B6F5F9
Failed to set download URL., xrefs: 00B6F569
UX requested unknown container with id: %ls, xrefs: 00B6F534
Failed to set download user., xrefs: 00B6F592

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: user is active, cannot change user state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-2615595102
Opcode ID: 34a9cc5763da1dec05e98edc54157e12ed09c5f26573bf5ffdb625fdc384a409
Instruction ID: d09e4fc251d9cd20acd4175a8fb1f1ba861f31ba1046bfc8724f232f7905b6d2
Opcode Fuzzy Hash: 34a9cc5763da1dec05e98edc54157e12ed09c5f26573bf5ffdb625fdc384a409
Instruction Fuzzy Hash: 4F41DA72905213ABCB119F64E946B7A77E8EF21711F1581F6FC06A7250EB78ED40C7A0

Function 00B85835 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B85849

Part of subcall function 00B85CE8: HeapFree.KERNEL32(00000000,00000000,?,00B889A1,?,00000000,?,00000000,?,00B889C8,?,00000007,?,?,00B88E2A,?), ref: 00B85CFE
Part of subcall function 00B85CE8: GetLastError.KERNEL32(?,?,00B889A1,?,00000000,?,00000000,?,00B889C8,?,00000007,?,?,00B88E2A,?,?), ref: 00B85D10

_free.LIBCMT ref: 00B85855
_free.LIBCMT ref: 00B85860
_free.LIBCMT ref: 00B8586B
_free.LIBCMT ref: 00B85876
_free.LIBCMT ref: 00B85881
_free.LIBCMT ref: 00B8588C
_free.LIBCMT ref: 00B85897
_free.LIBCMT ref: 00B858A2
_free.LIBCMT ref: 00B858B0

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5495dfa285b08603ac3259fefdf7fa3ef390f709c03a198fa5f956e453aabe2c
Instruction ID: dc4159d356c84f8512cbe7df7934597ec4f83fb64cec78e8fb03e49fc253e8e4
Opcode Fuzzy Hash: 5495dfa285b08603ac3259fefdf7fa3ef390f709c03a198fa5f956e453aabe2c
Instruction Fuzzy Hash: 6D114476510608AFCB51FF55C942CDD7BA5FF05350B9181A5BA089B632DA31EEA0DF80

Function 00B95253 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 195filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000410,000000FF,?,00000000,00000000), ref: 00B95290
GetLastError.KERNEL32 ref: 00B9529E
VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 00B952DF
GetLastError.KERNEL32 ref: 00B952EC
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B9545F
CloseHandle.KERNEL32(?), ref: 00B9546E

Strings

c:\agent\_work\66\s\src\libs\dutil\dlutil.cpp, xrefs: 00B952C2
GET, xrefs: 00B95393

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
String ID: GET$c:\agent\_work\66\s\src\libs\dutil\dlutil.cpp
API String ID: 2028584396-547604341
Opcode ID: 90c6615c9269bfa415333a55e0a3e517a7c478576e5cb8933e62b22f2d96e7df
Instruction ID: a2aff7b609d013a821c6e92edbf5d176eb27e95a026611878960ab7f2d15d392
Opcode Fuzzy Hash: 90c6615c9269bfa415333a55e0a3e517a7c478576e5cb8933e62b22f2d96e7df
Instruction Fuzzy Hash: 67618A7298061AABDF22CFA4C884BEE7BF8EF08351F1141A9FD05B7250D7B4D8408B94

Function 00B60BE7 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 00B60FB3: CompareStringW.KERNEL32(00000000,00000000,feclient.dll,000000FF,00000000,000000FF,00000000,00000000,?,?,00B60C06,?,00000000,?,00000000,00000000), ref: 00B60FE2

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,00000000,?,00000000,00000001,?,?,00000000,?,00000000), ref: 00B60D8A
GetLastError.KERNEL32 ref: 00B60D97

Strings

Failed to append rollback cache action., xrefs: 00B60C66
Failed to append cache action., xrefs: 00B60CE1
Failed to append payload cache action., xrefs: 00B60D41
Failed to append package start action., xrefs: 00B60C2C
c:\agent\_work\66\s\src\burn\user\plan.cpp, xrefs: 00B60DBB
Failed to create syncpoint event., xrefs: 00B60DC5

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CompareCreateErrorEventLastString
String ID: Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$c:\agent\_work\66\s\src\burn\user\plan.cpp
API String ID: 801187047-574661624
Opcode ID: fd501e15ae05dae7dbe37b1e4d45e057ef233141ea432b626d099535f6f514c2
Instruction ID: 251164ac9c9868eab4c6cbcaa56892f7a86b023c1f53db5b86916ea184ea1de7
Opcode Fuzzy Hash: fd501e15ae05dae7dbe37b1e4d45e057ef233141ea432b626d099535f6f514c2
Instruction Fuzzy Hash: 96615A75510605AFCB05EF59C980AAEBBF9FF84310F2184AAEC059B311EB35EE41DB50

Function 00B966D4 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 158COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,7622DFD0,000000FF,type,000000FF,?,7622DFD0,7622DFD0,7622DFD0), ref: 00B9672A
SysFreeString.OLEAUT32(00000000), ref: 00B96775
SysFreeString.OLEAUT32(00000000), ref: 00B967F1
SysFreeString.OLEAUT32(00000000), ref: 00B9683D

Strings

`Dv, xrefs: 00B96775, 00B967F1, 00B9683D
url, xrefs: 00B9673D
type, xrefs: 00B9671C

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: String$Free$Compare
String ID: `Dv$type$url
API String ID: 1324494773-3411263640
Opcode ID: 0faf6143120958b1fa687da34d571aec2f4f3730f27547b6022bdb447ff9cca9
Instruction ID: 1e58b79e2f5f520df5da1292f1e8e6127fbf74173141591d93530c4a34f0a056
Opcode Fuzzy Hash: 0faf6143120958b1fa687da34d571aec2f4f3730f27547b6022bdb447ff9cca9
Instruction Fuzzy Hash: AB511A35901219EFCF15DBA4C884EAEBBF8EF04715F2442FAE811AB1A0DB359E00DB50

Function 00B59E89 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 146COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00B59EAF
_MREFOpen@16.MSPDB140-MSVCRT ref: 00B59ED4

Strings

Failed to set variable., xrefs: 00B59FB8
Failed to format product code string., xrefs: 00B59EDF
Failed to format component id string., xrefs: 00B59EBA
Failed to get component path: %d, xrefs: 00B59F38
MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 00B59FC8

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Open@16
String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
API String ID: 3613110473-1671347822
Opcode ID: b145f2dd75347df412cc39b529f7a9dfce0c5a522b735f88f1bf8c73dc054538
Instruction ID: 692c18b87c56205ba906eb75939a3ff360d85c8f48f865b0f184aa0be2b86adc
Opcode Fuzzy Hash: b145f2dd75347df412cc39b529f7a9dfce0c5a522b735f88f1bf8c73dc054538
Instruction Fuzzy Hash: 5441E672904305FBCF25AB688C86BBEB7E9EF04311F2445E2FD04E11A1D771A958D791

Function 00B648B9 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 116fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000001,00000008,?,00000000,?,00000000,00000000,00000001,00000000,?,?,?,00000000,crypt32.dll,00000000), ref: 00B648E4
GetLastError.KERNEL32 ref: 00B648F1
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 00B6499C
GetLastError.KERNEL32 ref: 00B649A6

Strings

Failed to read data for message., xrefs: 00B649D4
Failed to allocate data for message., xrefs: 00B6495A
c:\agent\_work\66\s\src\burn\user\pipe.cpp, xrefs: 00B64950, 00B64967, 00B649CA
Failed to read message from pipe., xrefs: 00B64971

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$c:\agent\_work\66\s\src\burn\user\pipe.cpp
API String ID: 1948546556-3469126999
Opcode ID: 3daf5113ede0b5c2aafdb44a77c77c433c5135eba13da0435545b835705d4319
Instruction ID: 7ac5fda43ea2a054f13ab523c921171d594f3eca301b4532a13a3d95d408d6a2
Opcode Fuzzy Hash: 3daf5113ede0b5c2aafdb44a77c77c433c5135eba13da0435545b835705d4319
Instruction Fuzzy Hash: 0031C632E84626BFD7109AA5CD45BAFF6E8EF01B51F1081E5BD41B62C0D7789E0087D1

Function 00B65365 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 90synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,00B554CB,00000000,00000000,?,00000000), ref: 00B6540E
GetLastError.KERNEL32(?,?,?,00B54CA6,?,?,00000000,?,?,?,?,?,?,00B9A4A0,?,?), ref: 00B65419

Strings

Failed to write restart to message buffer., xrefs: 00B653B1
Failed to write exit code to message buffer., xrefs: 00B65389
Failed to post terminate message to child process cache thread., xrefs: 00B653DD
Failed to post terminate message to child process., xrefs: 00B653F9
Failed to wait for child process exit., xrefs: 00B65447
c:\agent\_work\66\s\src\burn\user\pipe.cpp, xrefs: 00B6543D

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLastObjectSingleWait
String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$c:\agent\_work\66\s\src\burn\user\pipe.cpp
API String ID: 1211598281-389050287
Opcode ID: ea6ec139bdfdc04b95fc287bcd74b186cbe4800a4ff80caa23f4476a17112202
Instruction ID: ab6143728d301f680456a048e6594bfc3151c081ad0467c46c6fe8a5e4b82b0f
Opcode Fuzzy Hash: ea6ec139bdfdc04b95fc287bcd74b186cbe4800a4ff80caa23f4476a17112202
Instruction Fuzzy Hash: 75212D33944A26BBCB215A50DC01E9EB7E9EF00765F1042D1F90076290DB78AE60D7D4

Function 00B68F6B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000101,?,00B69DDA,00000003,000007D0,00000003,?,000007D0), ref: 00B68F85
GetLastError.KERNEL32(?,00B69DDA,00000003,000007D0,00000003,?,000007D0,?,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001,?), ref: 00B68F92
CloseHandle.KERNEL32(00000000,?,00B69DDA,00000003,000007D0,00000003,?,000007D0,?,000007D0,00000000,00000003,00000000,00000003,000007D0,00000001), ref: 00B6905A

Strings

Failed to verify hash of payload: %ls, xrefs: 00B69045
Failed to verify signature of payload: %ls, xrefs: 00B69002
Failed to open payload at path: %ls, xrefs: 00B68FD6
c:\agent\_work\66\s\src\burn\user\cache.cpp, xrefs: 00B68FC9
Failed to verify catalog signature of payload: %ls, xrefs: 00B69021

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$c:\agent\_work\66\s\src\burn\user\cache.cpp
API String ID: 2528220319-1480445316
Opcode ID: 72ad4caef6e5c0d72aea82d1fed20dfaaee4d6805c0d605f7e522ff5e3f105ff
Instruction ID: 8d5edeeec17b8a4f775fef37e11cb56534aa468c6c3e7de12228c6217647fbcb
Opcode Fuzzy Hash: 72ad4caef6e5c0d72aea82d1fed20dfaaee4d6805c0d605f7e522ff5e3f105ff
Instruction Fuzzy Hash: 3C213232940525F7CB321A649C45FAA3BEDFF05774F1082A2FE10662A0973D9C60DAD1

Function 00B56B30 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00B56B7B
GetLastError.KERNEL32 ref: 00B56B85
GetVolumePathNameW.KERNEL32(?,?,00000104), ref: 00B56BC9
GetLastError.KERNEL32 ref: 00B56BD3

Strings

Failed to set variant value., xrefs: 00B56C1D
Failed to get windows directory., xrefs: 00B56BB3
Failed to get volume path name., xrefs: 00B56C01
c:\agent\_work\66\s\src\burn\user\variable.cpp, xrefs: 00B56BA9, 00B56BF7

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$DirectoryNamePathVolumeWindows
String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$c:\agent\_work\66\s\src\burn\user\variable.cpp
API String ID: 124030351-26183806
Opcode ID: c2a02251301ec7c1163b4b92a98bbd2b0a2864ce68518f80eb86ac066b6c4a56
Instruction ID: 1c3a5a568c40bf9ca70511a8731f2114d5ce8fb26566450935d729615c4aae14
Opcode Fuzzy Hash: c2a02251301ec7c1163b4b92a98bbd2b0a2864ce68518f80eb86ac066b6c4a56
Instruction Fuzzy Hash: EB21F7B3E4123967DB20A6649D06F9A77ECDF40B11F5141F6BE04F7281EA38DE0486E5

Function 00B59C2D Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 82COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00B59C46
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,00B5A86A,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 00B59C5E
GetLastError.KERNEL32(?,00B5A86A,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00B59C6B

Strings

Failed to set variable., xrefs: 00B59CF4
Failed get to file attributes. '%ls', xrefs: 00B59CA8
c:\agent\_work\66\s\src\burn\user\search.cpp, xrefs: 00B59C9B
File search: %ls, did not find path: %ls, xrefs: 00B59CBD
Failed to format variable string., xrefs: 00B59C51

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$c:\agent\_work\66\s\src\burn\user\search.cpp
API String ID: 1811509786-3902182656
Opcode ID: 79f3c84f069c19b08e386598c6bd4f7b99ac68283cbf144afdedf4fef9aea6dc
Instruction ID: f9779b4bd862b5423b807da5cfb19d5f4a8daf8fe04334cb75a1ec3c7f1f4d9b
Opcode Fuzzy Hash: 79f3c84f069c19b08e386598c6bd4f7b99ac68283cbf144afdedf4fef9aea6dc
Instruction Fuzzy Hash: B5210432900121FBDF1267649D46BAEBAE5EF01722F2142F5FD01B61A1EB719D0496D0

Function 00B6AC12 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,?), ref: 00B6AC29
GetLastError.KERNEL32 ref: 00B6AC33
CoInitializeEx.OLE32(00000000,00000000), ref: 00B6AC72
CoUninitialize.OLE32(?,00B6C5CA,?,?), ref: 00B6ACAF

Strings

Failed to set elevated cache pipe into thread local storage for logging., xrefs: 00B6AC61
Failed to initialize COM., xrefs: 00B6AC7E
c:\agent\_work\66\s\src\burn\user\elevation.cpp, xrefs: 00B6AC57
Failed to pump messages in child process., xrefs: 00B6AC9D

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorInitializeLastUninitializeValue
String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$c:\agent\_work\66\s\src\burn\user\elevation.cpp
API String ID: 876858697-588708458
Opcode ID: 7b12d7afd50b8a4c0ce54ab2faa202d7443ecbcc589b9437e07de30e64366500
Instruction ID: 1a3f4adcf3a11665d12ff98d13cc5342ab73002d2252fabfe58d6f5c2395983c
Opcode Fuzzy Hash: 7b12d7afd50b8a4c0ce54ab2faa202d7443ecbcc589b9437e07de30e64366500
Instruction Fuzzy Hash: B51106739455317BCB112764DC09D6BBFE8EF01B60B1141E6FD01B7250EB68AD008BD6

Function 00B55D14 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 53registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00B55D9A

Part of subcall function 00B9095E: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00B909D4
Part of subcall function 00B9095E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00B90A0C

Strings

CommonFilesDir, xrefs: 00B55D22, 00B55D56, 00B55D65
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00B55D37
Failed to read folder path for '%ls'., xrefs: 00B55D66
Failed to ensure path was backslash terminated., xrefs: 00B55D84
ProgramFilesDir, xrefs: 00B55D29
Failed to open Windows folder key., xrefs: 00B55D4C
+, xrefs: 00B55D1C

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: QueryValue$Close
String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
API String ID: 1979452859-3209209246
Opcode ID: 719f73f9801d15ce1a53191a311e9606724d2bc9e4aeffc19866a99146b4fc45
Instruction ID: 605183101fd23a74e5ab9b74f2a1ae8969046a9f1dd9ed509f0b0ec1361b2dcc
Opcode Fuzzy Hash: 719f73f9801d15ce1a53191a311e9606724d2bc9e4aeffc19866a99146b4fc45
Instruction Fuzzy Hash: 2E019233A40628BBCF216A54ED6AF9E7EF8DB41762F1081F5FC08762A1D6719A04D6D0

Function 00B79FA3 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 173COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,00000000,00000000,?), ref: 00B7A070
GetLastError.KERNEL32(?,?,?,00000000,00000000,?), ref: 00B7A07A

Strings

Failed attempt to download URL: '%ls' to: '%ls', xrefs: 00B7A157
c:\agent\_work\66\s\src\burn\user\apply.cpp, xrefs: 00B7A09E
download, xrefs: 00B7A03A
:, xrefs: 00B7A0F3
Failed to clear readonly bit on payload destination path: %ls, xrefs: 00B7A0A9

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: :$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$c:\agent\_work\66\s\src\burn\user\apply.cpp$download
API String ID: 1799206407-2514864748
Opcode ID: 07f32c2acd3ec9a2f73e2315ecda1e76e2e1281aee155d77546a269b9ad24a40
Instruction ID: d341e44170d2a2022ff910e113fce98556af5e65b07442c5dfbf8199eb5f4195
Opcode Fuzzy Hash: 07f32c2acd3ec9a2f73e2315ecda1e76e2e1281aee155d77546a269b9ad24a40
Instruction Fuzzy Hash: 1351B071A00219ABDB10DFA8C891AAEB7F4FF45710F10C499E829FB250E375EA40CB91

Function 00B97C88 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 00B539DF: GetProcessHeap.KERNEL32(?,000001C7,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F0
Part of subcall function 00B539DF: RtlAllocateHeap.NTDLL(00000000,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F7

CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000410,?,?,00B78D9E,000002C0,00000100), ref: 00B97CB6
CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,00B78D9E,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 00B97CD1

Strings

http://appsyndication.org/2006/appsyn, xrefs: 00B97CA9
c:\agent\_work\66\s\src\libs\dutil\apuputil.cpp, xrefs: 00B97D6C
application, xrefs: 00B97CC3
type, xrefs: 00B97CF8

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CompareHeapString$AllocateProcess
String ID: application$c:\agent\_work\66\s\src\libs\dutil\apuputil.cpp$http://appsyndication.org/2006/appsyn$type
API String ID: 2664528157-536847345
Opcode ID: d644f078bed6082a8323eb71eab5c0a8dd7d17303372c14fa046b2a970ac3d49
Instruction ID: eac988ff13fd5c5221daaa6c959d87561630a794d7059b3f6c3ff1e749212f09
Opcode Fuzzy Hash: d644f078bed6082a8323eb71eab5c0a8dd7d17303372c14fa046b2a970ac3d49
Instruction Fuzzy Hash: A751C071698601ABEF209F14CC82F6A77E5EF04760F2085E8F925AB2D1DA74ED408B50

Function 00B95C9E Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 153fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00B95CFA
DeleteFileW.KERNEL32(00000410,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 00B95DF1
CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000410,?,?,?,00000078,000000FF,?,?,00000078), ref: 00B95E00

Strings

c:\agent\_work\66\s\src\libs\dutil\dlutil.cpp, xrefs: 00B95D1E
Burn, xrefs: 00B95CE9
DownloadTimeout, xrefs: 00B95D33
WiX\Burn, xrefs: 00B95D38

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseDeleteErrorFileHandleLast
String ID: Burn$DownloadTimeout$WiX\Burn$c:\agent\_work\66\s\src\libs\dutil\dlutil.cpp
API String ID: 3522763407-1474791565
Opcode ID: 0a1d1aa287f0ef4c39e767651f46cf32b8c3bfc401bed5efe889289d3b761688
Instruction ID: d9a0554ee67ba09d8ea4168fb26861109268397ebf062a9a5f5b7989c1b64ee8
Opcode Fuzzy Hash: 0a1d1aa287f0ef4c39e767651f46cf32b8c3bfc401bed5efe889289d3b761688
Instruction Fuzzy Hash: 43515A72D40619BBDF22DFA4CC45EEEBBF9EF08710F1041A5FA14E6190E7359A109BA0

Function 00B69158 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00B691E6

Part of subcall function 00B94ED0: GetLastError.KERNEL32(?,?,00B6920B,?,00000003,00B554C6,?), ref: 00B94EEF

_memcmp.LIBVCRUNTIME ref: 00B69220
GetLastError.KERNEL32 ref: 00B69298

Strings

Failed to get certificate public key identifier., xrefs: 00B692C6
c:\agent\_work\66\s\src\burn\user\cache.cpp, xrefs: 00B692BC
Failed to find expected public key in certificate chain., xrefs: 00B6925B
Failed to read certificate thumbprint., xrefs: 00B6928C

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast_memcmp
String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$c:\agent\_work\66\s\src\burn\user\cache.cpp
API String ID: 3428363238-3038490147
Opcode ID: f8a7a2f58aed80f3c60b35e8874408f0cd81b7a2d198b38bf9f3768362933dcb
Instruction ID: f552b3f92d958e8a20bbd8b8cc9e91a31b04a77a8d743b56143cc485a08c5148
Opcode Fuzzy Hash: f8a7a2f58aed80f3c60b35e8874408f0cd81b7a2d198b38bf9f3768362933dcb
Instruction Fuzzy Hash: 38414E72E0021AABDB10DBA5C891EAEB7FCFF08750F1541A5EA14F7251D678ED04CBA4

Function 00B60539 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 132registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,00000001,00000000,?), ref: 00B6066A
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,00000001,00000000,?), ref: 00B60679

Part of subcall function 00B904A5: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,00B605B1,?,00000000,00020006), ref: 00B904CA

Strings

Failed to delete registration key: %ls, xrefs: 00B60618
Failed to update resume mode., xrefs: 00B6064E
Failed to open registration key., xrefs: 00B606AF
%ls.RebootRequired, xrefs: 00B60587
Failed to write volatile reboot required registry key., xrefs: 00B605B5

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Close$Create
String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.
API String ID: 359002179-2517785395
Opcode ID: 595a6fb30e61218c2eacea936abfff043f3bc6a8f1dd50b2e4f98f0024e198a2
Instruction ID: e8c48cb6d34cd20a7caeff50a6b445b49901e29cbb17b2c1bd797e1dfe4a20b6
Opcode Fuzzy Hash: 595a6fb30e61218c2eacea936abfff043f3bc6a8f1dd50b2e4f98f0024e198a2
Instruction Fuzzy Hash: 2E418D32910315FADF22BFA1DC42EAF7BF9EF90711F1040A9F90162161D7759A60DB61

Function 00B5F7B4 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 116registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00B5F8E4
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00B5F8F1

Strings

Failed to format pending restart registry key to read., xrefs: 00B5F7E8
Resume, xrefs: 00B5F858
Failed to open registration key., xrefs: 00B5F84D
%ls.RebootRequired, xrefs: 00B5F7D1
Failed to read Resume value., xrefs: 00B5F87A

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: 9b08333cf59a2685060228fc31411b8ba41ac848f87237ce5082f8c218481b14
Instruction ID: 4f0161f04ab0f72f70844007eb2c6f2e0959daf00784f3726c7588165ea331e4
Opcode Fuzzy Hash: 9b08333cf59a2685060228fc31411b8ba41ac848f87237ce5082f8c218481b14
Instruction Fuzzy Hash: B741383190021AEFDB119F98C981BB9FBE4FF05311F1581F6ED10AB260D371AE489B91

Function 00B73727 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 111COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00B7378E

Strings

Failed to append property string part., xrefs: 00B73802
%s%="%s", xrefs: 00B737C1
feclient.dll, xrefs: 00B73769, 00B7378A
Failed to escape string., xrefs: 00B73810
Failed to format property value., xrefs: 00B73817
Failed to format property string part., xrefs: 00B73809

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Open@16
String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.$feclient.dll
API String ID: 3613110473-656185529
Opcode ID: be19f720846059fa55946b33beb316814d7271ffe2c03690749fd0b724e9463b
Instruction ID: 4ee513534e88100b8a1fa543faaefd9998532f52c345f3e24f3c3a0e9453e5c7
Opcode Fuzzy Hash: be19f720846059fa55946b33beb316814d7271ffe2c03690749fd0b724e9463b
Instruction Fuzzy Hash: 28318EB1D05229ABDF159F94DC41EAEBBF8EF00B10F1081E9F82566251E771AF10EB91

Function 00B6A8DD Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 110COMMON

Download Yara Rule

Strings

Failed to determine length of source path., xrefs: 00B6A90D
Failed to set last source., xrefs: 00B6A9CD
Failed to determine length of relative path., xrefs: 00B6A92A
WixBundleLastUsedSource, xrefs: 00B6A97C, 00B6A982, 00B6A9BE
Failed to trim source folder., xrefs: 00B6A972

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID:
String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
API String ID: 0-660234312
Opcode ID: 96a51281e11ad1414f0a853010308aef697d5540af932d87e31f5d421691e24d
Instruction ID: 1fe3c8e22cecb9dc19c70d7aad43b1a4aa80bc2589e78974ef0be3fb649534ad
Opcode Fuzzy Hash: 96a51281e11ad1414f0a853010308aef697d5540af932d87e31f5d421691e24d
Instruction Fuzzy Hash: A831EA32D05629BBCF21AA94CC41FAE7BF9EB41721F3142D2F910BB1D0DA359E409A91

Function 00B7D572 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 105comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00BB01A0,00000000,00000017,00BB01B0,?,?,00000000,00000000,?,?,?,?,?,00B7DB99,00000000,00000000), ref: 00B7D5AA

Strings

WixBurn, xrefs: 00B7D5D5
Failed to set progress timeout., xrefs: 00B7D614
Failed to create IBackgroundCopyManager., xrefs: 00B7D5B6
Failed to create BITS job., xrefs: 00B7D5E4
Failed to set notification flags for BITS job., xrefs: 00B7D5FC
Failed to set BITS job to foreground., xrefs: 00B7D62B

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CreateInstance
String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
API String ID: 542301482-468763447
Opcode ID: bff9589921a9e5731c897d4f86d0e4689c147ff75d7224da3e1de475f01feb00
Instruction ID: a85a93110d536cba66adb4cb924de8d219b3871afd79c1f02448baa0880be34a
Opcode Fuzzy Hash: bff9589921a9e5731c897d4f86d0e4689c147ff75d7224da3e1de475f01feb00
Instruction Fuzzy Hash: 2F31B431A00616AFDB15DBA8C895EBFBBF4EF49750B108199F919EB350CA70EC05CB90

Function 00B9559F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 99fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,?,?,?,?,?,WiX\Burn,DownloadTimeout,00000078), ref: 00B955E9
GetLastError.KERNEL32 ref: 00B955F6
ReadFile.KERNEL32(00000000,00000008,00000008,?,00000000), ref: 00B9563D
GetLastError.KERNEL32 ref: 00B95671
CloseHandle.KERNEL32(00000000,c:\agent\_work\66\s\src\libs\dutil\dlutil.cpp,000000C8,00000000), ref: 00B956A5

Strings

c:\agent\_work\66\s\src\libs\dutil\dlutil.cpp, xrefs: 00B9561A, 00B95695
%ls.R, xrefs: 00B955BD

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorFileLast$CloseCreateHandleRead
String ID: %ls.R$c:\agent\_work\66\s\src\libs\dutil\dlutil.cpp
API String ID: 3160720760-260802336
Opcode ID: 85cc622bc7c977128385e72980c6e5bcea7a81de4bc4d9ca3e1c49079391b3cd
Instruction ID: 44bab1cb075a39aabedd103839397dec233249b20716e762a372b44678ba2f75
Opcode Fuzzy Hash: 85cc622bc7c977128385e72980c6e5bcea7a81de4bc4d9ca3e1c49079391b3cd
Instruction Fuzzy Hash: C331D472981625ABEF328F54CD45BAE7BE4EF41721F1242A5FE01EB2D0D7749D008BA1

Function 00B5C8A5 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 97fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B5CD19: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,00B5E3ED,000000FF,00000000,00000000,00B5E3ED,?,?,00B5DB97,?,?,?,?), ref: 00B5CD44

CreateFileW.KERNEL32(E900B9AA,80000000,00000005,00000000,00000003,08000000,00000000,00B55402,?,00000000,840F01E8,E0680A79,00000001,00B553FA,00000000,00B554C6), ref: 00B5C915
GetLastError.KERNEL32(?,?,?,00B676FC,00B556AA,00B554B6,00B554B6,00000000,?,00B554C6,FFF9E89D,00B554C6,00B554FA,00B55482,?,00B55482), ref: 00B5C95A

Strings

Failed to get catalog local file path, xrefs: 00B5C998
Failed to find payload for catalog file., xrefs: 00B5C99F
Failed to open catalog in working path: %ls, xrefs: 00B5C988
c:\agent\_work\66\s\src\burn\user\catalog.cpp, xrefs: 00B5C97B
Failed to verify catalog signature: %ls, xrefs: 00B5C953

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CompareCreateErrorFileLastString
String ID: Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$c:\agent\_work\66\s\src\burn\user\catalog.cpp
API String ID: 1774366664-749786727
Opcode ID: b372d34336c3757e1f421eac72f50cc5f0f508912db05b6aea0db414c0869e3e
Instruction ID: 632d9698eec66e63f2c3a2482e4db31cece2c920ce9f88fdbf80b2410eb0318b
Opcode Fuzzy Hash: b372d34336c3757e1f421eac72f50cc5f0f508912db05b6aea0db414c0869e3e
Instruction Fuzzy Hash: 4B31D132900722BFDB129B64CC42F5ABFE5EF04751F2081E6BD19BB290E671E9408BD4

Function 00B90201 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 91processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000), ref: 00B90271
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 00B9027B
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 00B902C4
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 00B902D1

Strings

D, xrefs: 00B90259
"%ls" %ls, xrefs: 00B9023A
c:\agent\_work\66\s\src\libs\dutil\procutil.cpp, xrefs: 00B9029F

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseHandle$CreateErrorLastProcess
String ID: "%ls" %ls$D$c:\agent\_work\66\s\src\libs\dutil\procutil.cpp
API String ID: 161867955-1799623275
Opcode ID: 5ecd778b5e748fe5619624e906857cae62afd1af6b2001bb68fdaa7677d9ef5f
Instruction ID: 79a6e414d53089d4aab49d80daac7f7473a76505182fe8c48c924579bb62fd1a
Opcode Fuzzy Hash: 5ecd778b5e748fe5619624e906857cae62afd1af6b2001bb68fdaa7677d9ef5f
Instruction Fuzzy Hash: 41216171D0121EAFDF11EFE4DE459AEBBF8EF04750F1040B6EA00B7251E6709E0496A1

Function 00B7D016 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 86synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,762330B0,00000000,?,?,?,00B7D312,?), ref: 00B7D035
ReleaseMutex.KERNEL32(?,?,?,00B7D312,?), ref: 00B7D049
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B7D08E
ReleaseMutex.KERNEL32(?), ref: 00B7D0A1
SetEvent.KERNEL32(?), ref: 00B7D0AA

Strings

Failed to get message from netfx chainer., xrefs: 00B7D0CB
Failed to send files in use message from netfx chainer., xrefs: 00B7D0EE

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: MutexObjectReleaseSingleWait$Event
String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
API String ID: 2608678126-3424578679
Opcode ID: 42359208385bc0cacc9dafdfba674b3eecb3d634a53d9c9425246abf53f6aac4
Instruction ID: 64dc1363f5409e5d13681b9bb2e440ad03c01054d14a40cb6cb8fc19928081bc
Opcode Fuzzy Hash: 42359208385bc0cacc9dafdfba674b3eecb3d634a53d9c9425246abf53f6aac4
Instruction Fuzzy Hash: 7E31B63250061ABFCB019F64DC55FEDBBF8BF05320F1482A6F514A7251CB74D9559B90

Function 00B59B5C Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00B59B75
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,00B5A880,00000100,000002C0,000002C0,00000100), ref: 00B59B95
GetLastError.KERNEL32(?,00B5A880,00000100,000002C0,000002C0,00000100), ref: 00B59BA0

Strings

Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 00B59C0C
Failed to set directory search path variable., xrefs: 00B59BD1
Failed to format variable string., xrefs: 00B59B80
Failed while searching directory search: %ls, for path: %ls, xrefs: 00B59BF6

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-2966038646
Opcode ID: 9a8de0d21beaba45374a79154940fe2e135e9c98097060dad092a1bc5c66c288
Instruction ID: 3da50849147413c0baf7d28d1722c66116ac6aa2b2220c3792ec1428bba84496
Opcode Fuzzy Hash: 9a8de0d21beaba45374a79154940fe2e135e9c98097060dad092a1bc5c66c288
Instruction Fuzzy Hash: 2211F332940225FBEF122B99AE42F9DBAE5EF00722F2042E1FD00761A1D7259E54E6D1

Function 00B59D11 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00B59D2A
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,?,00B5A858,00000100,000002C0,000002C0,?,000002C0,00000100), ref: 00B59D4A
GetLastError.KERNEL32(?,00B5A858,00000100,000002C0,000002C0,?,000002C0,00000100,000002C0,000002C0,00000100), ref: 00B59D55

Strings

File search: %ls, did not find path: %ls, xrefs: 00B59DB9
Failed to format variable string., xrefs: 00B59D35
Failed to set variable to file search path., xrefs: 00B59DAD
Failed while searching file search: %ls, for path: %ls, xrefs: 00B59D83

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
API String ID: 1811509786-3425311760
Opcode ID: c36bd7c8fbb0175ec523287fb6b202353694d3566292dcd0a3ac39fec994bce1
Instruction ID: d54dd4beab0d03f89162554ef5aebb39d24879b3db3f261d3c711dab0ffd4087
Opcode Fuzzy Hash: c36bd7c8fbb0175ec523287fb6b202353694d3566292dcd0a3ac39fec994bce1
Instruction Fuzzy Hash: BD11DF32940125FACF226B94DD02BADBAB5EF11722F2042F1FD10B61E197659E14ABD1

Function 00B6CDC8 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000493E0,00000000,?,?,00B6D1EC,00000000,?,?,00B6C672,?,?,?,?,?,00B554A3), ref: 00B6CDDA
GetLastError.KERNEL32(?,?,00B6D1EC,00000000,?,?,00B6C672,?,?,?,?,?,00B554A3,?,?,?), ref: 00B6CDE4
GetExitCodeThread.KERNEL32(?,?,?,?,00B6D1EC,00000000,?,?,00B6C672,?,?,?,?,?,00B554A3,?), ref: 00B6CE20
GetLastError.KERNEL32(?,?,00B6D1EC,00000000,?,?,00B6C672,?,?,?,?,?,00B554A3,?,?,?), ref: 00B6CE2A

Strings

Failed to wait for cache thread to terminate., xrefs: 00B6CE12
Failed to get cache thread exit code., xrefs: 00B6CE58
c:\agent\_work\66\s\src\burn\user\elevation.cpp, xrefs: 00B6CE08, 00B6CE4E

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$c:\agent\_work\66\s\src\burn\user\elevation.cpp
API String ID: 3686190907-1009398494
Opcode ID: 0924c0265bbdc93ebcfc252214bc77324de77e4dee91abb0f514dcc340a93c2a
Instruction ID: 85a7db4f6ba635850a31dd8534d59f45a955bcfdadac979c863fb5fb214e5f82
Opcode Fuzzy Hash: 0924c0265bbdc93ebcfc252214bc77324de77e4dee91abb0f514dcc340a93c2a
Instruction Fuzzy Hash: E7014973A4063163962017949D06B6B7EE4AF01F91B0180E2FE40BB190EB6EED0082D5

Function 00B668AE Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 53synchronizationthreadCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000001,000000FF,00000000,?,00B66DE9,?,?,00000000,crypt32.dll,00000000,00000001), ref: 00B668BB
GetLastError.KERNEL32(?,00B66DE9,?,?,00000000,crypt32.dll,00000000,00000001), ref: 00B668C5
GetExitCodeThread.KERNEL32(00000001,00000000,?,00B66DE9,?,?,00000000,crypt32.dll,00000000,00000001), ref: 00B66904
GetLastError.KERNEL32(?,00B66DE9,?,?,00000000,crypt32.dll,00000000,00000001), ref: 00B6690E

Strings

c:\agent\_work\66\s\src\burn\user\core.cpp, xrefs: 00B668EC, 00B66935
Failed to wait for cache thread to terminate., xrefs: 00B668F6
Failed to get cache thread exit code., xrefs: 00B6693F

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectSingleThreadWait
String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$c:\agent\_work\66\s\src\burn\user\core.cpp
API String ID: 3686190907-4004332966
Opcode ID: 90f2c95fab7ab09ca0b34538611b095c50d91909c729afb1fa6902fb2fb4d884
Instruction ID: 76795fc16fe3c9aa5d1514edad9e6fcb25bba56f9967e7e246998470e1ad2979
Opcode Fuzzy Hash: 90f2c95fab7ab09ca0b34538611b095c50d91909c729afb1fa6902fb2fb4d884
Instruction Fuzzy Hash: 1B118470744216BBEB009F719E12B6E7BE8EB00755F2040E6BD04EA1A0EB7ECF409764

Function 00B6AA79 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 131COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00B554C6,000000FF,00B55482,00B676FC,00B553FA,00000000,?), ref: 00B6AB6A
GetLastError.KERNEL32(00000000,00000000,00000000,00000000,00B554C6,000000FF,00B55482,00B676FC,00B553FA,00000000,?), ref: 00B6ABAE

Part of subcall function 00B69158: _memcmp.LIBVCRUNTIME ref: 00B691E6
Part of subcall function 00B69158: _memcmp.LIBVCRUNTIME ref: 00B69220

Strings

0, xrefs: 00B6AAE6
Failed to get provider state from authenticode certificate., xrefs: 00B6AB98
Failed authenticode verification of payload: %ls, xrefs: 00B6AB4B
Failed to verify expected payload against actual certificate chain., xrefs: 00B6ABF2
c:\agent\_work\66\s\src\burn\user\cache.cpp, xrefs: 00B6AB40, 00B6AB8E, 00B6ABD2
Failed to get signer chain from authenticode certificate., xrefs: 00B6ABDC

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast_memcmp
String ID: 0$Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to verify expected payload against actual certificate chain.$c:\agent\_work\66\s\src\burn\user\cache.cpp
API String ID: 3428363238-3510382728
Opcode ID: 55345b5ab7937cefec3141491fca900482f3fa5372426fe2e56bcea0b1e7de9a
Instruction ID: 12ed68e9379d34771849181106c11f9cd66b1f813f15276bd22c912552390f42
Opcode Fuzzy Hash: 55345b5ab7937cefec3141491fca900482f3fa5372426fe2e56bcea0b1e7de9a
Instruction Fuzzy Hash: 9341C4B2C05229ABDB20DF94C845A9EBBF8EF05710F1501A9F915BB250D7789D048FE5

Function 00B6F618 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 117COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00B6F62D
LeaveCriticalSection.KERNEL32(?), ref: 00B6F73A

Strings

Failed to set source path for container., xrefs: 00B6F71F
user is active, cannot change user state., xrefs: 00B6F647
UX requested unknown payload with id: %ls, xrefs: 00B6F699
Failed to set source path for payload., xrefs: 00B6F6C9
UX denied while trying to set source on embedded payload: %ls, xrefs: 00B6F6AF
UX requested unknown container with id: %ls, xrefs: 00B6F6F9

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: user is active, cannot change user state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
API String ID: 3168844106-4121889706
Opcode ID: 2e801b86f9477d3fd07c02fe1b413f34aa228d5077f7c2021fa98763386da6d2
Instruction ID: 9e8f181be477e1209dae66098c04601686ae9017189e561b5e728e77c977fd94
Opcode Fuzzy Hash: 2e801b86f9477d3fd07c02fe1b413f34aa228d5077f7c2021fa98763386da6d2
Instruction Fuzzy Hash: B931E836A00216BBCB219B68EC46E7A77ECEF55760B1580E6FC04EB350DA78ED00D790

Function 00B5720A Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 98stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000), ref: 00B5721D

Strings

Failed to append characters., xrefs: 00B572A9
[\%c], xrefs: 00B5727C
Failed to format escape sequence., xrefs: 00B572B7
Failed to append escape sequence., xrefs: 00B572B0
Failed to allocate buffer for escaped string., xrefs: 00B57234
[]{}, xrefs: 00B57247
Failed to copy string., xrefs: 00B572D1

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: lstrlen
String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
API String ID: 1659193697-3250950999
Opcode ID: f91e8808c5b87823361d044ec9588b1da77984459087ffdcb06299a1f8dbd0e6
Instruction ID: 70ff6f92a601d42e2377d9d4a5ee75ce6b148783676e3f3dbcff40df23b0d963
Opcode Fuzzy Hash: f91e8808c5b87823361d044ec9588b1da77984459087ffdcb06299a1f8dbd0e6
Instruction Fuzzy Hash: 2921FB32E49215FADF22A694AC42FAE77E8DB02756F2041E6FD00B6150DF759E09D290

Function 00B75954 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 206COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,00B9A500,000000FF,feclient.dll,000000FF,00000000,00000000,?,?,?,00B76548,?,00000001,?,00000000), ref: 00B759BD

Strings

feclient.dll, xrefs: 00B759B3, 00B75ADB
Failed to insert execute action., xrefs: 00B75A12
Failed to copy target product code., xrefs: 00B75AEE
Failed grow array of ordered patches., xrefs: 00B75A56
Failed to plan action for target product., xrefs: 00B75A68

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CompareString
String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.$feclient.dll
API String ID: 1825529933-3477540455
Opcode ID: 97382f2aa1d3f3ca7f4bfd20de9bf757588d076df807ad342a4380788af0946c
Instruction ID: da051675d99b7067be10d095baa152030dc71ed5f5933bff560d4a6b576df1bf
Opcode Fuzzy Hash: 97382f2aa1d3f3ca7f4bfd20de9bf757588d076df807ad342a4380788af0946c
Instruction Fuzzy Hash: 1A8113B560060ADFCB25CF58C880AAA77E5FB08324B1586AAED299B352D770EC11CB50

Function 00B8C3AD Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00B8CB22,00000000,00000000,00000000,00000000,00000000,00B82718), ref: 00B8C3EF
__fassign.LIBCMT ref: 00B8C46A
__fassign.LIBCMT ref: 00B8C485
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00B8C4AB
WriteFile.KERNEL32(?,00000000,00000000,00B8CB22,00000000,?,?,?,?,?,?,?,?,?,00B8CB22,00000000), ref: 00B8C4CA
WriteFile.KERNEL32(?,00000000,00000001,00B8CB22,00000000,?,?,?,?,?,?,?,?,?,00B8CB22,00000000), ref: 00B8C503

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1514dbf7be024f4f784c7560b3966929d9ea24efdeca22cd3dcfa8c3153a6333
Instruction ID: ee6236a256ca8208f759be6f42a6ff0643522fe2266a88bdfa0ff5e92e4fd71d
Opcode Fuzzy Hash: 1514dbf7be024f4f784c7560b3966929d9ea24efdeca22cd3dcfa8c3153a6333
Instruction Fuzzy Hash: BF51A3B19002499FCF10DFA8D896AEEBBF4EF19300F14419AE555E7261E770A941CBA1

Function 00B78FA9 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 149COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,00B6700A,000000B8,0000001C,00000100), ref: 00B78FD4
CompareStringW.KERNEL32(00000000,00000001,?,000000FF,00B9A4B8,000000FF,?,?,?,00B6700A,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 00B7905E

Strings

c:\agent\_work\66\s\src\burn\user\detect.cpp, xrefs: 00B790BE
Failed to initialize update bundle., xrefs: 00B79101
comres.dll, xrefs: 00B790E0
BA aborted detect forward compatible bundle., xrefs: 00B790C8

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CompareString
String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$c:\agent\_work\66\s\src\burn\user\detect.cpp$comres.dll
API String ID: 1825529933-4215571375
Opcode ID: 8b054adc7387a5cdae7ccc79676cadcb30cb16e6c59bb5592642afa236d4ae8a
Instruction ID: 71f4af4129b9417502eb1a2dc441da4f9d63f24338fce1560a01d2dde8f1dec7
Opcode Fuzzy Hash: 8b054adc7387a5cdae7ccc79676cadcb30cb16e6c59bb5592642afa236d4ae8a
Instruction Fuzzy Hash: 09518171610211FFDF159F64CC85EAAB7E6FF05310F1482D8F928AA2A5C772E960DB90

Function 00B8FBC6 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 122COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 00B8FC0A
GetComputerNameW.KERNEL32(?,?), ref: 00B8FC62

Strings

=== Logging started: %ls ===, xrefs: 00B8FC8D
Computer : %ls, xrefs: 00B8FCD0
Executable: %ls v%d.%d.%d.%d, xrefs: 00B8FCBE
--- logging level: %hs ---, xrefs: 00B8FD22

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Name$ComputerFileModule
String ID: --- logging level: %hs ---$=== Logging started: %ls ===$Computer : %ls$Executable: %ls v%d.%d.%d.%d
API String ID: 2577110986-3153207428
Opcode ID: 936466a1dcd2d6814126e95c4064e5b7df386e170e2af09d705295e28be24216
Instruction ID: 0a86cb11591a664c872f634c826790bc633f6085a6384950766932717436b4a9
Opcode Fuzzy Hash: 936466a1dcd2d6814126e95c4064e5b7df386e170e2af09d705295e28be24216
Instruction Fuzzy Hash: B24130B290011DABCB21AF65DD85AFAB7FCEB44304F5041F5FA05A3151DA70AE84CF65

Function 00B6D2BA Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 119COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,?,00000001,00B9A500,?,00000001,000000FF,?,?,7694B390,00000000,00000001,00000000,?,00B673D9), ref: 00B6D3E3

Strings

Failed to create pipe and cache pipe., xrefs: 00B6D340
c:\agent\_work\66\s\src\burn\user\elevation.cpp, xrefs: 00B6D2EE
Failed to elevate., xrefs: 00B6D3C5
UX aborted elevation requirement., xrefs: 00B6D2F8
Failed to create pipe name and client token., xrefs: 00B6D324
Failed to connect to elevated child process., xrefs: 00B6D3CC

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseHandle
String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$c:\agent\_work\66\s\src\burn\user\elevation.cpp
API String ID: 2962429428-2367031576
Opcode ID: de6e3ac7643fb171e30964417383d7e03f30877519c2be942b8bb1e938681eba
Instruction ID: 7ec962733fb8d92ef9bdc1f9508d92442912ddb7e24824bd435654576f05bcb6
Opcode Fuzzy Hash: de6e3ac7643fb171e30964417383d7e03f30877519c2be942b8bb1e938681eba
Instruction Fuzzy Hash: 34318E72F45721BFEB256660DC82FAA63DCEB01720F1042D5F904A73D1DBA9AC0082DA

Function 00B98C74 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 118registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B90823: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,Pi,00000000,?,00B94FE0,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00B90837

RegCloseKey.ADVAPI32(00000001,00000001,crypt32.dll,00000000,00000001,00B9A500,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 00B98D4C
RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,crypt32.dll,00000000,00000001,00B9A500,00000000,00000001,00000000,00020019), ref: 00B98D87
RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000,00000000,crypt32.dll), ref: 00B98DA3
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,crypt32.dll), ref: 00B98DB0
RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000,00000000,crypt32.dll), ref: 00B98DBD

Part of subcall function 00B90886: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00B98D39,00000001), ref: 00B9089E

Strings

crypt32.dll, xrefs: 00B98D30

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Close$InfoOpenQuery
String ID: crypt32.dll
API String ID: 796878624-1661610138
Opcode ID: ba0dcd29b52cce77217f93749e47e85378b9370e67a851b3d0aa5b7b5b2ad1eb
Instruction ID: 45491f3685e1a0cf1a49b01d1327ab1dfb090a53e289102ae847001ce436d3da
Opcode Fuzzy Hash: ba0dcd29b52cce77217f93749e47e85378b9370e67a851b3d0aa5b7b5b2ad1eb
Instruction Fuzzy Hash: DA413972C0122DFFCF11AF949D819ADFAB9EF14750F1241BAEA0077161DB368E509AD0

Function 00B8FDEF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00BBB5D4,00000000,?,?,?,00B64192,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00B55537,?), ref: 00B8FDFF
CreateFileW.KERNEL32(40000000,00000001,00000000,00000000,00000080,00000000,?,00000000,?,?,?,00BBB5CC,?,00B64192,00000000,Setup), ref: 00B8FEA3
GetLastError.KERNEL32(?,00B64192,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00B55537,?,?,?), ref: 00B8FEB3
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00B64192,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00B55537,?), ref: 00B8FEED

Part of subcall function 00B52EBC: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 00B53006

LeaveCriticalSection.KERNEL32(00BBB5D4,?,?,00BBB5CC,?,00B64192,00000000,Setup,_Failed,txt,00000000,00000000,00000000,00000001,00B55537,?), ref: 00B8FF46

Strings

c:\agent\_work\66\s\src\libs\dutil\logutil.cpp, xrefs: 00B8FED2

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
String ID: c:\agent\_work\66\s\src\libs\dutil\logutil.cpp
API String ID: 4111229724-727082060
Opcode ID: 02a1c6a2f0c974cbccaf8d382470b3ccaeb783d2b92d8f96fd56429253c08bd5
Instruction ID: 0623af409b2ed2c819b7fe46823d0938efe739a2dd2f29fd6167b1e74b291452
Opcode Fuzzy Hash: 02a1c6a2f0c974cbccaf8d382470b3ccaeb783d2b92d8f96fd56429253c08bd5
Instruction Fuzzy Hash: BD317F3190122BAFDB21AF609D95EBA3AE9EB11751F1042F5BA00A7171DBF1DD00DBA1

Function 00B90E2F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 116stringregistryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,BundleUpgradeCode), ref: 00B90E6B
lstrlenW.KERNEL32(?,00000002,00000001,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 00B90ECD
lstrlenW.KERNEL32(?), ref: 00B90ED9
RegSetValueExW.ADVAPI32(?,?,00000000,00000007,?,?,00000001,?,?,00000002,00000001,00000000,00000000,BundleUpgradeCode), ref: 00B90F1C

Strings

c:\agent\_work\66\s\src\libs\dutil\regutil.cpp, xrefs: 00B90F44
BundleUpgradeCode, xrefs: 00B90E38

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: lstrlen$Value
String ID: BundleUpgradeCode$c:\agent\_work\66\s\src\libs\dutil\regutil.cpp
API String ID: 198323757-1890108899
Opcode ID: 447db7b5a6667c04cae435ade862334965c96717278a368eb43a1f29c77d12f0
Instruction ID: e2aaf661ee6295b9c570c78f4a8d3925c275d0fc8cecf7326345730e746f08cd
Opcode Fuzzy Hash: 447db7b5a6667c04cae435ade862334965c96717278a368eb43a1f29c77d12f0
Instruction Fuzzy Hash: 00316072D10629AFCF21AF989C85AAEBBF9EF44750F0145E5FD00A7210C770EE118BA0

Function 00B6D0E4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 109threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00B6AC12,00000001,00000000,00000000), ref: 00B6D170
GetLastError.KERNEL32(?,?,?,00B554A3,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B6D17C

Part of subcall function 00B6CDC8: WaitForSingleObject.KERNEL32(?,000493E0,00000000,?,?,00B6D1EC,00000000,?,?,00B6C672,?,?,?,?,?,00B554A3), ref: 00B6CDDA
Part of subcall function 00B6CDC8: GetLastError.KERNEL32(?,?,00B6D1EC,00000000,?,?,00B6C672,?,?,?,?,?,00B554A3,?,?,?), ref: 00B6CDE4

CloseHandle.KERNEL32(00000000,00000000,?,?,00B6C672,?,?,?,?,?,00B554A3,?,?,?,?), ref: 00B6D1FD

Strings

Failed to create elevated cache thread., xrefs: 00B6D1AA
c:\agent\_work\66\s\src\burn\user\elevation.cpp, xrefs: 00B6D1A0
Failed to pump messages in child process., xrefs: 00B6D1D4

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$CloseCreateHandleObjectSingleThreadWait
String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$c:\agent\_work\66\s\src\burn\user\elevation.cpp
API String ID: 3606931770-2334070456
Opcode ID: 72ed429f57b728d4cd1cd7565a30ff66fb5a04b2864310fc694b219598c626e1
Instruction ID: eb114230bdbd4e6b92c9608357b743cb7a0b071f7103ceccf8e130a948010212
Opcode Fuzzy Hash: 72ed429f57b728d4cd1cd7565a30ff66fb5a04b2864310fc694b219598c626e1
Instruction Fuzzy Hash: E741C4B6E05219AF8B05DFA8D9819DEBBF4FF09710B1081AAF908F7310E77499418F90

Function 00B57337 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,00B55966,00000100,00000100,00000000,?,00000001,00000000,00000100), ref: 00B57349
LeaveCriticalSection.KERNEL32(00000000,00000000,00000100,00000000,?,?,?,00B55966,00000100,00000100,00000000,?,00000001,00000000,00000100), ref: 00B57428

Strings

Failed to format value '%ls' of variable: %ls, xrefs: 00B573F2
Failed to get value as string for variable: %ls, xrefs: 00B57417
Failed to get unformatted string., xrefs: 00B573B9
Failed to get variable: %ls, xrefs: 00B5738A
*****, xrefs: 00B573E4, 00B573F1

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
API String ID: 3168844106-2873099529
Opcode ID: 20d373c0ff2200377646f52e5aea9bc92a7d045ac4fe15960fb2cd0227a2329f
Instruction ID: 681b7aa80cc7082051c9952785a825a636f6878a73200f0b5ff243c117660ea3
Opcode Fuzzy Hash: 20d373c0ff2200377646f52e5aea9bc92a7d045ac4fe15960fb2cd0227a2329f
Instruction Fuzzy Hash: DF31B332A84516FBCF226E50EC05F9EBAE5EF04326F1081E5FC0466260DB75AA55DBC0

Function 00B68CC3 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

InitializeAcl.ADVAPI32(?,00000008,00000002,0000001A,?,?,00000000,00000000,?,?,?), ref: 00B68D0E
GetLastError.KERNEL32 ref: 00B68D18
SetFileAttributesW.KERNEL32(?,00000080,?,00000001,20000004,00000000,00000000,?,00000000,00000003,000007D0,?,00000000,00000000,?,?), ref: 00B68D78

Strings

Failed to allocate administrator SID., xrefs: 00B68CF4
c:\agent\_work\66\s\src\burn\user\cache.cpp, xrefs: 00B68D3C
Failed to initialize ACL., xrefs: 00B68D46

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AttributesErrorFileInitializeLast
String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$c:\agent\_work\66\s\src\burn\user\cache.cpp
API String ID: 669721577-4043978521
Opcode ID: 41fe1a9456e8a4d22b09addf722e2b09e8038c310eafcd5c3b18a75e5221f840
Instruction ID: 3ede764aee611c596bf00123254c21da8d6310f56ea3a7ed3cd2a3612640aca0
Opcode Fuzzy Hash: 41fe1a9456e8a4d22b09addf722e2b09e8038c310eafcd5c3b18a75e5221f840
Instruction Fuzzy Hash: EE21EB72E40214B7DB215AD59D45F9EB7E8AF11B50F1141BABE04FB2C0EA789E0486A0

Function 00B54263 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,00B63FAF,00000001,feclient.dll,?,00000000,?,?,?,00B54B57), ref: 00B5429E
GetLastError.KERNEL32(?,?,00B63FAF,00000001,feclient.dll,?,00000000,?,?,?,00B54B57,?,?,00B9A488,?,00000001), ref: 00B542AA
GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,00B63FAF,00000001,feclient.dll,?,00000000,?,?,?,00B54B57,?), ref: 00B542E5
GetLastError.KERNEL32(?,?,00B63FAF,00000001,feclient.dll,?,00000000,?,?,?,00B54B57,?,?,00B9A488,?,00000001), ref: 00B542EF

Strings

crypt32.dll, xrefs: 00B54267
c:\agent\_work\66\s\src\libs\dutil\dirutil.cpp, xrefs: 00B54313

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CurrentDirectoryErrorLast
String ID: c:\agent\_work\66\s\src\libs\dutil\dirutil.cpp$crypt32.dll
API String ID: 152501406-3173697099
Opcode ID: 3a623ed4b93bf9d02f4aca69eeff4d231ba56b6a5f432c6c57ddbb95922c8761
Instruction ID: 5cb3c38c94d91c72e88402e0d4687ff212d254eea90f781521249f6b8f8cd60c
Opcode Fuzzy Hash: 3a623ed4b93bf9d02f4aca69eeff4d231ba56b6a5f432c6c57ddbb95922c8761
Instruction Fuzzy Hash: 23110633E01636A7DB218AD94844B5FB6E8DF02B9AB1101F5FE04F7210EB21DC848AE4

Function 00B70937 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 74fileCOMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00B70987
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B709A6
GetLastError.KERNEL32 ref: 00B709B0

Strings

Failed to write during cabinet extraction., xrefs: 00B709DE
Unexpected call to CabWrite()., xrefs: 00B7096A
c:\agent\_work\66\s\src\burn\user\cabextract.cpp, xrefs: 00B709D4

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorFileLastWrite_memcpy_s
String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$c:\agent\_work\66\s\src\burn\user\cabextract.cpp
API String ID: 1970631241-3210721340
Opcode ID: d258b466822850a6855a6dd519e5e1002d5c96dd3c56b29ce710c9696e70d0b7
Instruction ID: 004320d0ad4a7ac7ad88de54ce925c1077be6657bc23a28a8b32d5bcd452b2da
Opcode Fuzzy Hash: d258b466822850a6855a6dd519e5e1002d5c96dd3c56b29ce710c9696e70d0b7
Instruction Fuzzy Hash: 9121FD76610201EBDB00EF6DD981D5A7BE8EF85724B11819AFF18D7292E671D900CB60

Function 00B59A9F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 72COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00B59AB8
GetFileAttributesW.KERNEL32(00000000,000002C0,?,00000000,00000000,000002C0,00000100,00000000,?,00B5A889,00000100,000002C0,000002C0,00000100), ref: 00B59ACD
GetLastError.KERNEL32(?,00B5A889,00000100,000002C0,000002C0,00000100), ref: 00B59ADA

Strings

Failed to set variable., xrefs: 00B59B3F
Failed to format variable string., xrefs: 00B59AC3
Failed while searching directory search: %ls, for path: %ls, xrefs: 00B59B1A

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AttributesErrorFileLastOpen@16
String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
API String ID: 1811509786-402580132
Opcode ID: 98b3d040e21dd6ed7a63cc689a16e1574975b90b157e44a73afbb5f37e958ee5
Instruction ID: 4c98fbfbf7c2cdbe60f058437ad30a73f8bbe7d49ccf6974bffa8ec59511cbf4
Opcode Fuzzy Hash: 98b3d040e21dd6ed7a63cc689a16e1574975b90b157e44a73afbb5f37e958ee5
Instruction Fuzzy Hash: EF110632A40521FBEF126764ED42FAEBAD5EF01322F2142E5FC01A71A1E7719E04A6D1

Function 00B709FE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00B70A6B
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B70A7D
SetFileTime.KERNEL32(?,?,?,?), ref: 00B70A90
CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00B70660,?,?), ref: 00B70A9F

Strings

c:\agent\_work\66\s\src\burn\user\cabextract.cpp, xrefs: 00B70A3A
Invalid operation for this state., xrefs: 00B70A44

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Time$File$CloseDateHandleLocal
String ID: Invalid operation for this state.$c:\agent\_work\66\s\src\burn\user\cabextract.cpp
API String ID: 609741386-2444813713
Opcode ID: fc8bb2b5325ac7f3f15271e4de06935086f04cc31f67141dc8e73a95327b4e7b
Instruction ID: d65e85d9e44cfed5dc3cc00f7340ab944fc4541b356522f867879992b6a73b99
Opcode Fuzzy Hash: fc8bb2b5325ac7f3f15271e4de06935086f04cc31f67141dc8e73a95327b4e7b
Instruction Fuzzy Hash: F521C37292461AEE8710AFA8CD088AA7BECFE44710B108297F865D75D0D775D910DBD0

Function 00B889AF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B88973: _free.LIBCMT ref: 00B8899C

_free.LIBCMT ref: 00B889FD

Part of subcall function 00B85CE8: HeapFree.KERNEL32(00000000,00000000,?,00B889A1,?,00000000,?,00000000,?,00B889C8,?,00000007,?,?,00B88E2A,?), ref: 00B85CFE
Part of subcall function 00B85CE8: GetLastError.KERNEL32(?,?,00B889A1,?,00000000,?,00000000,?,00B889C8,?,00000007,?,?,00B88E2A,?,?), ref: 00B85D10

_free.LIBCMT ref: 00B88A08
_free.LIBCMT ref: 00B88A13
_free.LIBCMT ref: 00B88A67
_free.LIBCMT ref: 00B88A72
_free.LIBCMT ref: 00B88A7D
_free.LIBCMT ref: 00B88A88

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 48635352fcdb93915df3ba2fc5eddb2e5b53a02fac6a758a8558f49e26154fd7
Instruction ID: 7a8d0152fae1584e393b680f0e4f938e4bd6631b182ef8f2b9a814e986f89832
Opcode Fuzzy Hash: 48635352fcdb93915df3ba2fc5eddb2e5b53a02fac6a758a8558f49e26154fd7
Instruction Fuzzy Hash: 82112671940B04EBDA30BBB1CC06FDB77DCAF00700FC08896B29EA60A2DA65A554DB95

Function 00B645CE Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00B539DF: GetProcessHeap.KERNEL32(?,000001C7,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F0
Part of subcall function 00B539DF: RtlAllocateHeap.NTDLL(00000000,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F7

_memcpy_s.LIBCMT ref: 00B6461F
_memcpy_s.LIBCMT ref: 00B64632
_memcpy_s.LIBCMT ref: 00B6464D

Strings

crypt32.dll, xrefs: 00B64629, 00B64648
Failed to allocate memory for message., xrefs: 00B64608
c:\agent\_work\66\s\src\burn\user\pipe.cpp, xrefs: 00B645FE

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: _memcpy_s$Heap$AllocateProcess
String ID: Failed to allocate memory for message.$c:\agent\_work\66\s\src\burn\user\pipe.cpp$crypt32.dll
API String ID: 886498622-1118502555
Opcode ID: b185f35e81403989cf1768a74be346dfb346b0c02054fae78389b87dcd09efda
Instruction ID: 64dcf27815d5c8628bbf7bd8f6556277880443e670c83d418bf2a7d4f9642e75
Opcode Fuzzy Hash: b185f35e81403989cf1768a74be346dfb346b0c02054fae78389b87dcd09efda
Instruction Fuzzy Hash: 561142B254031ABBDB01EE94CC82DEB73DCEF15B15B00459ABE11DB251E775D61487E0

Function 00B59A0E Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 56COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00B59A85

Strings

Failed to copy condition string from BSTR, xrefs: 00B59A6F
Condition, xrefs: 00B59A20
`Dv, xrefs: 00B59A85
Failed to select condition node., xrefs: 00B59A3C
Failed to get Condition inner text., xrefs: 00B59A55

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: FreeString
String ID: Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.$`Dv
API String ID: 3341692771-1896785106
Opcode ID: cfc2cefb6be1606210726956363959e6c618435431826ca557a6f8562410c5e3
Instruction ID: bda7b18ec2c1819cbad05407b70bc26dcea7f51693d5df7cf38fc6538490aa7e
Opcode Fuzzy Hash: cfc2cefb6be1606210726956363959e6c618435431826ca557a6f8562410c5e3
Instruction Fuzzy Hash: 30115231941224FBDF15AB64DD46BAD7FE4DF01712F1041F5EC01B6160D7719E489BA0

Function 00B567C2 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 55COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00B567FB
GetLastError.KERNEL32 ref: 00B56805

Strings

Failed to set variant value., xrefs: 00B5684F
Failed to get temp path., xrefs: 00B56833
4#v, xrefs: 00B567FB
c:\agent\_work\66\s\src\burn\user\variable.cpp, xrefs: 00B56829

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLastPathTemp
String ID: 4#v$Failed to get temp path.$Failed to set variant value.$c:\agent\_work\66\s\src\burn\user\variable.cpp
API String ID: 1238063741-58216899
Opcode ID: 5266c776c0c2e2ef60934eca3b02c57548b1b714f0e849a68f1ece365c0b37b6
Instruction ID: ab6c7382bb4173d9bd3204d24dce37b8a9d2ccb398be7496ad32db9d61aa4974
Opcode Fuzzy Hash: 5266c776c0c2e2ef60934eca3b02c57548b1b714f0e849a68f1ece365c0b37b6
Instruction Fuzzy Hash: 8A01D672E4123967DB20B764AC06F9E77E89F00711F5141E6BE04F7281EA649D0886D5

Function 00B9038A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00B55EE0,00000000), ref: 00B9039E
GetProcAddress.KERNEL32(00000000), ref: 00B903A5
GetLastError.KERNEL32(?,?,?,00B55EE0,00000000), ref: 00B903BC

Strings

kernel32, xrefs: 00B90396
IsWow64Process, xrefs: 00B9038F
c:\agent\_work\66\s\src\libs\dutil\procutil.cpp, xrefs: 00B903DD

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: IsWow64Process$c:\agent\_work\66\s\src\libs\dutil\procutil.cpp$kernel32
API String ID: 4275029093-3797636953
Opcode ID: 56dd8a1ea979c08afa0e5513b43071e48274e300252a650f191576df12d6d108
Instruction ID: d3be4e13f82933d8fa77d7bb5fbaed49381c07d8b5256c20e1a5898a57cf9d02
Opcode Fuzzy Hash: 56dd8a1ea979c08afa0e5513b43071e48274e300252a650f191576df12d6d108
Instruction Fuzzy Hash: DAF02832A10225AB8B20AB919D09E9F7ED8DB04750B1141A1BD04B7240EAB4DE00C7E5

Function 00B89A87 Relevance: 9.2, APIs: 6, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B82C74,00B82C74,?,?,?,00B89CD8,00000001,00000001,BCE85006), ref: 00B89AE1
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B89CD8,00000001,00000001,BCE85006,?,?,?), ref: 00B89B67
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,BCE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B89C61
__freea.LIBCMT ref: 00B89C6E

Part of subcall function 00B85D22: HeapAlloc.KERNEL32(00000000,?,?,?,00B81782,?,0000015D,?,?,?,?,00B82BDB,000000FF,00000000,?,?), ref: 00B85D54

__freea.LIBCMT ref: 00B89C77
__freea.LIBCMT ref: 00B89C9C

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocHeap
String ID:
API String ID: 3147120248-0
Opcode ID: e49aba2fe442748ce21d6932406a69f0cc5203fa8ecad4d0add829b0219a8da6
Instruction ID: f9fc2722fccf8ccd0a82448d2ff05f9c62ddf48e2f83a02d26e73c0c37819179
Opcode Fuzzy Hash: e49aba2fe442748ce21d6932406a69f0cc5203fa8ecad4d0add829b0219a8da6
Instruction Fuzzy Hash: 9351C172600216ABDF25AF68CC81EBB7BEAEB41750F1946A9FD05D6160EB35DC40CB90

Function 00B68B85 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 121sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,00000000,00000000), ref: 00B68BF1

Strings

Failed to calculate cache path., xrefs: 00B68BAE
per-user, xrefs: 00B68C4B, 00B68C50, 00B68C8B, 00B68C90
Failed to get old %hs package cache root directory., xrefs: 00B68C91
Failed to get %hs package cache root directory., xrefs: 00B68C51
per-machine, xrefs: 00B68C42, 00B68C82

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Sleep
String ID: Failed to calculate cache path.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
API String ID: 3472027048-398165853
Opcode ID: a6462a3bc9e5ae7061d4671add7aa1a8f55a44d5b3743ac951512f77d0b5be9a
Instruction ID: 234635569aa653ccd22d31766fe704b4f0959423441c5bb433fcfc524c4014d5
Opcode Fuzzy Hash: a6462a3bc9e5ae7061d4671add7aa1a8f55a44d5b3743ac951512f77d0b5be9a
Instruction Fuzzy Hash: 91310672A41225BBEB22AA548D86FBF66ECDB01B51F1102E0FD00FB151DE79DE4096B1

Function 00B6E7A7 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 00B6E7D6
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00B6E7E5
SetWindowLongW.USER32(?,000000EB,?), ref: 00B6E7F9
DefWindowProcW.USER32(?,?,?,?), ref: 00B6E809
GetWindowLongW.USER32(?,000000EB), ref: 00B6E823
PostQuitMessage.USER32(00000000), ref: 00B6E882

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: 532bde76aabc40446f2dba52c03dfb0d2922b89c46a8ba16e0903d723080bd43
Instruction ID: 24b5c1b3f798d1c192ae3fbee479eefe2efbf6d8f6d2ad5020c15ad061776743
Opcode Fuzzy Hash: 532bde76aabc40446f2dba52c03dfb0d2922b89c46a8ba16e0903d723080bd43
Instruction Fuzzy Hash: 1821FF36104118BFDB055F68DC48E6B3FA9FF44720F1082A8FA1A9B1A1CB35DD10DBA0

Function 00B85929 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00B812E7,00000000,80004004,?,00B815EB,00000000,80004004,00000000,00000000), ref: 00B8592D
_free.LIBCMT ref: 00B85960
_free.LIBCMT ref: 00B85988
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 00B85995
SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 00B859A1
_abort.LIBCMT ref: 00B859A7

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: acb63ebbbd3f28f5b9bff5e90cf04f06fdf9251b67aa01d9a207ca1df10a5e0e
Instruction ID: cb48c0d7fb4282e48fa3a6869a31f13ab25c1c8e30b202e0e5d22a18d6227669
Opcode Fuzzy Hash: acb63ebbbd3f28f5b9bff5e90cf04f06fdf9251b67aa01d9a207ca1df10a5e0e
Instruction Fuzzy Hash: 2AF0A435144E01A7C6323739AD4AF2A25D9DBC1B71BA501D5F418E31B1EE65C841C766

Function 00B6C672 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 164synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?), ref: 00B6C6BA
CloseHandle.KERNEL32(?), ref: 00B6C6C2

Strings

Unexpected elevated message sent to child process, msg: %u, xrefs: 00B6C86D
c:\agent\_work\66\s\src\burn\user\elevation.cpp, xrefs: 00B6C861
Failed to save state., xrefs: 00B6C73A

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseHandleMutexRelease
String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$c:\agent\_work\66\s\src\burn\user\elevation.cpp
API String ID: 4207627910-1654385460
Opcode ID: 96ed914625300b1897088b9a1beb4fa44c2242023f86ba99a4ef16c1d5f23854
Instruction ID: 796bb15e662246ed19791145c0c8b25b849a290440e08b65ce7c99007f6ae903
Opcode Fuzzy Hash: 96ed914625300b1897088b9a1beb4fa44c2242023f86ba99a4ef16c1d5f23854
Instruction Fuzzy Hash: D4618C7A100610EFCB225F84C941C65BFE2FF18710715C5A9FAAA9B632C736E961EB41

Function 00B972DE Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 00B539DF: GetProcessHeap.KERNEL32(?,000001C7,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F0
Part of subcall function 00B539DF: RtlAllocateHeap.NTDLL(00000000,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F7

SysFreeString.OLEAUT32(00000000), ref: 00B9743B
SysFreeString.OLEAUT32(00000000), ref: 00B97446
SysFreeString.OLEAUT32(00000000), ref: 00B97451

Strings

`Dv, xrefs: 00B97430
c:\agent\_work\66\s\src\libs\dutil\atomutil.cpp, xrefs: 00B97311

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: `Dv$c:\agent\_work\66\s\src\libs\dutil\atomutil.cpp
API String ID: 2724874077-3473096540
Opcode ID: db678c9e5d93d73bf47683eb2a7f3d7052f727b4579cfb2450d0ea375161c7d8
Instruction ID: c08da365864577753ce0c6522447e85109bc29bff1034c39a7fd95391bc4ba22
Opcode Fuzzy Hash: db678c9e5d93d73bf47683eb2a7f3d7052f727b4579cfb2450d0ea375161c7d8
Instruction Fuzzy Hash: 48515C31A5522AABDF11DF64C845EAEBBF8EF04754F1141E8E901AB351DB70EE05CBA0

Function 00B90AB4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 147registrystringCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 00B90ADC
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,00B66FDF,00000100,000000B0,00000088,00000410,000002C0), ref: 00B90B13
lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 00B90C05

Strings

c:\agent\_work\66\s\src\libs\dutil\regutil.cpp, xrefs: 00B90B56
BundleUpgradeCode, xrefs: 00B90ABB

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: QueryValue$lstrlen
String ID: BundleUpgradeCode$c:\agent\_work\66\s\src\libs\dutil\regutil.cpp
API String ID: 3790715954-1890108899
Opcode ID: 02cdfd90d96b78936d399b68ed7e20bc8b0b10e2308e0dcb11d5bbe39eef3bbe
Instruction ID: 93ce3fc4dccc1470fe8ba52cf322ea170bf9c2c11091a42a3cb19c7cc2db4773
Opcode Fuzzy Hash: 02cdfd90d96b78936d399b68ed7e20bc8b0b10e2308e0dcb11d5bbe39eef3bbe
Instruction Fuzzy Hash: DD418235A1021AAFCF21EF58C885AAEB7F9EF04714F1581FAED01AB211D670DD01CBA0

Function 00B95B40 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B9412E: SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,00B68651,00000000,00000000,00000000,00000000,00000000), ref: 00B94146
Part of subcall function 00B9412E: GetLastError.KERNEL32(?,?,?,00B68651,00000000,00000000,00000000,00000000,00000000), ref: 00B94150

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00B953FE,?,?,?,?,?,?,?,00010000,?), ref: 00B95BA9
WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,00B953FE,?,?,?,?), ref: 00B95BFB
GetLastError.KERNEL32(?,00B953FE,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 00B95C41
GetLastError.KERNEL32(?,00B953FE,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 00B95C67

Strings

c:\agent\_work\66\s\src\libs\dutil\dlutil.cpp, xrefs: 00B95C8B

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorFileLast$Write$Pointer
String ID: c:\agent\_work\66\s\src\libs\dutil\dlutil.cpp
API String ID: 133221148-16760509
Opcode ID: a500bafa4f00e8ec67978776f3c285cb422056ead3f9876bdb8981e560dd3a57
Instruction ID: 7e143db2e02462ca4ac090b422ba537762bd12d19f2ca2ba1a7271da18d955b3
Opcode Fuzzy Hash: a500bafa4f00e8ec67978776f3c285cb422056ead3f9876bdb8981e560dd3a57
Instruction Fuzzy Hash: 94418C7298072ABFEF228E94CD44BAA7BB8EF04351F1441B5BD00A6190D774DD50DBA0

Function 00B5252E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,00B8F8C7,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00B8F8C7,00B71074,?,00000000), ref: 00B52574
GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00B8F8C7,00B71074,?,00000000,0000FDE9,?,00B71074), ref: 00B52580

Part of subcall function 00B53C5F: GetProcessHeap.KERNEL32(00000000,000001C7,?,00B522D5,000001C7,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B53C67
Part of subcall function 00B53C5F: HeapSize.KERNEL32(00000000,?,00B522D5,000001C7,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B53C6E

Strings

c:\agent\_work\66\s\src\libs\dutil\strutil.cpp, xrefs: 00B525A4

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: c:\agent\_work\66\s\src\libs\dutil\strutil.cpp
API String ID: 3662877508-792799584
Opcode ID: 348d4f30138eaf402435c61da7f475f0cb8a895f21976d4c28f76ff4347e0b46
Instruction ID: bf63ebacf31d53f164bc6cb60355ab963efeb947a7adf72eaac926e9dbf82526
Opcode Fuzzy Hash: 348d4f30138eaf402435c61da7f475f0cb8a895f21976d4c28f76ff4347e0b46
Instruction Fuzzy Hash: 2A315B70202216AFEB159F249CD0F7633D9EB677A6B1042E9FE119B290FB71DC089760

Function 00B93A14 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,00B93B62,00000003,00000001,00000001,000007D0,00000003,00000000,?,00B69F39,00000001), ref: 00B93A32
GetLastError.KERNEL32(00000002,?,00B93B62,00000003,00000001,00000001,000007D0,00000003,00000000,?,00B69F39,00000001,000007D0,00000001,00000001,00000003), ref: 00B93A41
MoveFileExW.KERNEL32(00000003,00000001,00000000,00000001,00000000,?,00B93B62,00000003,00000001,00000001,000007D0,00000003,00000000,?,00B69F39,00000001), ref: 00B93ADA
GetLastError.KERNEL32(?,00B93B62,00000003,00000001,00000001,000007D0,00000003,00000000,?,00B69F39,00000001,000007D0,00000001,00000001,00000003,000007D0), ref: 00B93AE4

Part of subcall function 00B93C72: FindFirstFileW.KERNEL32(00B78F6B,?,00000100,00000000,00000000), ref: 00B93CAD
Part of subcall function 00B93C72: FindClose.KERNEL32(00000000), ref: 00B93CB9

Strings

c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp, xrefs: 00B93B03

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: File$ErrorFindLastMove$CloseFirst
String ID: c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp
API String ID: 3479031965-1688708105
Opcode ID: 0f7808db149243a94491d5fa9bc57174c7a51dc8f4bad120eceec8e2358bda12
Instruction ID: 35335391349305439c9d08b02d9fc4e0f971f77ccb07f08b6ccc56083e96e9f4
Opcode Fuzzy Hash: 0f7808db149243a94491d5fa9bc57174c7a51dc8f4bad120eceec8e2358bda12
Instruction Fuzzy Hash: 4C313337A00226ABDF214E588C81B7F76D5EF90FA1F1641B6FD44AB290D7708E4283D0

Function 00B7AA41 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,?,000000FF,?,00000000,?,?,?,00000000,00000000,?,?,00000000), ref: 00B7AAB0

Strings

Failed to extract all payloads from container: %ls, xrefs: 00B7AAF4
Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 00B7AB45
Failed to extract payload: %ls from container: %ls, xrefs: 00B7AB39
Failed to open container: %ls., xrefs: 00B7AA82

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CompareString
String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
API String ID: 1825529933-3891707333
Opcode ID: 252494b45f7b24c8cb7a779901609b1ac5f474444fc78bc1cd5936714733eb04
Instruction ID: 92818cc16a2a2712a8e76940460f654bf2bd44029a9d38478d471160379f4487
Opcode Fuzzy Hash: 252494b45f7b24c8cb7a779901609b1ac5f474444fc78bc1cd5936714733eb04
Instruction Fuzzy Hash: 2A31B232C00216BBCF51AAE4CD82E9E77E9AF44711F108191F925B72A1E7309A19DB91

Function 00B971DB Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00B539DF: GetProcessHeap.KERNEL32(?,000001C7,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F0
Part of subcall function 00B539DF: RtlAllocateHeap.NTDLL(00000000,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F7

SysFreeString.OLEAUT32(00000000), ref: 00B972BE
SysFreeString.OLEAUT32(?), ref: 00B972C9
SysFreeString.OLEAUT32(00000000), ref: 00B972D4

Strings

`Dv, xrefs: 00B972B3
c:\agent\_work\66\s\src\libs\dutil\atomutil.cpp, xrefs: 00B97208

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: FreeString$Heap$AllocateProcess
String ID: `Dv$c:\agent\_work\66\s\src\libs\dutil\atomutil.cpp
API String ID: 2724874077-3473096540
Opcode ID: 9ed3c22a325713188cf90dd4ba15b1ce054c3282b77694df5680b10ce3fcc0d2
Instruction ID: 2333d6d70a8b750a860715606d181c09a7ab0d104ce31a43e679df31f79728ca
Opcode Fuzzy Hash: 9ed3c22a325713188cf90dd4ba15b1ce054c3282b77694df5680b10ce3fcc0d2
Instruction Fuzzy Hash: C9319232D65629BBDF129B94C845F9EB7E8AF41B50F1141F5F900BB250DB709D058BA0

Function 00B93B71 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B93C72: FindFirstFileW.KERNEL32(00B78F6B,?,00000100,00000000,00000000), ref: 00B93CAD
Part of subcall function 00B93C72: FindClose.KERNEL32(00000000), ref: 00B93CB9

RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll,?,crypt32.dll,?,?,?,00000000), ref: 00B93C64

Part of subcall function 00B90823: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,Pi,00000000,?,00B94FE0,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00B90837

Part of subcall function 00B90AB4: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 00B90ADC
Part of subcall function 00B90AB4: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,00B66FDF,00000100,000000B0,00000088,00000410,000002C0), ref: 00B90B13

Strings

crypt32.dll, xrefs: 00B93B9C
\, xrefs: 00B93BED
SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00B93BA3
PendingFileRenameOperations, xrefs: 00B93BCF

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseFindQueryValue$FileFirstOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
API String ID: 3397690329-3978359083
Opcode ID: 09d4c7fd811f49ff1fe4390ac3ea1fb1d6124af891f9315ec05a5e4b09d8fe83
Instruction ID: cdd47034f7482165a86a59455607828de0be09e99b9406c3bf869971d74c2af6
Opcode Fuzzy Hash: 09d4c7fd811f49ff1fe4390ac3ea1fb1d6124af891f9315ec05a5e4b09d8fe83
Instruction Fuzzy Hash: 4C318931A00B19ABDF21AF94CD85AAEBBF9EB04F51F5480FAE901B6151D771DB80CB50

Function 00B5EFB7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 94registryCOMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(0000007F,00000000,00000001,000000FF,?,000000FF,00000001,PackageVersion,00000001,?,00B605EB,00000001,00000001,00000001,00B605EB,00000000), ref: 00B5F02F
RegCloseKey.ADVAPI32(00000000,00000001,PackageVersion,00000001,?,00B605EB,00000001,00000001,00000001,00B605EB,00000000,00000001,00000000,?,00B605EB,00000001), ref: 00B5F04C

Strings

Failed to remove update registration key: %ls, xrefs: 00B5F077
Failed to format key for update registration., xrefs: 00B5EFE5
PackageVersion, xrefs: 00B5F010

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseCompareString
String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
API String ID: 446873843-3222553582
Opcode ID: 508d0742bcda67c864d907b769f5b4c3d7fad72ee3ca767236d82f535ad31c10
Instruction ID: 7e389e79e8fa16021d1c7eaa2ae3ed35353795f1e9c67f8091c191b750ca7cc4
Opcode Fuzzy Hash: 508d0742bcda67c864d907b769f5b4c3d7fad72ee3ca767236d82f535ad31c10
Instruction Fuzzy Hash: BA21B431D00226BACF21AFA8CD49BBEBEF8DF45761F1841F1BC10A2191E7308E04CA90

Function 00B93843 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(00000000,00B54DFD,00000000,?,?,00000000,?,00B9395E,00000000,00B54DFD,00000000,00000000,?,00B684D1,?,?), ref: 00B9385D
GetLastError.KERNEL32(?,00B9395E,00000000,00B54DFD,00000000,00000000,?,00B684D1,?,?,00000001,00000003,000007D0,?,?,?), ref: 00B9386B
CopyFileW.KERNEL32(00000000,00B54DFD,00000000,00B54DFD,00000000,?,00B9395E,00000000,00B54DFD,00000000,00000000,?,00B684D1,?,?,00000001), ref: 00B938DD
GetLastError.KERNEL32(?,00B9395E,00000000,00B54DFD,00000000,00000000,?,00B684D1,?,?,00000001,00000003,000007D0,?,?,?), ref: 00B938E7

Strings

c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp, xrefs: 00B93906

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CopyErrorFileLast
String ID: c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp
API String ID: 374144340-1688708105
Opcode ID: 467ca0ea21aedef1431d7f38c81816a20b802b701f7db26dbb99ee362cd79fdd
Instruction ID: 4ff3041a5a70996aea52d817b91fe97285665b6422ab585fb61c5c8b365c5be2
Opcode Fuzzy Hash: 467ca0ea21aedef1431d7f38c81816a20b802b701f7db26dbb99ee362cd79fdd
Instruction Fuzzy Hash: 3321FB37B0063297DF201BA59CC0B7766D8EF54F60B1541B6FD09EB250EAA5CE4153D2

Function 00B5EECF Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00B5EF0A

Part of subcall function 00B93984: SetFileAttributesW.KERNEL32(00B78F6B,00000080,00000000,00B78F6B,000000FF,00000000,?,?,00B78F6B), ref: 00B939B3
Part of subcall function 00B93984: GetLastError.KERNEL32(?,?,00B78F6B), ref: 00B939BD

Part of subcall function 00B53CF7: RemoveDirectoryW.KERNEL32(00000001,00000000,00000000,00000000,?,?,00B5EF55,00000001,00000000,00000095,00000001,00B605FA,00000095,00000000,swidtag,00000001), ref: 00B53D14

Strings

swidtag, xrefs: 00B5EF19
Failed to format tag folder path., xrefs: 00B5EF77
Failed to allocate regid folder path., xrefs: 00B5EF70
Failed to allocate regid file path., xrefs: 00B5EF69

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AttributesDirectoryErrorFileLastOpen@16Remove
String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to format tag folder path.$swidtag
API String ID: 1428973842-4170906717
Opcode ID: 594d9f193cdd7576b8b899afea1c7d8b75ac77a0ba6016a3108de241e0442dd4
Instruction ID: 08ea74ce16b3ea1d370d24d412bf86e80e39761df3ced0e6f51e439c4493ce8d
Opcode Fuzzy Hash: 594d9f193cdd7576b8b899afea1c7d8b75ac77a0ba6016a3108de241e0442dd4
Instruction Fuzzy Hash: 89216731904218BBDB09EB98C842B9DBBF5EF48711F1080E5A824AA261DB71AE45DB90

Function 00B78AF2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 85registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B90823: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,Pi,00000000,?,00B94FE0,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00B90837

CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,?,000000FF,00000000,00000000,00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4), ref: 00B78B76
RegCloseKey.ADVAPI32(00000000,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,00000000,00000100,00000100,000001B4,?,?,?,00B5F782,00000001,00000100,000001B4,00000000), ref: 00B78BC4

Strings

Failed to open uninstall registry key., xrefs: 00B78B39
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00B78B13
Failed to enumerate uninstall key for related bundles., xrefs: 00B78BD3

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseCompareOpenString
String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 2817536665-2531018330
Opcode ID: 1edc86a7383a4c18e523ead63d384dcd2e48191488655cccfd75bee3953344c6
Instruction ID: 7aa959de8f7a195eefe25146010eaadfe505b485f4edc9c83a7ef405aa9cbde4
Opcode Fuzzy Hash: 1edc86a7383a4c18e523ead63d384dcd2e48191488655cccfd75bee3953344c6
Instruction Fuzzy Hash: 7921E772950118FFDF116B94CC89FEDBAF9EB01320F1482E4F424761A0CB364E90D690

Function 00B7CF33 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 79synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00B539DF: GetProcessHeap.KERNEL32(?,000001C7,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F0
Part of subcall function 00B539DF: RtlAllocateHeap.NTDLL(00000000,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F7

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B7CFC8
ReleaseMutex.KERNEL32(?), ref: 00B7CFF6
SetEvent.KERNEL32(?), ref: 00B7CFFF

Strings

c:\agent\_work\66\s\src\burn\user\netfxchainer.cpp, xrefs: 00B7CF6D
Failed to allocate buffer., xrefs: 00B7CF77

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate buffer.$c:\agent\_work\66\s\src\burn\user\netfxchainer.cpp
API String ID: 944053411-3017045536
Opcode ID: 84b56e40a11fba9f22de1506e12716396d50480f6bcdcf29059d82892b59a5e2
Instruction ID: fb6a9f01d30aa37c886b5a76e394300344a15bc60a276d83d1e83647d5f893c8
Opcode Fuzzy Hash: 84b56e40a11fba9f22de1506e12716396d50480f6bcdcf29059d82892b59a5e2
Instruction Fuzzy Hash: 5221FEB0600206BFDB009F68D884A99BBF5FF48310F10C6A9F965AB361C771E954CBA0

Function 00B95100 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?,00000001,00000000,?,?,00B76879,00000000,?), ref: 00B95116
GetLastError.KERNEL32(?,?,00B76879,00000000,?,?,?,?,?,?,?,?,?,00B76C89,?,?), ref: 00B95124

Part of subcall function 00B539DF: GetProcessHeap.KERNEL32(?,000001C7,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F0
Part of subcall function 00B539DF: RtlAllocateHeap.NTDLL(00000000,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F7

QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?,?,00000001,?,?,00B76879,00000000,?), ref: 00B9515E
GetLastError.KERNEL32(?,?,00B76879,00000000,?,?,?,?,?,?,?,?,?,00B76C89,?,?), ref: 00B95168

Strings

c:\agent\_work\66\s\src\libs\dutil\svcutil.cpp, xrefs: 00B95147, 00B95189

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ConfigErrorHeapLastQueryService$AllocateProcess
String ID: c:\agent\_work\66\s\src\libs\dutil\svcutil.cpp
API String ID: 355237494-2416947055
Opcode ID: 18bfe1e7771049e91a5f5763bd885cfeff82258665dada50d768e4008e93c8fe
Instruction ID: e44d0da3ad045fbaa59a83df39d2ae3a00093b1bf99db7dd725e3a1e338f2fd9
Opcode Fuzzy Hash: 18bfe1e7771049e91a5f5763bd885cfeff82258665dada50d768e4008e93c8fe
Instruction Fuzzy Hash: 78215B37981935B7DF325A558D05F9B6AE9DF40FA0F1100E5BD00BB250E6B4CD0097E0

Function 00B92AB1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00B92AC4
VariantInit.OLEAUT32(?), ref: 00B92AD0
VariantClear.OLEAUT32(?), ref: 00B92B44
SysFreeString.OLEAUT32(00000000), ref: 00B92B4F

Part of subcall function 00B92CFC: SysAllocString.OLEAUT32(?), ref: 00B92D11

Strings

`Dv, xrefs: 00B92B4F

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: String$AllocVariant$ClearFreeInit
String ID: `Dv
API String ID: 347726874-3059127152
Opcode ID: 567ad1dd5f5ff30fb5969380b210883f30d5455599082cff142ed891ae74e065
Instruction ID: 0c8c12e5aae020f597dc11fc7aa1bb296768ca99e25ac98e744b5841aa69e4a3
Opcode Fuzzy Hash: 567ad1dd5f5ff30fb5969380b210883f30d5455599082cff142ed891ae74e065
Instruction Fuzzy Hash: 79211A71E01219ABCF15DFA4D948EAEBBF8FF44715F1541A8E9019B220DB30DE05CB90

Function 00B597FE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00B5988D

Strings

Failed to read next symbol., xrefs: 00B598A9
Failed to find variable., xrefs: 00B5987A
Failed to parse condition '%ls' at position: %u, xrefs: 00B5983F
c:\agent\_work\66\s\src\burn\user\condition.cpp, xrefs: 00B5982F, 00B59870

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: _memcpy_s
String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$c:\agent\_work\66\s\src\burn\user\condition.cpp
API String ID: 2001391462-1451669575
Opcode ID: 3dc9f950d92bd3352c02d5a0e66ae7813d6ef30e986d1fce9c386851e6ba42bb
Instruction ID: 9b4fda5f136afb9159f274fec72c4c5efa30d90b584616d042d12fc946a1fbcb
Opcode Fuzzy Hash: 3dc9f950d92bd3352c02d5a0e66ae7813d6ef30e986d1fce9c386851e6ba42bb
Instruction Fuzzy Hash: E4112E33550310B7DF297E68DD46F573EC5EB56791F0001E0FD04692A2CA62E91883E0

Function 00B649FF Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 67fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00B9A500,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,00B65322), ref: 00B64A4B

Strings

Failed to allocate message to write., xrefs: 00B64A2A
Failed to write message type to pipe., xrefs: 00B64A8D
c:\agent\_work\66\s\src\burn\user\pipe.cpp, xrefs: 00B64A83

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: FileWrite
String ID: Failed to allocate message to write.$Failed to write message type to pipe.$c:\agent\_work\66\s\src\burn\user\pipe.cpp
API String ID: 3934441357-221464841
Opcode ID: 9fec857277131777b966bcef732fc16aa878cf5b73a0e8db522fa443768d10e5
Instruction ID: 4bc9339c1b6ad29299212900b771fd469ac6648d88722bf0ac629793224e5c7a
Opcode Fuzzy Hash: 9fec857277131777b966bcef732fc16aa878cf5b73a0e8db522fa443768d10e5
Instruction Fuzzy Hash: 7311AF7298062ABBCB21DF94DD05A9E7AE9EF40750F1100D5B900B6250EB349E40D7A4

Function 00B59DDA Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 67COMMON

Download Yara Rule

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00B59DFC

Strings

Failed to set variable., xrefs: 00B59E5B
Failed to format path string., xrefs: 00B59E07
File search: %ls, did not find path: %ls, xrefs: 00B59E67
Failed get file version., xrefs: 00B59E3C

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Open@16
String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
API String ID: 3613110473-2458530209
Opcode ID: 22aa99ba4927dfccaf818622bda433764433cb6afc67939ed46afb3571add4bc
Instruction ID: 852db11931e7b7bfdbe02d64490ab5e07a50ae5ea6fbe9408276c62081ebc3cb
Opcode Fuzzy Hash: 22aa99ba4927dfccaf818622bda433764433cb6afc67939ed46afb3571add4bc
Instruction Fuzzy Hash: 14119332D00129FADF02AB94DC82EAEBBE8EF04351B1041E5FD00B6221D7719E18A7D0

Function 00B680F6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00B539DF: GetProcessHeap.KERNEL32(?,000001C7,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F0
Part of subcall function 00B539DF: RtlAllocateHeap.NTDLL(00000000,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F7

CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,00B68CEE,0000001A,?,?,00000000,00000000), ref: 00B6813F
GetLastError.KERNEL32(?,?,00B68CEE,0000001A,?,?,00000000,00000000,?,?,?), ref: 00B68149

Strings

Failed to create well known SID., xrefs: 00B68177
c:\agent\_work\66\s\src\burn\user\cache.cpp, xrefs: 00B6811D, 00B6816D
Failed to allocate memory for well known SID., xrefs: 00B68127

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Heap$AllocateCreateErrorKnownLastProcessWell
String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$c:\agent\_work\66\s\src\burn\user\cache.cpp
API String ID: 2186923214-2807399336
Opcode ID: 440893f9da902d144ca3c3947e2f72c4c8dd8abd256344563529f3b6a0fcf0a1
Instruction ID: 54974c39846f7ccafe0e7500cb75db880e0efe6b2ef2ca1ecf79ea042aba8319
Opcode Fuzzy Hash: 440893f9da902d144ca3c3947e2f72c4c8dd8abd256344563529f3b6a0fcf0a1
Instruction Fuzzy Hash: 02014877501225BBD62066509C07F5F5AE8CF42FA1F2101E6BE00BB290ED688E4182E0

Function 00B7DA54 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 00B7DA82
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B7DAAC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00B7DC7A,00000000,?,?,?,00000000,00000000), ref: 00B7DAB4

Strings

c:\agent\_work\66\s\src\burn\user\bitsuser.cpp, xrefs: 00B7DAD8
Failed while waiting for download., xrefs: 00B7DAE2

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLastMessageMultipleObjectsPeekWait
String ID: Failed while waiting for download.$c:\agent\_work\66\s\src\burn\user\bitsuser.cpp
API String ID: 435350009-842194682
Opcode ID: a3bfd45cc8886856d503b3dc30b2cdb908a64e748958dd8cac1ab7cb94c090e3
Instruction ID: b6eaba8308023e5210fab40509b758814c3e6ce71e237bf8bd298b6034926667
Opcode Fuzzy Hash: a3bfd45cc8886856d503b3dc30b2cdb908a64e748958dd8cac1ab7cb94c090e3
Instruction Fuzzy Hash: 0B01E573A4923577D7209AA89D49EEB7BF8EF057A0F0081A5FF09F7191DA64990082E4

Function 00B934C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00B9351B
GetLastError.KERNEL32 ref: 00B93525
CloseHandle.KERNEL32(?), ref: 00B93558

Strings

c:\agent\_work\66\s\src\libs\dutil\shelutil.cpp, xrefs: 00B93546
<, xrefs: 00B9350D

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseErrorExecuteHandleLastShell
String ID: <$c:\agent\_work\66\s\src\libs\dutil\shelutil.cpp
API String ID: 3023784893-2029215639
Opcode ID: fa695ffcad1ae0103f06e6779f087f97ed36cfa19d2c83e6887a94164afde264
Instruction ID: 9366c5a44369359d6900da67b8a914de91b75551f2583076c342a7421472c3c2
Opcode Fuzzy Hash: fa695ffcad1ae0103f06e6779f087f97ed36cfa19d2c83e6887a94164afde264
Instruction Fuzzy Hash: 2321B7B5E11229ABCF10CF99D944ADEBBF8BF18B50F11816AF915E7340E7749A008F90

Function 00B55F5A Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000010), ref: 00B55F88
GetLastError.KERNEL32 ref: 00B55F92

Strings

Failed to set variant value., xrefs: 00B55FD9
Failed to get computer name., xrefs: 00B55FC0
c:\agent\_work\66\s\src\burn\user\variable.cpp, xrefs: 00B55FB6

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ComputerErrorLastName
String ID: Failed to get computer name.$Failed to set variant value.$c:\agent\_work\66\s\src\burn\user\variable.cpp
API String ID: 3560734967-833936685
Opcode ID: 68260bd679e6f95f9bf6a87dd982de80f637adf760e38a01abfa47ab36c82c0f
Instruction ID: f289d503e077e766f993c335d3c97cb9e8ccaeaf468ff5aed67c79f739d03b2f
Opcode Fuzzy Hash: 68260bd679e6f95f9bf6a87dd982de80f637adf760e38a01abfa47ab36c82c0f
Instruction Fuzzy Hash: FC01E933A056286BDB20A6659D11FDE77E8AF08711F5100E6FD00F7280DA74ED0887E1

Function 00B55EC2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 00B55ED4

Part of subcall function 00B9038A: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00B55EE0,00000000), ref: 00B9039E
Part of subcall function 00B9038A: GetProcAddress.KERNEL32(00000000), ref: 00B903A5
Part of subcall function 00B9038A: GetLastError.KERNEL32(?,?,?,00B55EE0,00000000), ref: 00B903BC

Part of subcall function 00B93578: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00B935A5

Strings

Failed to set variant value., xrefs: 00B55F38
Failed to get shell folder., xrefs: 00B55F08
c:\agent\_work\66\s\src\burn\user\variable.cpp, xrefs: 00B55EFE
Failed to get 64-bit folder., xrefs: 00B55F1E

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$c:\agent\_work\66\s\src\burn\user\variable.cpp
API String ID: 2084161155-2957518125
Opcode ID: babc6e8e7c891870be05581c0b241592b7cbc1a37566b8645ebe6a7caa3b1e86
Instruction ID: 76035e8835aa829f745c2037a9f32c605cfae214f3adbc3113b06e7115e8331e
Opcode Fuzzy Hash: babc6e8e7c891870be05581c0b241592b7cbc1a37566b8645ebe6a7caa3b1e86
Instruction Fuzzy Hash: B401A131914728BBDF22B7A0DC16F9E7AE8DB01753F1080E0BC00B61A0DB749A089794

Function 00B902EC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,00B54F5D,?,000000FF,?,?,?,?,?,00000000,?,?,?), ref: 00B902F8
GetLastError.KERNEL32(?,00B54F5D,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00B90306
GetExitCodeProcess.KERNEL32(000000FF,?), ref: 00B9034B
GetLastError.KERNEL32(?,00B54F5D,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00B90355

Strings

c:\agent\_work\66\s\src\libs\dutil\procutil.cpp, xrefs: 00B9032A

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$CodeExitObjectProcessSingleWait
String ID: c:\agent\_work\66\s\src\libs\dutil\procutil.cpp
API String ID: 590199018-2457365779
Opcode ID: 9b722aa6469a72afa8d6fc31d8f5a58563aa738ee3f37cc6fe1250f807c8efaa
Instruction ID: ee279c941314dad0e8589a820280a9c39b917d2d1c719982f7097736e14bf759
Opcode Fuzzy Hash: 9b722aa6469a72afa8d6fc31d8f5a58563aa738ee3f37cc6fe1250f807c8efaa
Instruction Fuzzy Hash: 9B01C437958136ABCF206B959D08A9E7AD5EF087B0F1281B1FD54AF250D6358C009AD9

Function 00B93984 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B93C72: FindFirstFileW.KERNEL32(00B78F6B,?,00000100,00000000,00000000), ref: 00B93CAD
Part of subcall function 00B93C72: FindClose.KERNEL32(00000000), ref: 00B93CB9

SetFileAttributesW.KERNEL32(00B78F6B,00000080,00000000,00B78F6B,000000FF,00000000,?,?,00B78F6B), ref: 00B939B3
GetLastError.KERNEL32(?,?,00B78F6B), ref: 00B939BD
DeleteFileW.KERNEL32(00B78F6B,00000000,00B78F6B,000000FF,00000000,?,?,00B78F6B), ref: 00B939DD
GetLastError.KERNEL32(?,?,00B78F6B), ref: 00B939E7

Strings

c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp, xrefs: 00B93A02

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
String ID: c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp
API String ID: 3967264933-1688708105
Opcode ID: 903bcf5c3bb7f8ca84753f014fb0e39fe100ccd28beeed3722e70b6b28a5177e
Instruction ID: 81407bc14a439f2aa1128d2987a83b62bfa4f4ecbfb76a0b13f29962f849debe
Opcode Fuzzy Hash: 903bcf5c3bb7f8ca84753f014fb0e39fe100ccd28beeed3722e70b6b28a5177e
Instruction Fuzzy Hash: BA01D632A01635A7CF2147658D05B5F7ED8EF02F91F0142A1FD46FA190D665CE0085E1

Function 00B7D6C3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00B7D6D8
LeaveCriticalSection.KERNEL32(?), ref: 00B7D71D
SetEvent.KERNEL32(?,?,?,?), ref: 00B7D731

Strings

Failed to get state during job modification., xrefs: 00B7D6F1
Failure while sending progress during BITS job modification., xrefs: 00B7D70C

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
API String ID: 3094578987-1258544340
Opcode ID: 6b4ec7451734bb3bb8cd7bd6b50b71c54990d6d31681b7e0587a8db1202a2a37
Instruction ID: 5b6b608ec83c3f2781955253b73ea76a426ec017a091393708defcbbb2265578
Opcode Fuzzy Hash: 6b4ec7451734bb3bb8cd7bd6b50b71c54990d6d31681b7e0587a8db1202a2a37
Instruction Fuzzy Hash: 4301F132A00626BBCB01AF55D8899AEB7F8FF05364B008296F818E7210DB30ED04C7E1

Function 00B7D4AA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,00B7DC04,?,?,?,?,?,00000000,00000000,?), ref: 00B7D4C4
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00B7DC04,?,?,?,?,?,00000000,00000000,?), ref: 00B7D4CF
GetLastError.KERNEL32(?,00B7DC04,?,?,?,?,?,00000000,00000000,?), ref: 00B7D4DC

Strings

c:\agent\_work\66\s\src\burn\user\bitsuser.cpp, xrefs: 00B7D500
Failed to create BITS job complete event., xrefs: 00B7D50A

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CreateCriticalErrorEventInitializeLastSection
String ID: Failed to create BITS job complete event.$c:\agent\_work\66\s\src\burn\user\bitsuser.cpp
API String ID: 3069647169-683598956
Opcode ID: d8b377c61fa993bbaa208a04ee44ce607b4b8ce1a07754d3251ebb3811178bbc
Instruction ID: 6a099af13d2239d3aec43e564a39ced5348b84727b7021cc945f8a1844a4826f
Opcode Fuzzy Hash: d8b377c61fa993bbaa208a04ee44ce607b4b8ce1a07754d3251ebb3811178bbc
Instruction Fuzzy Hash: B801B1B6541633ABC3109F59D905A86BFE8FF06760B008166FD08E7750EB74E800CBE4

Function 00B7D936 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,00B7DAA2), ref: 00B7D94A
LeaveCriticalSection.KERNEL32(00000008,?,00B7DAA2), ref: 00B7D98F
SetEvent.KERNEL32(?,?,00B7DAA2), ref: 00B7D9A3

Strings

Failure while sending progress., xrefs: 00B7D97E
Failed to get BITS job state., xrefs: 00B7D963

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalSection$EnterEventLeave
String ID: Failed to get BITS job state.$Failure while sending progress.
API String ID: 3094578987-2876445054
Opcode ID: fc07e429eb1c71ec2acbc5bf491f47356aa12651cb52b0906d2afcce515440c2
Instruction ID: 663363fc872ff82007a8ff20948307edd9314e6fd37530e841fb9d124df09e87
Opcode Fuzzy Hash: fc07e429eb1c71ec2acbc5bf491f47356aa12651cb52b0906d2afcce515440c2
Instruction Fuzzy Hash: F9012432601621BFCB02AB55D849DAEFBF8FF06760B0082A6F509E3250DB30E904C7D5

Function 00B5D461 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00B66F37,000000B8,00000000,?,00000000,7694B390), ref: 00B5D470
InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 00B5D47F
LeaveCriticalSection.KERNEL32(000000D0,?,00B66F37,000000B8,00000000,?,00000000,7694B390), ref: 00B5D494

Strings

user active cannot be changed because it was already in that state., xrefs: 00B5D4B7
c:\agent\_work\66\s\src\burn\user\userexperience.cpp, xrefs: 00B5D4AD

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
String ID: user active cannot be changed because it was already in that state.$c:\agent\_work\66\s\src\burn\user\userexperience.cpp
API String ID: 3376869089-1173769119
Opcode ID: 60a2266d045c64204d8441cceb75e578f814785918776f507e871c988b0c5592
Instruction ID: 76599faeb369e7c452a384e31e1873ded03f35f43fb13788f88c75ab4a35243d
Opcode Fuzzy Hash: 60a2266d045c64204d8441cceb75e578f814785918776f507e871c988b0c5592
Instruction Fuzzy Hash: 64F0AF763002056F9B20AFA6EC84EA773FCFB9676270044BAF905D3250DA74F80887A0

Function 00B91511 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 00B9153C
GetLastError.KERNEL32(?,00B54A21,00000001,?,?,00B5459E,?,?,?,?,00B554A3,?,?,?,?), ref: 00B9154B

Strings

c:\agent\_work\66\s\src\libs\dutil\srputil.cpp, xrefs: 00B9156C
srclient.dll, xrefs: 00B9151A
SRSetRestorePointW, xrefs: 00B91531

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: SRSetRestorePointW$c:\agent\_work\66\s\src\libs\dutil\srputil.cpp$srclient.dll
API String ID: 199729137-2605395416
Opcode ID: ae6c559eb26838a52a3c012d089d552b3b2e29a2c168176c48dc5715db2d200c
Instruction ID: cf3ab043c30ac62b4bb4538c6bad0e35b173679e503de648cc3dc12ba731c8d4
Opcode Fuzzy Hash: ae6c559eb26838a52a3c012d089d552b3b2e29a2c168176c48dc5715db2d200c
Instruction Fuzzy Hash: 8C01DB7394063353CF31179C6809F6969D48BA0B60F0346F1FE03AB261EAD4CC44E6D2

Function 00B84189 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B8413A,00000000,?,00B840DA,00000000,00BB7908,0000000C,00B84231,00000000,00000002), ref: 00B841A9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B841BC
FreeLibrary.KERNEL32(00000000,?,?,?,00B8413A,00000000,?,00B840DA,00000000,00BB7908,0000000C,00B84231,00000000,00000002), ref: 00B841DF

Strings

CorExitProcess, xrefs: 00B841B4
mscoree.dll, xrefs: 00B841A2

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b0b746ee65d2fcdffd08c4f8353c4050274a670cf43ad958be91a2b17f28929b
Instruction ID: 3f2ef4911f5fd7833b78855f628c9a820c4cae495927d2f794b66ae98a980bf6
Opcode Fuzzy Hash: b0b746ee65d2fcdffd08c4f8353c4050274a670cf43ad958be91a2b17f28929b
Instruction Fuzzy Hash: E2F03C71A10219BBCB11ABA0DC09BAEBFB4EB04751F1041A9F806A3160DF718A84CB91

Function 00B84682 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B846F4
_free.LIBCMT ref: 00B84714

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 736dbf370e442669b02f5571870742a426ed4d5d0432ff479d807308f861425d
Instruction ID: 297633736ce3e1addec54004784e71a8924d95b275f09b083848f62769563317
Opcode Fuzzy Hash: 736dbf370e442669b02f5571870742a426ed4d5d0432ff479d807308f861425d
Instruction Fuzzy Hash: 5A41B236A002049FCB24EF79C881A5DB7E5EF89714F6545E9E515EB3A1EB31ED01CB80

Function 00B522B5 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B522FB
GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B52307

Part of subcall function 00B53C5F: GetProcessHeap.KERNEL32(00000000,000001C7,?,00B522D5,000001C7,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B53C67
Part of subcall function 00B53C5F: HeapSize.KERNEL32(00000000,?,00B522D5,000001C7,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B53C6E

Strings

c:\agent\_work\66\s\src\libs\dutil\strutil.cpp, xrefs: 00B5232B

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
String ID: c:\agent\_work\66\s\src\libs\dutil\strutil.cpp
API String ID: 3662877508-792799584
Opcode ID: 5ca8762b277f7d285c36e1fb5ab06bfc604e710c6975a5d9742f648e846ee3fe
Instruction ID: 1fa3613574ec37c3bd4a98994ce103bee2b8c5894e2df38aa6d90e0ff90c56f2
Opcode Fuzzy Hash: 5ca8762b277f7d285c36e1fb5ab06bfc604e710c6975a5d9742f648e846ee3fe
Instruction Fuzzy Hash: F8311C32502125AFDB209F65CC84B6A3BD5EF07766B1142E5FD15AB290E779CC08C7D4

Function 00B589E8 Relevance: 7.6, APIs: 5, Instructions: 117stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00B58BA7,00B596F4,?,00B596F4,?,?,00B596F4,?,?), ref: 00B58A08
lstrlenW.KERNEL32(?,?,00000000,00000000,?,?,00B58BA7,00B596F4,?,00B596F4,?,?,00B596F4,?,?), ref: 00B58A10
CompareStringW.KERNEL32(0000007F,?,?,?,?,00000000,?,00000000,00000000,?,?,00B58BA7,00B596F4,?,00B596F4,?), ref: 00B58A5F
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00B58BA7,00B596F4,?,00B596F4,?), ref: 00B58AC1
CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,00000000,00000000,?,?,00B58BA7,00B596F4,?,00B596F4,?), ref: 00B58AEE

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CompareString$lstrlen
String ID:
API String ID: 1657112622-0
Opcode ID: d02f09f6839578f7924cac5de2f5a771c6c71e944ff6b73a75a83aa28b78463c
Instruction ID: 966e5ee8148ec3b0fc0bb3739633d74b28f218313afe0cb9d3aecae04bf5ad90
Opcode Fuzzy Hash: d02f09f6839578f7924cac5de2f5a771c6c71e944ff6b73a75a83aa28b78463c
Instruction Fuzzy Hash: FE319772601118BFDF168F58CD84BAE3FAAEF49351F148496FD09A7110CA758D94DBA0

Function 00B859AD Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000100,00000000,00B8372D,00B53CE2,80004005,00000000,?,c:\agent\_work\66\s\src\burn\user\cabextract.cpp,000001C7), ref: 00B859B2
_free.LIBCMT ref: 00B859E7
_free.LIBCMT ref: 00B85A0E
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00B85A1B
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 00B85A24

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 15aee1fd6632a99bf41367ed0109c75a1dbd1329f4bcb9e2d5516356c649af9b
Instruction ID: ed6de9c44c7ddf06240aed576c9fcbab9e99210509d577305cc6a354e593d1b1
Opcode Fuzzy Hash: 15aee1fd6632a99bf41367ed0109c75a1dbd1329f4bcb9e2d5516356c649af9b
Instruction Fuzzy Hash: E801F476240E01ABC636BB35ADC6D6B25D9EBC177077102A6F415A31B2EEB4CC41C7A1

Function 00B574BE Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00B553FA,WixBundleOriginalSource,?,?,00B6A50A,840F01E8,WixBundleOriginalSource,?,P-,?,00000000,00B55482,00000001,?,?,00B55482), ref: 00B574CA
LeaveCriticalSection.KERNEL32(00B553FA,00B553FA,00000000,00000000,?,?,00B6A50A,840F01E8,WixBundleOriginalSource,?,P-,?,00000000,00B55482,00000001,?), ref: 00B57531

Strings

Failed to get value as string for variable: %ls, xrefs: 00B57520
WixBundleOriginalSource, xrefs: 00B574C6
Failed to get value of variable: %ls, xrefs: 00B57504

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
API String ID: 3168844106-30613933
Opcode ID: 5339a8397c02a8ce939b425bc031dd92e4bf86d4d69887006aaec74de5cbb040
Instruction ID: b50f86e6d1de77c29998492a49da03db7a718dcf375b4ce40056bfa8798de8ff
Opcode Fuzzy Hash: 5339a8397c02a8ce939b425bc031dd92e4bf86d4d69887006aaec74de5cbb040
Instruction Fuzzy Hash: E6019E32A84128ABCF126F50EC09B8E7AA5EB10722F1080E0FD04AA220DA35DE1497D1

Function 00B7CE2C Relevance: 7.5, APIs: 5, Instructions: 41fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,?,00000000,?,00B7CE24,00000000), ref: 00B7CE47
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,00B7CE24,00000000), ref: 00B7CE53
CloseHandle.KERNEL32(00B9A518,00000000,?,00000000,?,00B7CE24,00000000), ref: 00B7CE60
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,00B7CE24,00000000), ref: 00B7CE6D
UnmapViewOfFile.KERNEL32(00B9A4E8,00000000,?,00B7CE24,00000000), ref: 00B7CE7C

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID:
API String ID: 260491571-0
Opcode ID: 23beb44ca882f3edfc7130f4a744b936844394372ee885e136ae3d06994b5782
Instruction ID: 606ed6d6e1ad86ba332645e2959741e777c5a61298e1c7a6d0fefa1ac43b5eaf
Opcode Fuzzy Hash: 23beb44ca882f3edfc7130f4a744b936844394372ee885e136ae3d06994b5782
Instruction Fuzzy Hash: 9301F632401B15DFCB316F66D880817FBE9EF60711315C97EE5AA62920C771B850DF80

Function 00B8890A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B88922

Part of subcall function 00B85CE8: HeapFree.KERNEL32(00000000,00000000,?,00B889A1,?,00000000,?,00000000,?,00B889C8,?,00000007,?,?,00B88E2A,?), ref: 00B85CFE
Part of subcall function 00B85CE8: GetLastError.KERNEL32(?,?,00B889A1,?,00000000,?,00000000,?,00B889C8,?,00000007,?,?,00B88E2A,?,?), ref: 00B85D10

_free.LIBCMT ref: 00B88934
_free.LIBCMT ref: 00B88946
_free.LIBCMT ref: 00B88958
_free.LIBCMT ref: 00B8896A

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 158be7eca0b20f7c5f8a28fe68886a374dfc1554a1b4d73f7c77fd5fc0451e8b
Instruction ID: 234f9e82a9630a9a2b340e3932d4e8cec92c2dd5a5a07c9fc265e2c47746287a
Opcode Fuzzy Hash: 158be7eca0b20f7c5f8a28fe68886a374dfc1554a1b4d73f7c77fd5fc0451e8b
Instruction Fuzzy Hash: 74F0E732948604ABC630FB6AE986C2A73EDFA007207E41885F048D7521CE70FC80CF66

Function 00B848D1 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B848EF

Part of subcall function 00B85CE8: HeapFree.KERNEL32(00000000,00000000,?,00B889A1,?,00000000,?,00000000,?,00B889C8,?,00000007,?,?,00B88E2A,?), ref: 00B85CFE
Part of subcall function 00B85CE8: GetLastError.KERNEL32(?,?,00B889A1,?,00000000,?,00000000,?,00B889C8,?,00000007,?,?,00B88E2A,?,?), ref: 00B85D10

_free.LIBCMT ref: 00B84901
_free.LIBCMT ref: 00B84914
_free.LIBCMT ref: 00B84925
_free.LIBCMT ref: 00B84936

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5ecdb1c946f401689504f9d8e8985d9dc686678bad4b07302254063b686f7b62
Instruction ID: 4ec8d29b355484e3b6963d22102cb8b6c222f8dd49311348379c8bbf0b004a4e
Opcode Fuzzy Hash: 5ecdb1c946f401689504f9d8e8985d9dc686678bad4b07302254063b686f7b62
Instruction Fuzzy Hash: A6F012B0811A218FCA257B19FC128083BE4FB2472038503AAF021A3270CFE109A1CF85

Function 00B97ED3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 00B97FE0
GetLastError.KERNEL32 ref: 00B97FEA

Strings

clbcatq.dll, xrefs: 00B97EF1, 00B97EFC
c:\agent\_work\66\s\src\libs\dutil\timeutil.cpp, xrefs: 00B9800E

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Time$ErrorFileLastSystem
String ID: c:\agent\_work\66\s\src\libs\dutil\timeutil.cpp$clbcatq.dll
API String ID: 2781989572-2453645868
Opcode ID: bf3dcf4ca81193ade05f23f1d7264860230f2f4855b84c16ff45f70d8e9265df
Instruction ID: aa8b65faf252c96527c058be94d49871b535971fc5aca14a9e49b6ba110f798b
Opcode Fuzzy Hash: bf3dcf4ca81193ade05f23f1d7264860230f2f4855b84c16ff45f70d8e9265df
Instruction Fuzzy Hash: A7410936E9824666DF24ABB48C49BBE77F4EF41700F1440B9B901B7190DE75CE44C7A1

Function 00B92F2C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(000002C0), ref: 00B92F46
SysAllocString.OLEAUT32(?), ref: 00B92F56
VariantClear.OLEAUT32(?), ref: 00B93035

Strings

c:\agent\_work\66\s\src\libs\dutil\xmlutil.cpp, xrefs: 00B92F6E

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Variant$AllocClearInitString
String ID: c:\agent\_work\66\s\src\libs\dutil\xmlutil.cpp
API String ID: 2213243845-3017383397
Opcode ID: ec12ec0000ae5370464e5a9b9f67105d05136b2c5a9454abdc358132d6ae12e3
Instruction ID: f2088e1d52ffa67c7253755f2495370bddd8438d74e3573ec15db0593884fec5
Opcode Fuzzy Hash: ec12ec0000ae5370464e5a9b9f67105d05136b2c5a9454abdc358132d6ae12e3
Instruction Fuzzy Hash: 59415E75D00265ABCF11AFA48888FAEBBE8AF05B50B0541F5FD05AB215DA35DE408BA1

Function 00B90708 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,00B78B57), ref: 00B90763
RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00B78B57,00000000), ref: 00B90781
RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,00B78B57,00000000,00000000,00000000), ref: 00B907D7

Strings

c:\agent\_work\66\s\src\libs\dutil\regutil.cpp, xrefs: 00B907A7

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Enum$InfoQuery
String ID: c:\agent\_work\66\s\src\libs\dutil\regutil.cpp
API String ID: 73471667-3237223240
Opcode ID: 786c944ad7b4bd130c284c995a30b295e4b7ddae4daeedafe9f241ecb5015c56
Instruction ID: f0d7b4f100a84879928c20aed724d1e2405101c2766e2b7522fafeddc5123e6d
Opcode Fuzzy Hash: 786c944ad7b4bd130c284c995a30b295e4b7ddae4daeedafe9f241ecb5015c56
Instruction Fuzzy Hash: 9D316176911129FFEF11AAD4CD85EAFB7ECEF047A4F1181F5BD01A7110D6749E009AA0

Function 00B839BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\adguard\setup.exe,00000104), ref: 00B839F8
_free.LIBCMT ref: 00B83AC3
_free.LIBCMT ref: 00B83ACD

Strings

C:\Users\user\AppData\Local\Temp\adguard\setup.exe, xrefs: 00B839EF, 00B839F6, 00B83A25, 00B83A5D

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\adguard\setup.exe
API String ID: 2506810119-2376143095
Opcode ID: d375dc29c6bafb2c0df9c168cffc727c87932ea43dc93e95c564dc7e50d49783
Instruction ID: 05baa89c8b15177e0d05cce32fa26ce6094186f4c84dafac60db5c178d41a492
Opcode Fuzzy Hash: d375dc29c6bafb2c0df9c168cffc727c87932ea43dc93e95c564dc7e50d49783
Instruction Fuzzy Hash: E3316271A00218AFDB25EF99DC85D9EBBFCEB85F10B1441A6E44597221DBB18F40CB50

Function 00B98B19 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B985F6: lstrlenW.KERNEL32(00000100,?,?,?,00B98996,000002C0,00000100,00000100,00000100,?,?,?,00B77AD3,?,?,000001BC), ref: 00B9861B

RegCloseKey.ADVAPI32(00000000,00000000,crypt32.dll,00000000,00000000,00000000,00000000,crypt32.dll), ref: 00B98BFE
RegCloseKey.ADVAPI32(00000001,00000000,crypt32.dll,00000000,00000000,00000000,00000000,crypt32.dll), ref: 00B98C18

Part of subcall function 00B904A5: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,00B605B1,?,00000000,00020006), ref: 00B904CA

Part of subcall function 00B90D87: RegSetValueExW.ADVAPI32(00020006,00B9FF38,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,00B5F2DF,00000000,?,00020006), ref: 00B90DBA

Part of subcall function 00B90D87: RegDeleteValueW.ADVAPI32(00020006,00B9FF38,00000000,?,?,00B5F2DF,00000000,?,00020006,?,00B9FF38,00020006,00000000,?,?,?), ref: 00B90DEA

Part of subcall function 00B90D39: RegSetValueExW.ADVAPI32(?,00000005,00000000,00000004,?,00000004,00000001,?,00B5F237,00B9FF38,Resume,00000005,?,00000000,00000000,00000000), ref: 00B90D4E

Strings

crypt32.dll, xrefs: 00B98B27
%ls\%ls, xrefs: 00B98B7A

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Value$Close$CreateDeletelstrlen
String ID: %ls\%ls$crypt32.dll
API String ID: 3924016894-1754266218
Opcode ID: f7630d8750eba852049d5aa790c2d7f35fbcbb9456799b5445657264f25c21ac
Instruction ID: 02daeec3416be73f2f1a18a3fbf44d9319c5f78f5a1eb785342c86ad679ff8b3
Opcode Fuzzy Hash: f7630d8750eba852049d5aa790c2d7f35fbcbb9456799b5445657264f25c21ac
Instruction Fuzzy Hash: 6D3119B2C0112AFFCF12AFD5DD8099EBBB9EF05750B1541B6E900B2121DB319E51EBA0

Function 00B78857 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 75registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B90823: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,Pi,00000000,?,00B94FE0,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00B90837

RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,00B78B93,00000000,00000000), ref: 00B78914

Strings

Failed to initialize package from related bundle id: %ls, xrefs: 00B788FA
Failed to open uninstall key for potential related bundle: %ls, xrefs: 00B78883
Failed to ensure there is space for related bundles., xrefs: 00B788C7

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
API String ID: 47109696-1717420724
Opcode ID: 1808568f615da0200cb1d48363759b6870307ffbeff173c91a7921091192f249
Instruction ID: 72c91dba52f8a9de3b9a3934a89016299f9e061bb20944a92576cf8024843a36
Opcode Fuzzy Hash: 1808568f615da0200cb1d48363759b6870307ffbeff173c91a7921091192f249
Instruction Fuzzy Hash: 5821867294021AFBDF129E44DC49BFE7BF4EF04750F1080A5F915A5160DB719A10EB91

Function 00B53BA1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,80004005,00000000,00000000,00000100,?,00B5146A,00000000,80004005,00000000,80004005,00000000,000001C7,?,00B513B0), ref: 00B53BBF
HeapReAlloc.KERNEL32(00000000,?,00B5146A,00000000,80004005,00000000,80004005,00000000,000001C7,?,00B513B0,000001C7,00000100,?,80004005,00000000), ref: 00B53BC6

Part of subcall function 00B539DF: GetProcessHeap.KERNEL32(?,000001C7,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F0
Part of subcall function 00B539DF: RtlAllocateHeap.NTDLL(00000000,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F7

Part of subcall function 00B53C5F: GetProcessHeap.KERNEL32(00000000,000001C7,?,00B522D5,000001C7,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B53C67
Part of subcall function 00B53C5F: HeapSize.KERNEL32(00000000,?,00B522D5,000001C7,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B53C6E

_memcpy_s.LIBCMT ref: 00B53C12

Strings

c:\agent\_work\66\s\src\libs\dutil\memutil.cpp, xrefs: 00B53C53

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Heap$Process$AllocAllocateSize_memcpy_s
String ID: c:\agent\_work\66\s\src\libs\dutil\memutil.cpp
API String ID: 3406509257-1758765531
Opcode ID: 650641902a97a5f04c111407dc2db1e3b262950e37142dc70ee54460f377b616
Instruction ID: e0d80da9d75ec7ba253ba8d658ac9d6429463171f7ec9ce89441561e50561043
Opcode Fuzzy Hash: 650641902a97a5f04c111407dc2db1e3b262950e37142dc70ee54460f377b616
Instruction Fuzzy Hash: B9112431500258ABCF126E689D85B6E3ACADF40FE2B0446D1FC14AB361C636CF2893A0

Function 00B98109 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69timeCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00B9814D
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00B98175
GetLastError.KERNEL32 ref: 00B9817F

Strings

c:\agent\_work\66\s\src\libs\dutil\inetutil.cpp, xrefs: 00B981A0

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLastTime$FileSystem
String ID: c:\agent\_work\66\s\src\libs\dutil\inetutil.cpp
API String ID: 1528435940-2024166147
Opcode ID: 7bd87a4f6da5422627ee6e88a09b137648f67d1a317bbebc52cb11799e470dda
Instruction ID: 85f9868b79b765b133bc520873ea0008a18e5c362b00567b6080ce8bc32bd701
Opcode Fuzzy Hash: 7bd87a4f6da5422627ee6e88a09b137648f67d1a317bbebc52cb11799e470dda
Instruction Fuzzy Hash: 9511E973D01139ABDB20DBA5CD44BAFB7E8EF09790F120165AE01F7150EA24DD0486E1

Function 00B9002E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(00B71074,00000000,00000000,?,?,?,00B8F8EB,00B71074,00B71074,?,00000000,0000FDE9,?,00B71074,8007139F,Invalid operation for this state.), ref: 00B90040
WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,?,00000000,?,?,00B8F8EB,00B71074,00B71074,?,00000000,0000FDE9,?,00B71074,8007139F), ref: 00B9007C
GetLastError.KERNEL32(?,?,00B8F8EB,00B71074,00B71074,?,00000000,0000FDE9,?,00B71074,8007139F,Invalid operation for this state.,c:\agent\_work\66\s\src\burn\user\cabextract.cpp,000001C7,8007139F), ref: 00B90086

Strings

c:\agent\_work\66\s\src\libs\dutil\logutil.cpp, xrefs: 00B900B7

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: c:\agent\_work\66\s\src\libs\dutil\logutil.cpp
API String ID: 606256338-727082060
Opcode ID: 1b507dcb2e9bc243df0032ec82033ffbda5df74bd861db83ab9e4fc695c7b413
Instruction ID: 5a07560154f6d9bbb51fd5b41b75fa4636cfcb0e17fc78f9d8d7260e9f9365ce
Opcode Fuzzy Hash: 1b507dcb2e9bc243df0032ec82033ffbda5df74bd861db83ab9e4fc695c7b413
Instruction Fuzzy Hash: 7011C672A11238AFCB20AA759D44FEF7AEDEB417A0F1143A5FD01E7240DEA09D4086E1

Function 00B51206 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00B5527C,00000000,?), ref: 00B51244
GetLastError.KERNEL32(?,?,?,00B5527C,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00B5124E

Strings

c:\agent\_work\66\s\src\libs\dutil\apputil.cpp, xrefs: 00B5126F
ignored , xrefs: 00B51213

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ArgvCommandErrorLastLine
String ID: c:\agent\_work\66\s\src\libs\dutil\apputil.cpp$ignored
API String ID: 3459693003-1283515844
Opcode ID: f630351d56050b3b5700b1adbafffd83f6afec6dbfed69b6ab6a02539858d731
Instruction ID: a82167d831b799d05aba0762a213bd59daf74712b109549eebe53d7f29d87b31
Opcode Fuzzy Hash: f630351d56050b3b5700b1adbafffd83f6afec6dbfed69b6ab6a02539858d731
Instruction Fuzzy Hash: 8F119A76901229BB8B21DB99D945F9EBBE8EF44B51F0144E5BD04EB210EB71DE048AE0

Function 00B8F6FD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00000900,?,?,00000000,00000000,00000000,?,00000000,?,?,00B8FDC0,?,?,?,?,00000001), ref: 00B8F71C
GetLastError.KERNEL32(?,00B8FDC0,?,?,?,?,00000001,?,00B55651,?,?,00000000,?,?,00B553D2,00000002), ref: 00B8F728
LocalFree.KERNEL32(00000000,?,?,00000000,?,?,00B8FDC0,?,?,?,?,00000001,?,00B55651,?,?), ref: 00B8F791

Strings

c:\agent\_work\66\s\src\libs\dutil\logutil.cpp, xrefs: 00B8F747

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: c:\agent\_work\66\s\src\libs\dutil\logutil.cpp
API String ID: 1365068426-727082060
Opcode ID: 3f65921ef2b2dafe10171b5eae4ad4cd9753a07381d9fb0bc859e3f60d828cc1
Instruction ID: 51f1a5f40c9e06ffe7709a95de0e84bc75c02609747a2c9801247fd4fb911327
Opcode Fuzzy Hash: 3f65921ef2b2dafe10171b5eae4ad4cd9753a07381d9fb0bc859e3f60d828cc1
Instruction Fuzzy Hash: 5B11C13A600126FBEF21AF90CD05EFE7AA9EF54750F1180A9FD00A6170DB308E50D7A1

Function 00B7CE8D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000000,762330D0,?,?,00B7D0C2,00000000,00000000,00000000,00000000), ref: 00B7CE9D
ReleaseMutex.KERNEL32(?,?,00B7D0C2,00000000,00000000,00000000,00000000), ref: 00B7CF24

Part of subcall function 00B539DF: GetProcessHeap.KERNEL32(?,000001C7,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F0
Part of subcall function 00B539DF: RtlAllocateHeap.NTDLL(00000000,?,00B5237C,?,00000001,80004005,8007139F,?,?,00B8FB39,8007139F,?,00000000,00000000,8007139F), ref: 00B539F7

Strings

c:\agent\_work\66\s\src\burn\user\netfxchainer.cpp, xrefs: 00B7CEE2
Failed to allocate memory for message data, xrefs: 00B7CEEC

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait
String ID: Failed to allocate memory for message data$c:\agent\_work\66\s\src\burn\user\netfxchainer.cpp
API String ID: 2993511968-3819074818
Opcode ID: c4960059c240207bae9fe0d66e27166d153272ce15db533a1ebf5e5c45235be4
Instruction ID: aa98a376b7da884e26b1ee68faa884e7d70a3fa214bd495874eec95bc19bcefd
Opcode Fuzzy Hash: c4960059c240207bae9fe0d66e27166d153272ce15db533a1ebf5e5c45235be4
Instruction Fuzzy Hash: 7911E3B1300216AFC7059F68EC91E6ABBF5FF09720B1081B9F9199B361C731AC10CBA4

Function 00B945C9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(002E0032,40000000,00000001,00000000,00000002,00000080,00000000,00B60458,00000000,?,00B5F49C,00B9A500,00000080,002E0032,00000000), ref: 00B945E1
GetLastError.KERNEL32(?,00B5F49C,00B9A500,00000080,002E0032,00000000,?,00B60458,crypt32.dll,00000094,?,?,?,?,?,00000000), ref: 00B945EE
CloseHandle.KERNEL32(00000000,00000000,00B9A500,00B5F49C,?,00B5F49C,00B9A500,00000080,002E0032,00000000,?,00B60458,crypt32.dll,00000094), ref: 00B94642

Strings

c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp, xrefs: 00B94612

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp
API String ID: 2528220319-1688708105
Opcode ID: f8516a02733cbefdad1f365fa71524259ddca4f02932ace5e256223c07d05d85
Instruction ID: d358bd7ee9c5cce78ce12eada5493b36342297aaee8f3e53b5365340e69f289c
Opcode Fuzzy Hash: f8516a02733cbefdad1f365fa71524259ddca4f02932ace5e256223c07d05d85
Instruction Fuzzy Hash: BA01D47364152567DF210E699C05F5A3AE49B42BB0F1242E1FF20BB2E0CB618C1296E5

Function 00B94199 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,00B789B4,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 00B941CD
GetLastError.KERNEL32(?,00B789B4,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,userVersion,000002C0,000000B0), ref: 00B941DA

Strings

c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp, xrefs: 00B941AE, 00B941FE

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp
API String ID: 1214770103-1688708105
Opcode ID: e25aff7272e010b6344b8c7555fa8516769d7fed9be19727bd937a34bf0defab
Instruction ID: bd0eeba9456fc1a3583111a348013a6275c26eacf092ba2d753c46679824eaf1
Opcode Fuzzy Hash: e25aff7272e010b6344b8c7555fa8516769d7fed9be19727bd937a34bf0defab
Instruction Fuzzy Hash: 4901DB33690531B7DA3117949D19F7A3ED8EB11BA1F1141E1FF047B1D1C7A94D0152E5

Function 00B606B6 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B90823: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,Pi,00000000,?,00B94FE0,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00B90837

RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000), ref: 00B60726

Strings

Failed to update name and publisher., xrefs: 00B60710
Failed to update resume mode., xrefs: 00B606F7
Failed to open registration key., xrefs: 00B606DD

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to open registration key.$Failed to update name and publisher.$Failed to update resume mode.
API String ID: 47109696-1865096027
Opcode ID: b8c6d3cd9ac719c70da6f3c65897c28a3f98410f83da573c3f2e6fc62a8187c7
Instruction ID: ba6656381b317c2864c4c06d353149c99ea2eaea9dc2c6ceddac2b0f5a9685c3
Opcode Fuzzy Hash: b8c6d3cd9ac719c70da6f3c65897c28a3f98410f83da573c3f2e6fc62a8187c7
Instruction Fuzzy Hash: C301D832964629F7CF127A95DC41FAFB7E5AB41754F1040D1F900B6191D774AE10ABD0

Function 00B93183 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00B931C8
SysFreeString.OLEAUT32(00000000), ref: 00B931FB

Strings

c:\agent\_work\66\s\src\libs\dutil\xmlutil.cpp, xrefs: 00B93199, 00B931DF
`Dv, xrefs: 00B931FB

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: String$AllocFree
String ID: `Dv$c:\agent\_work\66\s\src\libs\dutil\xmlutil.cpp
API String ID: 344208780-3615271265
Opcode ID: 26e6af01137ce26496c736715d2949cc8f4cace18b018eb4da261138bfec78fb
Instruction ID: 98fc6279b6610c814e8cda83190dcfa6d39a8382fb4f66ff88e4d0624903f70e
Opcode Fuzzy Hash: 26e6af01137ce26496c736715d2949cc8f4cace18b018eb4da261138bfec78fb
Instruction Fuzzy Hash: 4401D671244225ABEF201A654D08FBA36E9DF51FA1F1540F6FD04F7360CAB8CE049695

Function 00B93209 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00B9324E
SysFreeString.OLEAUT32(00000000), ref: 00B93281

Strings

c:\agent\_work\66\s\src\libs\dutil\xmlutil.cpp, xrefs: 00B9321F, 00B93265
`Dv, xrefs: 00B93281

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: String$AllocFree
String ID: `Dv$c:\agent\_work\66\s\src\libs\dutil\xmlutil.cpp
API String ID: 344208780-3615271265
Opcode ID: c06ebcf7313ba4916b25c91bb514964f05cf604d75d26307bbaa68fa17a36fcb
Instruction ID: 0545a0953c316efb177fe5188f1c951fea466c1688249da5f116ab83b0bc1fa3
Opcode Fuzzy Hash: c06ebcf7313ba4916b25c91bb514964f05cf604d75d26307bbaa68fa17a36fcb
Instruction Fuzzy Hash: 9D01AD31644216BBEF206BA89C08F7A36D8DF51FA1F1001F9FD08AB350CAB8CE004691

Function 00B76951 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48serviceCOMMON

Download Yara Rule

APIs

ControlService.ADVAPI32(00B76865,00000001,?,00000001,00000000,?,?,?,?,?,?,00B76865,00000000), ref: 00B76979
GetLastError.KERNEL32(?,?,?,?,?,?,00B76865,00000000), ref: 00B76983

Strings

c:\agent\_work\66\s\src\burn\user\msuuser.cpp, xrefs: 00B769A7
Failed to stop wusa service., xrefs: 00B769B1

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ControlErrorLastService
String ID: Failed to stop wusa service.$c:\agent\_work\66\s\src\burn\user\msuuser.cpp
API String ID: 4114567744-4214498911
Opcode ID: 989589d736f075f7fe2e9d6ee4440a2a743d1064405004234c2d75aeeb9047dc
Instruction ID: 58d287fa439526b0ef73e844c04f005647858e063809e7fc136ec7770239cda2
Opcode Fuzzy Hash: 989589d736f075f7fe2e9d6ee4440a2a743d1064405004234c2d75aeeb9047dc
Instruction Fuzzy Hash: 2001A733A4422567D72097659C05AAB7BE4EB49B50F114165FE04BB280E974990482D5

Function 00B9608D Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 00B960EC

Part of subcall function 00B97ED3: SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 00B97FE0
Part of subcall function 00B97ED3: GetLastError.KERNEL32 ref: 00B97FEA

Strings

clbcatq.dll, xrefs: 00B960B9
`Dv, xrefs: 00B960EC
c:\agent\_work\66\s\src\libs\dutil\atomutil.cpp, xrefs: 00B960DA

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Time$ErrorFileFreeLastStringSystem
String ID: `Dv$c:\agent\_work\66\s\src\libs\dutil\atomutil.cpp$clbcatq.dll
API String ID: 211557998-3152777288
Opcode ID: 8ca4bb61ba75d9d198dfc79098e299c0093a141c18877f92bea4b416ff7b64a8
Instruction ID: d58aee2ebc0bc0840dd49810351555b0b4af64bbeeb05431ba994aa7219ac3c4
Opcode Fuzzy Hash: 8ca4bb61ba75d9d198dfc79098e299c0093a141c18877f92bea4b416ff7b64a8
Instruction Fuzzy Hash: 44016D72900126FB8F21AF9589C189AFBE8FF147A0B6081FBE608A7111D7759E04D7A0

Function 00B6EB14 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 00B6EB3C
GetLastError.KERNEL32 ref: 00B6EB46

Strings

c:\agent\_work\66\s\src\burn\user\userforapplication.cpp, xrefs: 00B6EB6A
Failed to post elevate message., xrefs: 00B6EB74

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: Failed to post elevate message.$c:\agent\_work\66\s\src\burn\user\userforapplication.cpp
API String ID: 2609174426-3565835173
Opcode ID: cc3b1317b938d4eb94d13a6c5b4877ad3b2517b6c31bc5af7a704dbf3b79f2f2
Instruction ID: d5ac0681b4b7a536ec0379940248c9266aa6c9c1e2e9915f3cf4cd607ffdd456
Opcode Fuzzy Hash: cc3b1317b938d4eb94d13a6c5b4877ad3b2517b6c31bc5af7a704dbf3b79f2f2
Instruction Fuzzy Hash: 5CF0223B600231A7C3201AA85C4AE8337C4AB05B70B1982A5BE35AB290E729CC0183D4

Function 00B5D88A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 00B5D8B1
FreeLibrary.KERNEL32(?,?,00B54920,00000000,?,?,00B554CB,?,?), ref: 00B5D8C0
GetLastError.KERNEL32(?,00B54920,00000000,?,?,00B554CB,?,?), ref: 00B5D8CA

Strings

BootstrapperApplicationDestroy, xrefs: 00B5D8A9

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AddressErrorFreeLastLibraryProc
String ID: BootstrapperApplicationDestroy
API String ID: 1144718084-3186005537
Opcode ID: 89a8218545fd638f6dcf8dee48afc6b94303dacf718c21ce991f0b1da5de5218
Instruction ID: 6fb1a4196f911d73433b9f282c01f5e30062a24bff473412e9af6cf67363a1cb
Opcode Fuzzy Hash: 89a8218545fd638f6dcf8dee48afc6b94303dacf718c21ce991f0b1da5de5218
Instruction Fuzzy Hash: 5FF06232600626ABD7205F66E804B26FBE4FF04B6371583AAEC15D7560C725EC54DBD0

Function 00B92A57 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00B92A6C
SysFreeString.OLEAUT32(00000000), ref: 00B92A9C

Strings

c:\agent\_work\66\s\src\libs\dutil\xmlutil.cpp, xrefs: 00B92A80
`Dv, xrefs: 00B92A9C

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: String$AllocFree
String ID: `Dv$c:\agent\_work\66\s\src\libs\dutil\xmlutil.cpp
API String ID: 344208780-3615271265
Opcode ID: 19e63700a0ffcec20f8d5114a90379f27eaa0ad065d39318d5c29214d59058dc
Instruction ID: f3debe28cfbd81cf4c435877e89755df9522f113d981a4a4d6bf0708b76766f5
Opcode Fuzzy Hash: 19e63700a0ffcec20f8d5114a90379f27eaa0ad065d39318d5c29214d59058dc
Instruction Fuzzy Hash: D3F09032601555ABDB315B009C08F6B77E6DF80B61F1540A9FC0867210CB788D109AD5

Function 00B92CFC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00B92D11
SysFreeString.OLEAUT32(00000000), ref: 00B92D41

Strings

c:\agent\_work\66\s\src\libs\dutil\xmlutil.cpp, xrefs: 00B92D28
`Dv, xrefs: 00B92D41

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: String$AllocFree
String ID: `Dv$c:\agent\_work\66\s\src\libs\dutil\xmlutil.cpp
API String ID: 344208780-3615271265
Opcode ID: 492ecbff40cf22c2c66eb67012b48798cb480b235f2a64e28dd784e13a494597
Instruction ID: c2bffee93f434b5e5951b7f5c950657f200da4bb52df011c50354f4eea948dbc
Opcode Fuzzy Hash: 492ecbff40cf22c2c66eb67012b48798cb480b235f2a64e28dd784e13a494597
Instruction Fuzzy Hash: 35F0B431501154B7CF225F049C08E6A7BE9DF40761F1040B6FC085B260CB74CD009AE5

Function 00B6F11E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 00B6F133
GetLastError.KERNEL32 ref: 00B6F13D

Strings

c:\agent\_work\66\s\src\burn\user\userforapplication.cpp, xrefs: 00B6F161
Failed to post plan message., xrefs: 00B6F16B

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: Failed to post plan message.$c:\agent\_work\66\s\src\burn\user\userforapplication.cpp
API String ID: 2609174426-4270167399
Opcode ID: c0358467d7ebb85d7684fe2ec14dc44205c14b748fd8a4de658260fc0b69daac
Instruction ID: d799144f52ed3abc8f10e19ffda53438aa3c5b7dab4b5e0d41db0b13cdaafc95
Opcode Fuzzy Hash: c0358467d7ebb85d7684fe2ec14dc44205c14b748fd8a4de658260fc0b69daac
Instruction Fuzzy Hash: 6CF0A7336452327BD62066A9AC09E577ED4EF06BF1B1240A1BE08BB291E929DC0082D5

Function 00B6F22C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 00B6F241
GetLastError.KERNEL32 ref: 00B6F24B

Strings

c:\agent\_work\66\s\src\burn\user\userforapplication.cpp, xrefs: 00B6F26F
Failed to post shutdown message., xrefs: 00B6F279

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: Failed to post shutdown message.$c:\agent\_work\66\s\src\burn\user\userforapplication.cpp
API String ID: 2609174426-519151043
Opcode ID: adf061663e1fb10ecb4d341a9db497125bc85ddacb643939a98d6ff0b0398256
Instruction ID: 9001a126fbd8da969b19d938a9f8b22b39f87220927559f14f70c4f0484d3a97
Opcode Fuzzy Hash: adf061663e1fb10ecb4d341a9db497125bc85ddacb643939a98d6ff0b0398256
Instruction Fuzzy Hash: 7DF0A73764523667972016EA6C19E577AD4AF06FA1B0240B1BE04BB290E918DC0086D4

Function 00B70564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00B9A478,00000000,?,00B714B9,?,00000000,?,00B5C24A,?,00B55442,?,00B67498,?,?,00B55442,?), ref: 00B7056E
GetLastError.KERNEL32(?,00B714B9,?,00000000,?,00B5C24A,?,00B55442,?,00B67498,?,?,00B55442,?,00B55482,00000001), ref: 00B70578

Strings

Failed to set begin operation event., xrefs: 00B705A6
c:\agent\_work\66\s\src\burn\user\cabextract.cpp, xrefs: 00B7059C

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$c:\agent\_work\66\s\src\burn\user\cabextract.cpp
API String ID: 3848097054-3321223842
Opcode ID: 420a06584d310816176c688ae262e06d2adf4ae288c3c3bd373a60659defdf66
Instruction ID: ec2148524bba89e63bf03589c861e97afea28205d25de53682cab557b16ddd73
Opcode Fuzzy Hash: 420a06584d310816176c688ae262e06d2adf4ae288c3c3bd373a60659defdf66
Instruction Fuzzy Hash: C1F05533922231A7832032A96D06A8B77D89F19BA170180E6FE08FB240FA18EC0047E4

Function 00B6EAAB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009000,00000000,?), ref: 00B6EAC0
GetLastError.KERNEL32 ref: 00B6EACA

Strings

c:\agent\_work\66\s\src\burn\user\userforapplication.cpp, xrefs: 00B6EAEE
Failed to post detect message., xrefs: 00B6EAF8

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: Failed to post detect message.$c:\agent\_work\66\s\src\burn\user\userforapplication.cpp
API String ID: 2609174426-2517332631
Opcode ID: 5ae93905b07bc6ba47216f55c4f362937ba5e7c2b22ac1e0467bc0ed300ef73e
Instruction ID: 69d82b1e38ff719a47b2b66385ad8a1d2b08aef0c9aa1b3256312ca31b89b77f
Opcode Fuzzy Hash: 5ae93905b07bc6ba47216f55c4f362937ba5e7c2b22ac1e0467bc0ed300ef73e
Instruction Fuzzy Hash: D2F0A7376452316BD22016A95C09F477ED4EF05BA1B124091BE14BF290D518EC00D3E5

Function 00B6EA1A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 00B6EA2F
GetLastError.KERNEL32 ref: 00B6EA39

Strings

c:\agent\_work\66\s\src\burn\user\userforapplication.cpp, xrefs: 00B6EA5D
Failed to post apply message., xrefs: 00B6EA67

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLastMessagePostThread
String ID: Failed to post apply message.$c:\agent\_work\66\s\src\burn\user\userforapplication.cpp
API String ID: 2609174426-1324423724
Opcode ID: c5d2b6b030ebbee00f93fc1356f5f81758cf2e55f7ee51e8ff9c8738efc7db91
Instruction ID: 5dcf03f360a438e964ac2d22f196891f92acd16d38ad3ad85222eb707f3efec6
Opcode Fuzzy Hash: c5d2b6b030ebbee00f93fc1356f5f81758cf2e55f7ee51e8ff9c8738efc7db91
Instruction Fuzzy Hash: D4F0A7376452356BD62116E96C09E47BED4FF05BA1B0240A1BE18BB291E518DC00C7D5

Function 00B863C9 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B86454
__alldvrm.LIBCMT ref: 00B86655
__alldvrm.LIBCMT ref: 00B86677

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: ad949144aaf5d9b16d0cabd91b61aa8499d9bd64d722724cfcb4a13481783838
Instruction ID: 273703143e7292d66419842cd4a394a2719620ad6f46a9e9acd0f1fc99f7b03e
Opcode Fuzzy Hash: ad949144aaf5d9b16d0cabd91b61aa8499d9bd64d722724cfcb4a13481783838
Instruction Fuzzy Hash: A5A148719003869FDB25EF28C891BEEBBE4EF21310F1841EDD5859B3A1D6348D41C750

Function 00B956B4 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 162stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 00B95781
lstrlenW.KERNEL32(00000000), ref: 00B95799

Strings

c:\agent\_work\66\s\src\libs\dutil\dlutil.cpp, xrefs: 00B95822

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: lstrlen
String ID: c:\agent\_work\66\s\src\libs\dutil\dlutil.cpp
API String ID: 1659193697-16760509
Opcode ID: 05fd12ec09d1b2c087a68d41f6f1ccc3a81e6c2a6b7a81a6799f638cea99efe3
Instruction ID: ca700e6575a4728a6907b647526b5552c171de19065cac69f144528d572dcd8e
Opcode Fuzzy Hash: 05fd12ec09d1b2c087a68d41f6f1ccc3a81e6c2a6b7a81a6799f638cea99efe3
Instruction Fuzzy Hash: 0B518372D40629EBDF229FE49C849AE7BF9EF88750B1541A4ED00B7210DA74DD409BA0

Function 00B88AD8 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,BCE85006,00B81C3F,00000000,00000000,00B82C74,?,00B82C74,?,00000001,00B81C3F,BCE85006,00000001,00B82C74,00B82C74), ref: 00B88B25
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B88BAE
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00B88BC0
__freea.LIBCMT ref: 00B88BC9

Part of subcall function 00B85D22: HeapAlloc.KERNEL32(00000000,?,?,?,00B81782,?,0000015D,?,?,?,?,00B82BDB,000000FF,00000000,?,?), ref: 00B85D54

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__freea
String ID:
API String ID: 573072132-0
Opcode ID: d928aaa1722eef7dbc7926aced9ab63339c7e2e2e7d005ff5793ba661a62156c
Instruction ID: 35af649c36acc67ec1e3be4f00533a9b65b90edb6d07b916317b90251a46412e
Opcode Fuzzy Hash: d928aaa1722eef7dbc7926aced9ab63339c7e2e2e7d005ff5793ba661a62156c
Instruction Fuzzy Hash: 9831F4B2A0021AABDF25AF64DC45DAE7BE5EF80310F5441A9FC04D7160EB36DC50CB90

Function 00B54FE1 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00000000,?,00B5558F,?,?,?,?,?,?), ref: 00B5503B
DeleteCriticalSection.KERNEL32(?,?,?,00000000,?,00B5558F,?,?,?,?,?,?), ref: 00B5504F
TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00B5558F,?,?), ref: 00B5513E
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00B5558F,?,?), ref: 00B55145

Part of subcall function 00B5115F: LocalFree.KERNEL32(?,?,00B54FF8,?,00000000,?,00B5558F,?,?,?,?,?,?), ref: 00B51169

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalDeleteFreeSection$CloseHandleLocal
String ID:
API String ID: 3671900028-0
Opcode ID: 7ad44c9f9d4c9b9d8c269dca1652924e2fa26e50a09021bda1bfaff40257b928
Instruction ID: 045ec08d11621401377f8f991efd947ed94ed4e4f1e91a2a1aa267ee783a0110
Opcode Fuzzy Hash: 7ad44c9f9d4c9b9d8c269dca1652924e2fa26e50a09021bda1bfaff40257b928
Instruction Fuzzy Hash: CA410CB1500B05ABDA71EBB0C949F9B73ECAF05302F4448D9BAA9D3051DB34F949C764

Function 00B54CC9 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B5F90C: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,00B54CE8,?,?,00000001), ref: 00B5F95C

CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 00B54D4F

Strings

Failed to get current process path., xrefs: 00B54D0D
Failed to re-launch bundle process after RunOnce: %ls, xrefs: 00B54D39
Unable to get resume command line from the registry, xrefs: 00B54CEE

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Close$Handle
String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
API String ID: 187904097-642631345
Opcode ID: aea3fa66fbb86d315ee9052079a7d3d868283f43a5ddf68f24ee50eb606dc00b
Instruction ID: 1272b3d7a420b02010a7a8e0fb422297ab2e8ddfbaa8a74702b8644e9418be6d
Opcode Fuzzy Hash: aea3fa66fbb86d315ee9052079a7d3d868283f43a5ddf68f24ee50eb606dc00b
Instruction Fuzzy Hash: 08116031D01618FACF12AB94D901AAEBBF8EE91706B1081F5EC10A6260E7719E489B80

Function 00B8815F Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00B88303,00000000,00000000,?,00B88106,00B88303,00000000,00000000,00000000,?,00B88303,00000006,FlsSetValue), ref: 00B88191
GetLastError.KERNEL32(?,00B88106,00B88303,00000000,00000000,00000000,?,00B88303,00000006,FlsSetValue,00BB1A28,FlsSetValue,00000000,00000364,?,00B859FB), ref: 00B8819D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B88106,00B88303,00000000,00000000,00000000,?,00B88303,00000006,FlsSetValue,00BB1A28,FlsSetValue,00000000), ref: 00B881AB

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 8004429fb530d5b0722e9485150d2627099e478ef648276663a6a485445292c6
Instruction ID: 3d7d5b83495f8af68c75ea471df76500206fdce3716db7a7e272c0f147df300c
Opcode Fuzzy Hash: 8004429fb530d5b0722e9485150d2627099e478ef648276663a6a485445292c6
Instruction Fuzzy Hash: 9D01FC36645223ABC7217B799C88E5777D9EF09BA17600660FD05F3260DF20D802C7E0

Function 00B5743E Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00B5744A
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00B574B1

Strings

Failed to get value as numeric for variable: %ls, xrefs: 00B574A0
Failed to get value of variable: %ls, xrefs: 00B57484

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-4270472870
Opcode ID: 9b678e2705608812e64190661b9c6d793913e67e62ccadac69ed31131df4c999
Instruction ID: ae4de064d7891b7ca222cea34439ff219be36d6f4e45eac18cfe55ac5bf1e031
Opcode Fuzzy Hash: 9b678e2705608812e64190661b9c6d793913e67e62ccadac69ed31131df4c999
Instruction Fuzzy Hash: 6801BC32A84128FFCF116F51ED05B9E7EAAAF00722F1181E0FD14AA220CB359E14D7D0

Function 00B575AD Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00B575B9
LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00B57620

Strings

Failed to get value as version for variable: %ls, xrefs: 00B5760F
Failed to get value of variable: %ls, xrefs: 00B575F3

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-1851729331
Opcode ID: fd4585f99fb50dbc93ec9204800a0df4938326fd9954c3468abd8d9b24fa1ee9
Instruction ID: 38bf5440e072c77721e975ac49950f6473b3b0daee2d5df06c62597b99158711
Opcode Fuzzy Hash: fd4585f99fb50dbc93ec9204800a0df4938326fd9954c3468abd8d9b24fa1ee9
Instruction Fuzzy Hash: 08017172A94528BBCF125B44EC09F9E7BA4EB11726F0080E1FD04A6121DB359E14DBD5

Function 00B5753E Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,00B5985C,00000000,?,00000000,00000000,00000000,?,00B5969D,00000000,?,00000000,00000000), ref: 00B5754A
LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,00B5985C,00000000,?,00000000,00000000,00000000,?,00B5969D,00000000,?,00000000), ref: 00B575A0

Strings

Failed to get value of variable: %ls, xrefs: 00B57570
Failed to copy value of variable: %ls, xrefs: 00B5758F

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
API String ID: 3168844106-2936390398
Opcode ID: 8b7b64f0aa2becaaea66b967bb8e3502ccd26d92bd402e6a53917b5d4397c0bd
Instruction ID: c2335874409e7cd33629daabf0c2e34e93d4410ad2ca58124f39b8821d2e1383
Opcode Fuzzy Hash: 8b7b64f0aa2becaaea66b967bb8e3502ccd26d92bd402e6a53917b5d4397c0bd
Instruction Fuzzy Hash: 00F0A472940229BBCF026F50ED05EAE3BA5EF14356F0080E0FC04A6220D735DE10DBD0

Function 00B90517 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 143registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 00B90692

Strings

c:\agent\_work\66\s\src\libs\dutil\regutil.cpp, xrefs: 00B9067F

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Close
String ID: c:\agent\_work\66\s\src\libs\dutil\regutil.cpp
API String ID: 3535843008-3237223240
Opcode ID: ccbb21d6af68a083c739e1ccda34361f56a17588633bf98ffb39eec8ff600216
Instruction ID: 885405617facf085102fd4b7f08bb12e5e90fec636e99ce6a9890db64eb49f1b
Opcode Fuzzy Hash: ccbb21d6af68a083c739e1ccda34361f56a17588633bf98ffb39eec8ff600216
Instruction Fuzzy Hash: 0041E132D21125EFDF21AA98CC44BAD7AE1EB90720F1A81F5ED04AB160D775CD60DB90

Function 00B93FBE Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B90823: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,Pi,00000000,?,00B94FE0,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00B90837

RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,?,00000000,00000101), ref: 00B9411F

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00B93FCF
PendingFileRenameOperations, xrefs: 00B9400F, 00B940F7

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-3023217399
Opcode ID: 0d4065a8e095f85db88d373a2ea05de40341b19ef658160f32102fb3470b6317
Instruction ID: e9126e60883f2b99953295b7423346e4fcc6008a3a458e8d050e9d35201e9785
Opcode Fuzzy Hash: 0d4065a8e095f85db88d373a2ea05de40341b19ef658160f32102fb3470b6317
Instruction Fuzzy Hash: E7416B71E00214EBCF20EF98C981EAEBBF5EB55B51F2140F9E601A7211D7719E42CB50

Function 00B9095E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00B909D4
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00B90A0C

Strings

c:\agent\_work\66\s\src\libs\dutil\regutil.cpp, xrefs: 00B90A48

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: QueryValue
String ID: c:\agent\_work\66\s\src\libs\dutil\regutil.cpp
API String ID: 3660427363-3237223240
Opcode ID: 8c33e5ae489dc00885b925403f02fab21d817a2641c7099866a6cbe1486a5c35
Instruction ID: ada7aa29cb6134c8d4315bc8a840f2867ade990605e1b62b8509569c73872171
Opcode Fuzzy Hash: 8c33e5ae489dc00885b925403f02fab21d817a2641c7099866a6cbe1486a5c35
Instruction Fuzzy Hash: 21413131D1022AEFDF11EA98C881AAEB7F9EF04750F2185F9E910A7152D7709E51DB90

Function 00B808B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00B808E3
__IsNonwritableInCurrentImage.LIBCMT ref: 00B8099C

Strings

csm, xrefs: 00B80986

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 78441ee4040abd5b6053d1169dde7748ffd60240df49924f68a63580d3769634
Instruction ID: 21f824371c1fb153659035b983da7e7aa1728420305a2f6f612a14e2d39172f3
Opcode Fuzzy Hash: 78441ee4040abd5b6053d1169dde7748ffd60240df49924f68a63580d3769634
Instruction Fuzzy Hash: E341B334E20209DBCB50FF68C890A9E7BE4FF45364F1482D5E8185B272D771D909CB90

Function 00B85F23 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00B9A518,00000000,00000006,00000001,comres.dll,?,00000000,?,00000000,?,?,00000000,00000006,?,comres.dll,?), ref: 00B85FF6
GetLastError.KERNEL32 ref: 00B86012

Strings

comres.dll, xrefs: 00B85F9D, 00B85FEB, 00B86027

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: comres.dll
API String ID: 203985260-246242247
Opcode ID: 0ef9d51ae22b18809bb4e03787ea85e7fc1cafb2702710b32ff74f63e1a63f0d
Instruction ID: dbda614f968390544fd7922d4fbad5b4e0adc91d7d7645f1a599b135fdaafbe3
Opcode Fuzzy Hash: 0ef9d51ae22b18809bb4e03787ea85e7fc1cafb2702710b32ff74f63e1a63f0d
Instruction Fuzzy Hash: 0A31C271600A12ABDB31BF59C985FAB7BE8DF51B51F1400E9FA155B2B0EA30CD40C7A1

Function 00B98705 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B985F6: lstrlenW.KERNEL32(00000100,?,?,?,00B98996,000002C0,00000100,00000100,00000100,?,?,?,00B77AD3,?,?,000001BC), ref: 00B9861B

RegCloseKey.ADVAPI32(00000000,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,00B9A500,wininet.dll,?), ref: 00B98805
RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,?,?,?,00000000,wininet.dll,?,00B9A500,wininet.dll,?), ref: 00B98812

Part of subcall function 00B90823: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,Pi,00000000,?,00B94FE0,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00B90837

Part of subcall function 00B90708: RegEnumKeyExW.ADVAPI32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,00B78B57), ref: 00B90763
Part of subcall function 00B90708: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00B78B57,00000000), ref: 00B90781

Strings

wininet.dll, xrefs: 00B9877A, 00B987C7

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Close$EnumInfoOpenQuerylstrlen
String ID: wininet.dll
API String ID: 2680864210-3354682871
Opcode ID: b98fded45b720c6eb0a6115f5fcd66f210dc68cece2d150861c1840047375b90
Instruction ID: 49ee378447f936fe17ad0546a29a2cab0548fbb5b8d751c06975ec4f1a5d39da
Opcode Fuzzy Hash: b98fded45b720c6eb0a6115f5fcd66f210dc68cece2d150861c1840047375b90
Instruction Fuzzy Hash: 3C312836C01129EFCF12AFE4C9809AEBBF9EF05750F2141BAE90176121CB359E50DBA0

Function 00B53ADB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00B53B3E

Strings

crypt32.dll, xrefs: 00B53AFB, 00B53B3A, 00B53B3C
wininet.dll, xrefs: 00B53AFC

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: _memcpy_s
String ID: crypt32.dll$wininet.dll
API String ID: 2001391462-82500532
Opcode ID: 4ae1699a8e0cffef73e401e02ee7f8f13826bdea54519662f1ff0bf1fc8a425b
Instruction ID: 28da144707a73274db90d9200c23aa99a87ce6619a156f4a3c487aefec252a78
Opcode Fuzzy Hash: 4ae1699a8e0cffef73e401e02ee7f8f13826bdea54519662f1ff0bf1fc8a425b
Instruction Fuzzy Hash: D4116371600219AFCF08DF19CCD5A9F7FA9EF85794B148069FD058B311D271EA148BE0

Function 00B63A2C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B90823: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,Pi,00000000,?,00B94FE0,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00B90837

RegCloseKey.ADVAPI32(00000000,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,00000000,?,?,?,?,00B63F3C,feclient.dll,?,00000000,?,?,?,00B54B57), ref: 00B63ACD

Part of subcall function 00B9095E: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00B909D4
Part of subcall function 00B9095E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00B90A0C

Strings

Logging, xrefs: 00B63A5A
SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 00B63A43

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: QueryValue$CloseOpen
String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer
API String ID: 1586453840-387823766
Opcode ID: 79bb46d2545799c4b745b2c7a2230495b746cda0ec7b790996a79eb77b4f23db
Instruction ID: c753277b465c5131a0206b515327daf57c8276205d0f7aa583b5385847f40427
Opcode Fuzzy Hash: 79bb46d2545799c4b745b2c7a2230495b746cda0ec7b790996a79eb77b4f23db
Instruction Fuzzy Hash: 30113836600215BBEB24DAC4DD46FBEB7E4EB00F50F5400D5E982A7190C77C9F41AB50

Function 00B90D87 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00020006,00B9FF38,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,00B5F2DF,00000000,?,00020006), ref: 00B90DBA
RegDeleteValueW.ADVAPI32(00020006,00B9FF38,00000000,?,?,00B5F2DF,00000000,?,00020006,?,00B9FF38,00020006,00000000,?,?,?), ref: 00B90DEA

Strings

c:\agent\_work\66\s\src\libs\dutil\regutil.cpp, xrefs: 00B90E1E

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Value$Delete
String ID: c:\agent\_work\66\s\src\libs\dutil\regutil.cpp
API String ID: 1738766685-3237223240
Opcode ID: d4ee098ce2833a806b50461cf29900159840a2c96d40703b5eb9d1ec7440ced0
Instruction ID: 60a3199999e7bdc8b9cb447d79d46a3e195c8287612ec0f24b35f9b57cb92d65
Opcode Fuzzy Hash: d4ee098ce2833a806b50461cf29900159840a2c96d40703b5eb9d1ec7440ced0
Instruction Fuzzy Hash: 9711C433D6153ABFDF216A948D05BAEBAE1EF04760F1146B0FE00BA150D6709D1097E0

Function 00B5DD59 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,00B773ED,00000000,IGNOREDEPENDENCIES,00000000,?,00B9A518), ref: 00B5DDAA

Strings

Failed to copy the property value., xrefs: 00B5DDDE
IGNOREDEPENDENCIES, xrefs: 00B5DD61

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CompareString
String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
API String ID: 1825529933-1412343224
Opcode ID: ac9ccf369e3d5d655a00223081fd1ed2f05dab6858f331ee7f6cd056f74543fe
Instruction ID: f76ac2b9d4cb55b016c1a48f0004b1e267b7651ed6c35e342dfe981072f5603d
Opcode Fuzzy Hash: ac9ccf369e3d5d655a00223081fd1ed2f05dab6858f331ee7f6cd056f74543fe
Instruction Fuzzy Hash: B911A332200215AFDB208F54CC85F69B7F5EF08362F2542F5EE189B2E1CB709854CB80

Function 00B51578 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(0000007F,00000000,00000000,00B66FDF,00000000,00B66FDF,00000000,00000000,00B66FDF,00000000,00000000,00000000,?,00B52420,00000000,00000000), ref: 00B515BC
GetLastError.KERNEL32(?,00B52420,00000000,00000000,00B66FDF,00000200,?,00B94ABC,00000000,00B66FDF,00000000,00B66FDF,00000000,00000000,00000000), ref: 00B515C6

Strings

c:\agent\_work\66\s\src\libs\dutil\strutil.cpp, xrefs: 00B515EA

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorLastString
String ID: c:\agent\_work\66\s\src\libs\dutil\strutil.cpp
API String ID: 3728238275-792799584
Opcode ID: 57bfe1a444683a2d3e140b71d6e5af1ca20ecf43baedee606311da7488755683
Instruction ID: f2e5bcca913d4e4873c5c90df7512153b650fcf84c3f8f2a2e525f5231174ca1
Opcode Fuzzy Hash: 57bfe1a444683a2d3e140b71d6e5af1ca20ecf43baedee606311da7488755683
Instruction Fuzzy Hash: 6901F53390127667CF229A99AC00F977BE8EF95B61B0146E1FE10AB250E631DC1487E1

Function 00B6573C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 00B65759
CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 00B657B2

Strings

Failed to initialize COM on cache thread., xrefs: 00B6576E

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: InitializeUninitialize
String ID: Failed to initialize COM on cache thread.
API String ID: 3442037557-3629645316
Opcode ID: 426d9afd97ea8d834bf5bf38196d05747f04598015ab2f3a9e8c3cd70a67a23c
Instruction ID: 0b9d57c3205d5aaf3383589887945b7c77978953e1ceb96a9f2f6d9957c77546
Opcode Fuzzy Hash: 426d9afd97ea8d834bf5bf38196d05747f04598015ab2f3a9e8c3cd70a67a23c
Instruction Fuzzy Hash: DB016172600619BFDB159FA4EC84DEABBEDFF09354B108169F50997220EB70AD50CB94

Function 00B94E42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,00B68D6E,?,00000001,20000004,00000000,00000000,?,00000000), ref: 00B94E71
SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00B68D6E,?), ref: 00B94E8C

Strings

c:\agent\_work\66\s\src\libs\dutil\aclutil.cpp, xrefs: 00B94EB0

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: InfoNamedSecuritySleep
String ID: c:\agent\_work\66\s\src\libs\dutil\aclutil.cpp
API String ID: 2352087905-2024494872
Opcode ID: dddefe1a3316e322bd44268a5ce8be951f23905bf179fe1329a1292ac49e135d
Instruction ID: 575967eea2a14871fad7e10171399c98fe328b816bfc95af9a7431ae711091a3
Opcode Fuzzy Hash: dddefe1a3316e322bd44268a5ce8be951f23905bf179fe1329a1292ac49e135d
Instruction Fuzzy Hash: CA017933801529EBCF269E999D05E8E7EA6FB84B61F0242A5BD0476120C7759D219BD0

Function 00B55160 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00B51104,?,?,00000000), ref: 00B5517F
CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00B51104,?,?,00000000), ref: 00B551AF

Strings

burn.clean.room, xrefs: 00B5516C, 00B55179, 00B551A6

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: cb8c698777a48441397668ff08295c663f0080d1c7a68e6f1d08442379f837fe
Instruction ID: 25038203dda9899972f3cb1a697f81840da0d8b5455ebf1c15c8617053d74dba
Opcode Fuzzy Hash: cb8c698777a48441397668ff08295c663f0080d1c7a68e6f1d08442379f837fe
Instruction Fuzzy Hash: 70016272910E20AB96304B49AEA4F73BFECEB1975271002A6F905E3610C6A59C54C7E1

Function 00B93448 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B90823: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,Pi,00000000,?,00B94FE0,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00B90837

RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,00B932E8,?), ref: 00B934B9

Strings

EnableLUA, xrefs: 00B9348B
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00B93463

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CloseOpen
String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 47109696-3551287084
Opcode ID: 892a5990804bae3da445c328f90509ecbb1fb8f198b27203a1cba280a9f00c0a
Instruction ID: 56269db8f0e638527de2fe8074849994ddf7558f5cff3a4e9376ccbeef4e852d
Opcode Fuzzy Hash: 892a5990804bae3da445c328f90509ecbb1fb8f198b27203a1cba280a9f00c0a
Instruction Fuzzy Hash: E5017132D10128EFDB12AAA4C946BEDF6F8DB00B25F2141B5A901B7250D3B85F40D6D0

Function 00B960FB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00B96160

Strings

`Dv, xrefs: 00B96160
c:\agent\_work\66\s\src\libs\dutil\atomutil.cpp, xrefs: 00B9611C

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: FreeString
String ID: `Dv$c:\agent\_work\66\s\src\libs\dutil\atomutil.cpp
API String ID: 3341692771-3473096540
Opcode ID: d42fd77fd35c08fb5ea23fff357148d180274ac29e969719017d8bf9fdc09d27
Instruction ID: ca80b1a9e4dc793eb65fd91996fbb8206d981f7f9e9eab0f8050ce092a733428
Opcode Fuzzy Hash: d42fd77fd35c08fb5ea23fff357148d180274ac29e969719017d8bf9fdc09d27
Instruction Fuzzy Hash: AE01D136800125F7CF21A7448E02FAEFBE8DF41B61F2051F6B90077252D7788E0496A4

Function 00B534C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00B510DD,?,00000000), ref: 00B534E5
GetLastError.KERNEL32(?,?,?,?,00B510DD,?,00000000), ref: 00B534FC

Strings

c:\agent\_work\66\s\src\libs\dutil\pathutil.cpp, xrefs: 00B53520

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: c:\agent\_work\66\s\src\libs\dutil\pathutil.cpp
API String ID: 2776309574-4168559387
Opcode ID: 83de1a152f302b4d8273fac33816b087711505c4c44cc4ea22dc05ec6e76b2e4
Instruction ID: 31cc91f999beda232dfb850dabe9e67b5913503d721d10d1ebcad0645ceb170a
Opcode Fuzzy Hash: 83de1a152f302b4d8273fac33816b087711505c4c44cc4ea22dc05ec6e76b2e4
Instruction Fuzzy Hash: 50F0C873A0013167972256956C45F47BAD8EB51FE2B1641E1FE44BB310E675DD0482E1

Function 00B56540 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 00B56552

Part of subcall function 00B9038A: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00B55EE0,00000000), ref: 00B9039E
Part of subcall function 00B9038A: GetProcAddress.KERNEL32(00000000), ref: 00B903A5
Part of subcall function 00B9038A: GetLastError.KERNEL32(?,?,?,00B55EE0,00000000), ref: 00B903BC

Part of subcall function 00B55D14: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00B55D9A

Strings

Failed to set variant value., xrefs: 00B5658F
Failed to get 64-bit folder., xrefs: 00B56575

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
String ID: Failed to get 64-bit folder.$Failed to set variant value.
API String ID: 3109562764-2681622189
Opcode ID: e8e50fa90515a58275f1a7d20596ece547865e277c2103c0ca556a0ca80857e7
Instruction ID: 396f723a320a31374ae5aaaa4c6b9ecf0d31bc7d9d4f29219d345e7ef7f818c9
Opcode Fuzzy Hash: e8e50fa90515a58275f1a7d20596ece547865e277c2103c0ca556a0ca80857e7
Instruction Fuzzy Hash: 4C016232950628FBCF11B7A0ED05F9EBBB8DB14722F6041E1BC00A7155EA71AF44DA90

Function 00B7DFDF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00B7E902

Part of subcall function 00B80AD1: RaiseException.KERNEL32(?,?,?,00B7E924,?,00000000,00000000,?,?,?,?,?,00B7E924,?,00BB78A8), ref: 00B80B31

__CxxThrowException@8.LIBVCRUNTIME ref: 00B7E91F

Strings

Unknown exception, xrefs: 00B7E92C

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: ea5d20e80252cbe3eb17db471b4ced6a9df402da6d14badc3d5cc6a3ae5f884d
Instruction ID: 4295d2f4f79328cc40c9cecca69cd0a63719363002fef61f8d93a701746a490d
Opcode Fuzzy Hash: ea5d20e80252cbe3eb17db471b4ced6a9df402da6d14badc3d5cc6a3ae5f884d
Instruction Fuzzy Hash: 02F0C83490420D77CB14BA65DC5A9AD73EC9E04350B50C5F4F93C950E1EFB0E919C291

Function 00B94224 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(00000000,00000000,00000000,762334C0,?,?,?,00B5B9EC,?,?,?,00000000,00000000), ref: 00B9423C
GetLastError.KERNEL32(?,?,?,00B5B9EC,?,?,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00B94246

Strings

c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp, xrefs: 00B9426A

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: ErrorFileLastSize
String ID: c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp
API String ID: 464720113-1688708105
Opcode ID: 02ddee87f91ee1970e504eb8b1b1b42e07d327db414c7702f9ad938ed2eaee3d
Instruction ID: a7850a1c99433645927bb7945c300957dcec5276e306e2c17bd67943673a5a72
Opcode Fuzzy Hash: 02ddee87f91ee1970e504eb8b1b1b42e07d327db414c7702f9ad938ed2eaee3d
Instruction Fuzzy Hash: CDF0C8B2910236ABDB108B85C905D5AFBECFF54B60B0141A6BD44B7340D774AD00C7D0

Function 00B935D7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35comCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(Microsoft.Update.AutoUpdate,00B554A3,?,00000000,00B554A3,?,?,?), ref: 00B935FE
CoCreateInstance.OLE32(00000000,00000000,00000001,00BB6B4C,?), ref: 00B93616

Strings

Microsoft.Update.AutoUpdate, xrefs: 00B935F9

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID: Microsoft.Update.AutoUpdate
API String ID: 2151042543-675569418
Opcode ID: e57671029348d52f3ecb1f738cfa2ccf03846d5d139de3792fcae9d86831fed1
Instruction ID: ddeec85caa0ae56cb89abf3a07c8aaad057c16d671a815841b4357e608d1f07b
Opcode Fuzzy Hash: e57671029348d52f3ecb1f738cfa2ccf03846d5d139de3792fcae9d86831fed1
Instruction Fuzzy Hash: 41F05471604108BFDB10EBB8DD469EFB7F8DB48750F504065AA01F7150DAB4AE0486A6

Function 00B906C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00B906E1

Strings

AdvApi32.dll, xrefs: 00B906C6
RegDeleteKeyExW, xrefs: 00B906D6

Memory Dump Source

Source File: 00000005.00000002.3353542509.0000000000B51000.00000020.00000001.01000000.00000009.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000005.00000002.3353467451.0000000000B50000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353658193.0000000000B9A000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353739596.0000000000BBA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BBD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000BDD000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C12000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000005.00000002.3353812315.0000000000C1D000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_b50000_setup.jbxd

Similarity

API ID: AddressProc
String ID: AdvApi32.dll$RegDeleteKeyExW
API String ID: 190572456-850864035
Opcode ID: 2b2ee642fdc428494b81292f79c477ccd81a0ddeab9dbdc9e2e62bba99880336
Instruction ID: fdaa3919392f448e3791f6bf88eaf6774f38b63c7d05fdc0471959b369117003
Opcode Fuzzy Hash: 2b2ee642fdc428494b81292f79c477ccd81a0ddeab9dbdc9e2e62bba99880336
Instruction Fuzzy Hash: 47E08C71A12A219FDB106F58BC45FA1BFE0EB00B64F0003A0E402A7270DBF54C48CB84

Analysis Process: setup.exePID: 4364, Parent PID: 2264COMMON

Executed Functions

Function 00CE1070 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 77fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE34C4: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,00CE10DD,?,00000000), ref: 00CE34E5

CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 00CE10F6

Part of subcall function 00CE1173: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,00CE111A,cabinet.dll,00000009,?,?,00000000), ref: 00CE1184
Part of subcall function 00CE1173: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,00CE111A,cabinet.dll,00000009,?,?,00000000), ref: 00CE118F
Part of subcall function 00CE1173: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00CE119D
Part of subcall function 00CE1173: GetLastError.KERNEL32(?,?,?,?,?,00CE111A,cabinet.dll,00000009,?,?,00000000), ref: 00CE11B8
Part of subcall function 00CE1173: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00CE11C0
Part of subcall function 00CE1173: GetLastError.KERNEL32(?,?,?,?,?,00CE111A,cabinet.dll,00000009,?,?,00000000), ref: 00CE11D5

CloseHandle.KERNEL32(?,?,?,?,00D2A4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 00CE1131

Strings

comres.dll, xrefs: 00CE10B5
version.dll, xrefs: 00CE10A7
msi.dll, xrefs: 00CE10A0
cabinet.dll, xrefs: 00CE1099, 00CE1114
clbcatq.dll, xrefs: 00CE10BC
feclient.dll, xrefs: 00CE10D1
crypt32.dll, xrefs: 00CE10CA
msasn1.dll, xrefs: 00CE10C3
wininet.dll, xrefs: 00CE10AE

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
API String ID: 3687706282-3151496603
Opcode ID: 153cf0d683b4d0f6f576d63fe13599535255302b0301ec90d51ae41a1fb388f9
Instruction ID: 9624e35daed55b4b6277de6158ca687f8647f000881ffabe37c828330cb18a8f
Opcode Fuzzy Hash: 153cf0d683b4d0f6f576d63fe13599535255302b0301ec90d51ae41a1fb388f9
Instruction Fuzzy Hash: 9121D671900268ABCB10AFAADD09BDFBBB8EF48718F144115FA11B7380D7B099158BB1

Function 00D1F79E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131threadtimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00D4B5D4,00000000,?,?,?,?,00D01074,8007139F,Invalid operation for this state.,c:\agent\_work\66\s\src\burn\user\cabextract.cpp,000001C7,8007139F), ref: 00D1F7CC
GetCurrentProcessId.KERNEL32(00000000,?,00D01074,8007139F,Invalid operation for this state.,c:\agent\_work\66\s\src\burn\user\cabextract.cpp,000001C7,8007139F), ref: 00D1F7DC
GetCurrentThreadId.KERNEL32 ref: 00D1F7E5
GetLocalTime.KERNEL32(8007139F,?,00D01074,8007139F,Invalid operation for this state.,c:\agent\_work\66\s\src\burn\user\cabextract.cpp,000001C7,8007139F), ref: 00D1F7FB
LeaveCriticalSection.KERNEL32(00D4B5D4,00D01074,?,00000000,0000FDE9,?,00D01074,8007139F,Invalid operation for this state.,c:\agent\_work\66\s\src\burn\user\cabextract.cpp,000001C7,8007139F), ref: 00D1F8F2

Strings

%ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 00D1F898

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
API String ID: 296830338-59366893
Opcode ID: f2423542cd2f8aefa34507ba557349f237b4074945ad2ab71dbd983bcc17677d
Instruction ID: 5af79c45e59d9744dd4aec810df0d649b01f89d48512d4c287ffe8fe8089fd96
Opcode Fuzzy Hash: f2423542cd2f8aefa34507ba557349f237b4074945ad2ab71dbd983bcc17677d
Instruction Fuzzy Hash: 6C4190B6D00219BBDB219FA9E804BFEB6B9EB18711F140035F501E62A1DB34CD81DBB1

Function 00CEB45A Relevance: 91.6, APIs: 24, Strings: 28, Instructions: 577
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 00CEB4D1
SetFilePointerEx.KERNEL32(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00CEB51F
GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 00CEB525
ReadFile.KERNEL32(00000000,00CE44B0,00000040,?,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00CEB56D
GetLastError.KERNEL32(?,?,?,00000000,7736C3F0,00000000), ref: 00CEB573
SetFilePointerEx.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00CEB5D0
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00CEB5D6
ReadFile.KERNEL32(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00CEB61F
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00CEB625
SetFilePointerEx.KERNEL32(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00CEB696
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00CEB69C
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00CEB6E5
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00CEB6EB
ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00CEB734
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00CEB73A
SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00CEB786
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00CEB78C

Part of subcall function 00CE39DF: GetProcessHeap.KERNEL32(?,000001C7,?,00CE237C,?,00000001,80004005,8007139F,?,?,00D1FB39,8007139F,?,00000000,00000000,8007139F), ref: 00CE39F0
Part of subcall function 00CE39DF: RtlAllocateHeap.NTDLL(00000000,?,00CE237C,?,00000001,80004005,8007139F,?,?,00D1FB39,8007139F,?,00000000,00000000,8007139F), ref: 00CE39F7

ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00CEB7DF
ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00CEB841
SetFilePointerEx.KERNEL32(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00CEB8CB
GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,7736C3F0,00000000), ref: 00CEB8D5

Strings

4, xrefs: 00CEB853
Failed to allocate buffer for section info., xrefs: 00CEB8B3
Failed to seek to NT header., xrefs: 00CEB601
Failed to get total size of bundle., xrefs: 00CEB9F2
Failed to find Burn section., xrefs: 00CEBB01
Failed to seek to start of file., xrefs: 00CEB550
Failed to read image section header, index: %u, xrefs: 00CEBB7B
c:\agent\_work\66\s\src\burn\user\section.cpp, xrefs: 00CEB4F2, 00CEB546, 00CEB594, 00CEB5F7, 00CEB646, 00CEB6BD, 00CEB70C, 00CEB75B, 00CEB7B0, 00CEB867, 00CEB8A7, 00CEB8F9, 00CEB95E, 00CEB988, 00CEB9AF, 00CEBA96, 00CEBAD6, 00CEBAF5, 00CEBB32, 00CEBB70, 00CEBB93, 00CEBBAE
Failed to read signature size., xrefs: 00CEB765
Failed to read section info, data to short: %u, xrefs: 00CEB879
burn, xrefs: 00CEB807
Failed to read section info., xrefs: 00CEB968
Failed to allocate memory for container sizes., xrefs: 00CEBAA2
Failed to find valid DOS image header in buffer., xrefs: 00CEBBBA
.wix, xrefs: 00CEB7FF
PE Header from file didn't match PE Header in memory., xrefs: 00CEBAE0
Failed to read NT header., xrefs: 00CEB650
Failed to read complete section info., xrefs: 00CEB994
Failed to seek past optional headers., xrefs: 00CEB7BA
Failed to find valid NT image header in buffer., xrefs: 00CEBB9F
Failed to read complete image section header, index: %u, xrefs: 00CEBB44
Failed to read section info, unsupported version: %08x, xrefs: 00CEB9C4
(, xrefs: 00CEB7EC
Failed to read DOS header., xrefs: 00CEB59E
Failed to open handle to user process path., xrefs: 00CEB4FC
Failed to read signature offset., xrefs: 00CEB716
Failed to seek to section info., xrefs: 00CEB6C7, 00CEB903
PE, xrefs: 00CEB667

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to user process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$c:\agent\_work\66\s\src\burn\user\section.cpp
API String ID: 3411815225-1671293494
Opcode ID: 9c927f15d1326f033434bfe99d094b5c96e1dbb1f7c0f5f9defcec7eba65dd18
Instruction ID: abedcb61f9a3f7fb10d5d3587748069467098b0c0e4988fa960a51b2dbacb3fe
Opcode Fuzzy Hash: 9c927f15d1326f033434bfe99d094b5c96e1dbb1f7c0f5f9defcec7eba65dd18
Instruction Fuzzy Hash: 771215769402B6ABDB309B168D4AFBB7668EF00710F0101A5FE09BB280D7749E44CBF5

Function 00CEA3D4 Relevance: 44.1, APIs: 8, Strings: 17, Instructions: 311
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_MREFOpen@16.MSPDB140-MSVCRT ref: 00CEA418
_MREFOpen@16.MSPDB140-MSVCRT ref: 00CEA440
RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 00CEA73F

Strings

Failed to change value type., xrefs: 00CEA6E3, 00CEA706
Failed to allocate string buffer., xrefs: 00CEA633
Failed to read registry value., xrefs: 00CEA6C8
Unsupported registry key value type. Type = '%u', xrefs: 00CEA5D2
c:\agent\_work\66\s\src\burn\user\search.cpp, xrefs: 00CEA510, 00CEA545, 00CEA598, 00CEA6A1
Failed to format key string., xrefs: 00CEA425
Failed to get expand environment string., xrefs: 00CEA6AD
Failed to format value string., xrefs: 00CEA44D
Failed to set variable., xrefs: 00CEA701
Failed to query registry key value size., xrefs: 00CEA51C
Registry key not found. Key = '%ls', xrefs: 00CEA478
Failed to query registry key value., xrefs: 00CEA5A4
Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00CEA4E2
Failed to open registry key., xrefs: 00CEA4B3
RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 00CEA717
Failed to clear variable., xrefs: 00CEA49E
Failed to allocate memory registry value., xrefs: 00CEA54F

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: Open@16$Close
String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$c:\agent\_work\66\s\src\burn\user\search.cpp
API String ID: 2348241696-2754605460
Opcode ID: 821696598ac4d02f1bf9734556ba737f94197ef5bb9981a02a1adb42c4f36f15
Instruction ID: b34a8f81aa4472ffd7c72ab5f273832bb704d3b3f1298337fe4a85e56b3b923e
Opcode Fuzzy Hash: 821696598ac4d02f1bf9734556ba737f94197ef5bb9981a02a1adb42c4f36f15
Instruction Fuzzy Hash: 20A1F572D00565BFCF219AA6DC49AAEBA79EF18710F108121F915F7290D770EE4097F2

Function 00CE57A7 Relevance: 42.5, APIs: 5, Strings: 19, Instructions: 477
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00000100,00000100,00000100,00000000,00000100,00000000,?,00CEA889,00000100,000002C0,000002C0,00000100), ref: 00CE57CC
lstrlenW.KERNEL32(000002C0,?,00CEA889,00000100,000002C0,000002C0,00000100), ref: 00CE57D6
_wcschr.LIBVCRUNTIME ref: 00CE59DB
LeaveCriticalSection.KERNEL32(00000100,00000000,000002C0,000002C0,00000000,000002C0,00000001,?,00CEA889,00000100,000002C0,000002C0,00000100), ref: 00CE5C7E

Strings

Failed to set record format string., xrefs: 00CE5B08
Failed to get formatted length., xrefs: 00CE5BC6
[%d], xrefs: 00CE5996
Failed to reallocate variable array., xrefs: 00CE5A60
Failed to append placeholder., xrefs: 00CE5A81
Failed to append string., xrefs: 00CE5852
Failed to allocate variable array., xrefs: 00CE5AB9
Failed to allocate buffer for format string., xrefs: 00CE57F4
Failed to get variable name., xrefs: 00CE5AC0
Failed to allocate record., xrefs: 00CE5A3F
Failed to determine variable visibility: '%ls'., xrefs: 00CE5A6E
Failed to format placeholder string., xrefs: 00CE5A8B
Failed to allocate string., xrefs: 00CE5BF5
c:\agent\_work\66\s\src\burn\user\variable.cpp, xrefs: 00CE5A32, 00CE5A53, 00CE5AAC, 00CE5AFE, 00CE5B8A, 00CE5BBC, 00CE5C38
Failed to format record., xrefs: 00CE5C42
Failed to set variable value., xrefs: 00CE5A95
Failed to set record string., xrefs: 00CE5B94
Failed to copy string., xrefs: 00CE5C62
*****, xrefs: 00CE594D

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: CriticalSection$EnterLeave_wcschrlstrlen
String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$c:\agent\_work\66\s\src\burn\user\variable.cpp
API String ID: 1026845265-1173883696
Opcode ID: 37f117e9939659bb6828bbd9ffd9c5c5999c3a87b34bce8f2843c785f45eef14
Instruction ID: 40fc07b2fe7852cb9a564c7191ba840ca37f93fed355fdedde6b29c2584aef9d
Opcode Fuzzy Hash: 37f117e9939659bb6828bbd9ffd9c5c5999c3a87b34bce8f2843c785f45eef14
Instruction Fuzzy Hash: 4BF1D672D007A5AFCB209F668845EBF7B74EB04B64F148129FD15AB280D7749E41DBB0

Function 00CE51D2 Relevance: 40.6, APIs: 5, Strings: 18, Instructions: 314
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00CE5254

Part of subcall function 00D1FDC4: InitializeCriticalSection.KERNEL32(00D4B5D4,?,00CE5260,00000000,?,?,?,?,?,?), ref: 00D1FDDB

Part of subcall function 00CE1206: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00CE527C,00000000,?), ref: 00CE1244
Part of subcall function 00CE1206: GetLastError.KERNEL32(?,?,?,00CE527C,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00CE124E

CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00CE52C2

Part of subcall function 00D206C0: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 00D206E1

GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00CE5354
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00CE535E
CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CE55CB

Strings

Failed to run untrusted mode., xrefs: 00CE54F3
Failed to initialize Regutil., xrefs: 00CE5306
Failed to run per-machine mode., xrefs: 00CE54A9
Failed to initialize core., xrefs: 00CE5400
Invalid run mode., xrefs: 00CE5436
Failed to initialize COM., xrefs: 00CE52CE
c:\agent\_work\66\s\src\burn\user\user.cpp, xrefs: 00CE5382
Failed to run embedded mode., xrefs: 00CE5481
Failed to initialize user state., xrefs: 00CE52A9
@, xrefs: 00CE5532
Failed to initialize Cryputil., xrefs: 00CE52E3
Failed to initialize Wiutil., xrefs: 00CE531E
Failed to run RunOnce mode., xrefs: 00CE5459
Failed to get OS info., xrefs: 00CE538C
Failed to initialize XML util., xrefs: 00CE5336
Failed to parse command line., xrefs: 00CE5282
Failed to run per-user mode., xrefs: 00CE54D1
3.11.2.4516, xrefs: 00CE53C1

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
String ID: 3.11.2.4516$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize user state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$c:\agent\_work\66\s\src\burn\user\user.cpp$@
API String ID: 3262001429-4222581132
Opcode ID: 4fdd5ec0e2f7de410f5847fa19f3a2d7f1fc44386b59df84119ae2508a9ed4e8
Instruction ID: 8a08bacfd5f7b2c31f4c7f63e8515b938a07432bd8371c2107c711831c38b01c
Opcode Fuzzy Hash: 4fdd5ec0e2f7de410f5847fa19f3a2d7f1fc44386b59df84119ae2508a9ed4e8
Instruction Fuzzy Hash: A5B1D671D01AB95BDB32AF669D45BED76B8EF14308F0001E5F908B6251DA309F84CFA1

Function 00CF741D Relevance: 37.0, APIs: 1, Strings: 20, Instructions: 290
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to open manifest stream., xrefs: 00CF749E
Failed to initialize variables., xrefs: 00CF7464
Failed to initialize internal cache functionality., xrefs: 00CF7692
WixBundleSourceProcessPath, xrefs: 00CF75EB
Failed to load catalog files., xrefs: 00CF7702
Failed to get source process folder from path., xrefs: 00CF7618
Failed to load manifest., xrefs: 00CF74DB
Failed to get unique temporary folder for bootstrapper application., xrefs: 00CF76C1
WixBundleUILevel, xrefs: 00CF75C9, 00CF75DA
Failed to extract bootstrapper application payloads., xrefs: 00CF76E2
Failed to get manifest stream from container., xrefs: 00CF74BF
Failed to set original source variable., xrefs: 00CF765D
Failed to set source process folder variable., xrefs: 00CF7638
WixBundleSourceProcessFolder, xrefs: 00CF7627
Failed to overwrite the %ls built-in variable., xrefs: 00CF75AE
Failed to parse command line., xrefs: 00CF755A
Failed to open attached UX container., xrefs: 00CF7481
WixBundleOriginalSource, xrefs: 00CF764C
Failed to set source process path variable., xrefs: 00CF75FC
WixBundleElevated, xrefs: 00CF7598, 00CF75A9

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
API String ID: 32694325-1564579409
Opcode ID: d6bdac09130e9bc3a978c8cd2d31c0752a761dd28735a333b3e2fac733d37eae
Instruction ID: da9a87fa83d6d698274252e4b06de7f1a2a07573728729fea73bd857d44f74c5
Opcode Fuzzy Hash: d6bdac09130e9bc3a978c8cd2d31c0752a761dd28735a333b3e2fac733d37eae
Instruction Fuzzy Hash: 36A19272E44A5ABBCB53ABA5CC85EFEB76CBB14700F000326F615E7141D770AA449BE1

Function 00CE762D Relevance: 34.9, APIs: 1, Strings: 22, Instructions: 419
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00CF745E,00CE53FA,00000000,00CE5482), ref: 00CE764D

Strings

LogonUser, xrefs: 00CE7883
WixBundleAction, xrefs: 00CE7D77
InstallerName, xrefs: 00CE7813
WixBundleSourceProcessPath, xrefs: 00CE7E8F
WixBundleExecutePackageCacheFolder, xrefs: 00CE7D99
Failed to add built-in variable: %ls., xrefs: 00CE7F1A
WixBundleVersion, xrefs: 00CE7ECF
Date, xrefs: 00CE7771
WixBundleForcedRestartPackage, xrefs: 00CE7E15
WixBundleUILevel, xrefs: 00CE7EBF
WixBundleSourceProcessFolder, xrefs: 00CE7E9F
', xrefs: 00CE78EC
#, xrefs: 00CE76CC
WixBundleActiveParent, xrefs: 00CE7E63
$, xrefs: 00CE7D4A
WixBundleExecutePackageAction, xrefs: 00CE7DF9
WixBundleTag, xrefs: 00CE7EAF
WixBundleProviderKey, xrefs: 00CE7E7F
0, xrefs: 00CE7664
InstallerVersion, xrefs: 00CE7834
WixBundleInstalled, xrefs: 00CE7E2B
WixBundleElevated, xrefs: 00CE7E47

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
API String ID: 32694325-3635313340
Opcode ID: 984e1a7987b5a95a65847389636e84a28c67c6ab5ae878a375b20c5672dadc15
Instruction ID: 7e5d9ab7478670b50bcb24af270cdc52b0efe326f67893cfec375ee1183e90b1
Opcode Fuzzy Hash: 984e1a7987b5a95a65847389636e84a28c67c6ab5ae878a375b20c5672dadc15
Instruction Fuzzy Hash: BF3246B0D116699BDB65CF5AD88838DFBB4BB58318F5081EED20CAA310C7B01A888F55

Function 00CF819F Relevance: 33.4, APIs: 7, Strings: 12, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00CE54C6), ref: 00CF81F5

Part of subcall function 00D20141: OpenProcessToken.ADVAPI32(?,00000008,?,00CE53FA,00000000,?,?,?,?,?,?,?,00CF7590,00000000), ref: 00D2015F
Part of subcall function 00D20141: GetLastError.KERNEL32(?,?,?,?,?,?,?,00CF7590,00000000), ref: 00D20169
Part of subcall function 00D20141: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00CF7590,00000000), ref: 00D201F3

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00CF821B
GetLastError.KERNEL32 ref: 00CF8225
GetTempPathW.KERNEL32(00000104,?,00000000), ref: 00CF82A2
GetLastError.KERNEL32 ref: 00CF82AC
UuidCreate.RPCRT4(?), ref: 00CF82EB

Strings

Temp\, xrefs: 00CF827A
Failed to ensure windows path for working folder ended in backslash., xrefs: 00CF8270
Failed to concat Temp directory on windows path for working folder., xrefs: 00CF8292
%ls%ls\, xrefs: 00CF833D
c:\agent\_work\66\s\src\burn\user\cache.cpp, xrefs: 00CF8249, 00CF82D0, 00CF8321
Failed to get temp path for working folder., xrefs: 00CF82DA
4#v, xrefs: 00CF82A2
Failed to copy working folder path., xrefs: 00CF8370
Failed to get windows path for working folder., xrefs: 00CF8253
Failed to convert working folder guid into string., xrefs: 00CF832B
Failed to append bundle id on to temp path for working folder., xrefs: 00CF8355
Failed to create working folder guid., xrefs: 00CF82F8

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: ErrorLast$Process$CloseCreateCurrentDirectoryHandleOpenPathTempTokenUuidWindows
String ID: 4#v$%ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$c:\agent\_work\66\s\src\burn\user\cache.cpp
API String ID: 266130487-2538238480
Opcode ID: 26784a9f6735419a0c6d88c783bdb61ec62b95a0d2c575fb2c3b78504ff8e2a2
Instruction ID: 90e3bc34c26a3c90bbe0a8772f4869735d4c31bcd64f053c8fe30f3bc0382a28
Opcode Fuzzy Hash: 26784a9f6735419a0c6d88c783bdb61ec62b95a0d2c575fb2c3b78504ff8e2a2
Instruction Fuzzy Hash: D0411A76A44728BBDB3096E58C0EFAB7368AB01B10F114161BB05F7190EA74ED4C86B2

Function 00D03845 Relevance: 28.6, APIs: 1, Strings: 15, Instructions: 577COMMON

Download Yara Rule

Strings

UX aborted detect., xrefs: 00D03F13
UX aborted detect compatible MSI package., xrefs: 00D03ACB
Failed to convert version: %ls to DWORD64 for ProductCode: %ls, xrefs: 00D038E5
Failed to get version for product in machine context: %ls, xrefs: 00D03E79
Failed to copy the installed ProductCode to the package., xrefs: 00D03AEB
c:\agent\_work\66\s\src\burn\user\msiuser.cpp, xrefs: 00D039BD, 00D03AC1, 00D03EF2, 00D03F09
Failed to query feature state., xrefs: 00D03EE0
UX aborted detect related MSI package., xrefs: 00D039C7
Failed to get version for product in user unmanaged context: %ls, xrefs: 00D03E57
Invalid state value., xrefs: 00D03EFC
VersionString, xrefs: 00D038A0, 00D03A1C, 00D03B77, 00D03BAE
msasn1.dll, xrefs: 00D0399E, 00D03AA8, 00D03D76, 00D03EB1
Language, xrefs: 00D03C83
Failed to get product information for ProductCode: %ls, xrefs: 00D039E7
Failed to enum related products., xrefs: 00D03E83

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: lstrlen
String ID: Failed to convert version: %ls to DWORD64 for ProductCode: %ls$Failed to copy the installed ProductCode to the package.$Failed to enum related products.$Failed to get product information for ProductCode: %ls$Failed to get version for product in machine context: %ls$Failed to get version for product in user unmanaged context: %ls$Failed to query feature state.$Invalid state value.$Language$UX aborted detect compatible MSI package.$UX aborted detect related MSI package.$UX aborted detect.$VersionString$c:\agent\_work\66\s\src\burn\user\msiuser.cpp$msasn1.dll
API String ID: 1659193697-341873357
Opcode ID: e72dddd31a8411ce60cafbfda30f76fa772adf9f7dd7ca871410cd6c7750e516
Instruction ID: 04a19e47e00d761c8da0590fe5330f047512da92f1a448d7d5fd684b4e6d464d
Opcode Fuzzy Hash: e72dddd31a8411ce60cafbfda30f76fa772adf9f7dd7ca871410cd6c7750e516
Instruction Fuzzy Hash: 58229A71900219AFDF20DFA4C885FAEBBB9FF44300F24426AF949AB195D7719A44DB70

Function 00CE4326 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 157
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00CE52A3,?,?,00000000,?,?), ref: 00CE4352
InitializeCriticalSection.KERNEL32(000000D0,?,?,00CE52A3,?,?,00000000,?,?), ref: 00CE435B
lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00CE52A3,?,?,00000000,?,?), ref: 00CE43A1
lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00CE52A3,?,?,00000000,?,?), ref: 00CE43AB
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00CE52A3,?,?,00000000,?,?), ref: 00CE43BF
lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00CE52A3,?,?,00000000,?,?), ref: 00CE43CF
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00CE52A3,?,?,00000000,?,?), ref: 00CE441F
lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00CE52A3,?,?,00000000,?,?), ref: 00CE4429
CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00CE52A3,?,?,00000000,?,?), ref: 00CE443D
lstrlenW.KERNEL32(burn.filehandle.self,?,?,00CE52A3,?,?,00000000,?,?), ref: 00CE444D

Strings

burn.filehandle.self, xrefs: 00CE441A, 00CE4422, 00CE4427, 00CE4428, 00CE4448, 00CE4518
burn.filehandle.attached, xrefs: 00CE439C, 00CE43A4, 00CE43A9, 00CE43AA, 00CE43CA, 00CE44EC
Missing required parameter for switch: %ls, xrefs: 00CE44F1
c:\agent\_work\66\s\src\burn\user\user.cpp, xrefs: 00CE44E2, 00CE450E
Failed to initialize user section., xrefs: 00CE44B6
Failed to parse file handle: '%ls', xrefs: 00CE44CF

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: lstrlen$CompareCriticalInitializeSectionString
String ID: Failed to initialize user section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$c:\agent\_work\66\s\src\burn\user\user.cpp
API String ID: 3039292287-2540856168
Opcode ID: bea98d2209bf229791ba3569a4b564c484088e2cadd06333b95571459186194a
Instruction ID: 3297257c1c5517a9bbc6701121ba8c1393579ac65df8e0a5806f6ad494df45d9
Opcode Fuzzy Hash: bea98d2209bf229791ba3569a4b564c484088e2cadd06333b95571459186194a
Instruction Fuzzy Hash: DD511471B40265BFC7249F6EDC46F9A7768EF14720F004115F618D7290DB74A950CBB1

Function 00CFE60C Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 134
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsSetValue.KERNEL32(?,?), ref: 00CFE652
RegisterClassW.USER32(?), ref: 00CFE67E
GetLastError.KERNEL32 ref: 00CFE689
CreateWindowExW.USER32(00000080,00D391B4,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 00CFE6F0
GetLastError.KERNEL32 ref: 00CFE6FA
UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 00CFE798

Strings

Unexpected return value from message pump., xrefs: 00CFE783
Failed to create window., xrefs: 00CFE728
WixBurnMessageWindow, xrefs: 00CFE677, 00CFE793
c:\agent\_work\66\s\src\burn\user\uithread.cpp, xrefs: 00CFE6AD, 00CFE71E
Failed to register window., xrefs: 00CFE6B7

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$c:\agent\_work\66\s\src\burn\user\uithread.cpp
API String ID: 213125376-1202977178
Opcode ID: 0437177b7092028af7a1f9ad23c2a027450f074fced314d5afe31e04f41eea49
Instruction ID: b55618f01d6226632760111a5a198bff870dc7dd0ddb1273d0c2effa2c5e6132
Opcode Fuzzy Hash: 0437177b7092028af7a1f9ad23c2a027450f074fced314d5afe31e04f41eea49
Instruction Fuzzy Hash: BE41C676900329ABDB609B94DC48AEEBFB8EF14750F104166FA05FA260D7709945CBB2

Function 00CEC252 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 131
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,00CEC442,00CE5442,?,?,00CE5482), ref: 00CEC299
GetLastError.KERNEL32(?,00CEC442,00CE5442,?,?,00CE5482,00CE5482,00000000,?,00000000), ref: 00CEC2AA
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,00CEC442,00CE5442,?,?,00CE5482,00CE5482,00000000,?), ref: 00CEC2F9
GetCurrentProcess.KERNEL32(000000FF,00000000,?,00CEC442,00CE5442,?,?,00CE5482,00CE5482,00000000,?,00000000), ref: 00CEC2FF
DuplicateHandle.KERNELBASE(00000000,?,00CEC442,00CE5442,?,?,00CE5482,00CE5482,00000000,?,00000000), ref: 00CEC302
GetLastError.KERNEL32(?,00CEC442,00CE5442,?,?,00CE5482,00CE5482,00000000,?,00000000), ref: 00CEC30C
SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000,?,00CEC442,00CE5442,?,?,00CE5482,00CE5482,00000000,?,00000000), ref: 00CEC35E
GetLastError.KERNEL32(?,00CEC442,00CE5442,?,?,00CE5482,00CE5482,00000000,?,00000000), ref: 00CEC368

Strings

Failed to open container., xrefs: 00CEC3B4
Failed to open file: %ls, xrefs: 00CEC2DB
Failed to duplicate handle to container: %ls, xrefs: 00CEC33D
feclient.dll, xrefs: 00CEC35B
c:\agent\_work\66\s\src\burn\user\container.cpp, xrefs: 00CEC2CE, 00CEC330, 00CEC38C
crypt32.dll, xrefs: 00CEC35A
Failed to move file pointer to container offset., xrefs: 00CEC396

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$c:\agent\_work\66\s\src\burn\user\container.cpp$crypt32.dll$feclient.dll
API String ID: 2619879409-1064011499
Opcode ID: d8cd8fcd95c778b6d58b2356e5cc46f53d05d7565d0e1849fd12163e5ffd144f
Instruction ID: 8ae50e4fe99d8d59df905da8e1a99438834f2c5561a986c522d7d2c347c4a458
Opcode Fuzzy Hash: d8cd8fcd95c778b6d58b2356e5cc46f53d05d7565d0e1849fd12163e5ffd144f
Instruction Fuzzy Hash: 8A410636140251ABD7208F1BAD89E5B3BB6EBE0720B218019FD14EB391EA35D802DB71

Function 00D22368 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00CE38D1: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00CE3910
Part of subcall function 00CE38D1: GetLastError.KERNEL32 ref: 00CE391A

Part of subcall function 00D24289: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00D242BA

GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 00D223B2
GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 00D223D2
GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 00D223F2
GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00D22412
GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00D22432
GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00D22452
GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00D22472

Strings

MsiGetProductInfoExW, xrefs: 00D22427
MsiGetPatchInfoExW, xrefs: 00D22407
MsiDeterminePatchSequenceW, xrefs: 00D223A7
MsiDetermineApplicablePatchesW, xrefs: 00D223C7
Msi.dll, xrefs: 00D2237A
MsiEnumProductsExW, xrefs: 00D223E7
MsiSourceListAddSourceExW, xrefs: 00D22467
MsiSetExternalUIRecord, xrefs: 00D22447

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: AddressProc$ErrorLast$DirectorySystem
String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
API String ID: 2510051996-1735120554
Opcode ID: 9d27f2f6a6b873921e9f33348167b1bf7563fba374db8b06f8e3555de5a9aa56
Instruction ID: cfa1f4098a50327ea5dbc77e673f75863760f390e79a668e325eece6ff8e9184
Opcode Fuzzy Hash: 9d27f2f6a6b873921e9f33348167b1bf7563fba374db8b06f8e3555de5a9aa56
Instruction Fuzzy Hash: 9231E0B8901B64EFDB11AF60FC05B693BA0E732728F12422BE400EA771D7758959DB74

Function 00D228BD Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 152libraryloadercomCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00D22E6B,00000000,?,00000000), ref: 00D228D7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00D0BD14,?,00CE5442,?,00000000,?), ref: 00D228E3
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00D22923
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D2292F
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 00D2293A
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D22944
CoCreateInstance.OLE32(00D4B688,00000000,00000001,00D2A878,?,?,?,?,?,?,?,?,?,?,?,00D0BD14), ref: 00D2297F
ExitProcess.KERNEL32 ref: 00D22A2E

Strings

IsWow64Process, xrefs: 00D2291D
kernel32.dll, xrefs: 00D228C7
Wow64DisableWow64FsRedirection, xrefs: 00D22929
c:\agent\_work\66\s\src\libs\dutil\xmlutil.cpp, xrefs: 00D22907
Wow64EnableWow64FsRedirection, xrefs: 00D22931
Wow64RevertWow64FsRedirection, xrefs: 00D2293C

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$c:\agent\_work\66\s\src\libs\dutil\xmlutil.cpp$kernel32.dll
API String ID: 2124981135-3734847636
Opcode ID: 24603e96c717dfe29bbe6c5b0821d03ab6cbd53d386c148f3360e384edd9ac8c
Instruction ID: d545ef7c9d07a88ae0c2b29de17135376cac1b8d4d0d06a9182afc9d3fcf9658
Opcode Fuzzy Hash: 24603e96c717dfe29bbe6c5b0821d03ab6cbd53d386c148f3360e384edd9ac8c
Instruction Fuzzy Hash: D741D131A41325BFCB20DBA8A884B7EB7A4EF64714F150069F901EB341D771DE418BB0

Function 00D014E3 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,00CEC3AE,?,00000000,?,00CEC442), ref: 00D0151A
GetLastError.KERNEL32(?,00CEC3AE,?,00000000,?,00CEC442,00CE5442,?,?,00CE5482,00CE5482,00000000,?,00000000), ref: 00D01523

Strings

Failed to create operation complete event., xrefs: 00D01597
Failed to wait for operation complete., xrefs: 00D015F6
c:\agent\_work\66\s\src\burn\user\cabextract.cpp, xrefs: 00D01547, 00D0158D, 00D015D9
Failed to copy file name., xrefs: 00D01505
Failed to create begin operation event., xrefs: 00D01551
Failed to create extraction thread., xrefs: 00D015E3
wininet.dll, xrefs: 00D014F9

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$c:\agent\_work\66\s\src\burn\user\cabextract.cpp$wininet.dll
API String ID: 545576003-1014644744
Opcode ID: bf35990ac6e49e9a189ee13c7680d7e1d8cb8ec8233ea4991c61e1382ba2b79a
Instruction ID: 462a18c4e77f5bc9b0c0c7262115536035bc6e05f29ec8943d74bdcc70b64ad4
Opcode Fuzzy Hash: bf35990ac6e49e9a189ee13c7680d7e1d8cb8ec8233ea4991c61e1382ba2b79a
Instruction Fuzzy Hash: CD21C2BB9416377BE23112699D5AB67AAACEF407A0B010111BD4AFF2C0EA94DC0046F1

Function 00D1F58A Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(SystemFunction040,AdvApi32.dll), ref: 00D1F5B2
GetProcAddress.KERNEL32(SystemFunction041), ref: 00D1F5C4
GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 00D1F607
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00D1F61B
GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 00D1F653
GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00D1F667

Strings

SystemFunction040, xrefs: 00D1F5A7
CryptProtectMemory, xrefs: 00D1F5FC
AdvApi32.dll, xrefs: 00D1F591
Crypt32.dll, xrefs: 00D1F5E8
SystemFunction041, xrefs: 00D1F5B4
CryptUnprotectMemory, xrefs: 00D1F648
c:\agent\_work\66\s\src\libs\dutil\cryputil.cpp, xrefs: 00D1F63C

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: AddressProc$ErrorLast
String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$c:\agent\_work\66\s\src\libs\dutil\cryputil.cpp
API String ID: 4214558900-686287438
Opcode ID: 670ed1931e2130a6d9cf644f89e169bd12e3e980abbffc3c20637853a06c8434
Instruction ID: 5cca3dcca7dfd19c794ebb8dded65f69b27acfbf762bdc740b18137547fa6299
Opcode Fuzzy Hash: 670ed1931e2130a6d9cf644f89e169bd12e3e980abbffc3c20637853a06c8434
Instruction Fuzzy Hash: 0921A13A941721BBD3215F65BC05786B9A0AB25760F06013AEC01F63B1EB60DC849FB0

Function 00D00671 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CompareStringA.KERNEL32(00000000,00000000,<the>.cab,?,?), ref: 00D006A1
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 00D006B9
GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 00D006BE
DuplicateHandle.KERNELBASE(00000000,?,?), ref: 00D006C1
GetLastError.KERNEL32(?,?), ref: 00D006CB
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 00D0073A
GetLastError.KERNEL32(?,?), ref: 00D00747

Strings

c:\agent\_work\66\s\src\burn\user\cabextract.cpp, xrefs: 00D006EF, 00D0076B
Failed to open cabinet file: %hs, xrefs: 00D00778
Failed to duplicate handle to cab container., xrefs: 00D006F9
Failed to add virtual file pointer for cab container., xrefs: 00D00720
<the>.cab, xrefs: 00D0069A

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$c:\agent\_work\66\s\src\burn\user\cabextract.cpp
API String ID: 3030546534-886985619
Opcode ID: 1725e02330478f0ee80782cb56bf4a07a2d296bdbf7a451cc1a80e64387991d0
Instruction ID: e5c0c583855a2717740f5d2914132d4c22a8902100e4a44545df098bebedc1fb
Opcode Fuzzy Hash: 1725e02330478f0ee80782cb56bf4a07a2d296bdbf7a451cc1a80e64387991d0
Instruction Fuzzy Hash: F031EF76941236BBD7315B989D09F9B7E68EF04B60F110121FE08B7280DA69AD00CAF0

Function 00CFE8CE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 100threadCOMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,?,?,00CE54CB,?,?), ref: 00CFE8EE
GetLastError.KERNEL32(?,00CE54CB,?,?), ref: 00CFE8FB
CreateThread.KERNEL32(00000000,00000000,Function_0001E60C,?,00000000,00000000), ref: 00CFE954
GetLastError.KERNEL32(?,00CE54CB,?,?), ref: 00CFE961
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,00CE54CB,?,?), ref: 00CFE99C
CloseHandle.KERNEL32(00000000,?,00CE54CB,?,?), ref: 00CFE9BB
CloseHandle.KERNEL32(?,?,00CE54CB,?,?), ref: 00CFE9C8

Strings

Failed to create the UI thread., xrefs: 00CFE98C
c:\agent\_work\66\s\src\burn\user\uithread.cpp, xrefs: 00CFE91C, 00CFE982
Failed to create initialization event., xrefs: 00CFE926

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
String ID: Failed to create initialization event.$Failed to create the UI thread.$c:\agent\_work\66\s\src\burn\user\uithread.cpp
API String ID: 2351989216-1290259148
Opcode ID: 1271961a0a39938e0c48d988cbd7ff7d797fa8a9f26b5ffa8edcedb68360dd27
Instruction ID: b74f5eed92b1dc7bd5b6430f5984c7e675e334dbc7657670465dddc0bc4fbd67
Opcode Fuzzy Hash: 1271961a0a39938e0c48d988cbd7ff7d797fa8a9f26b5ffa8edcedb68360dd27
Instruction Fuzzy Hash: 91318476D0022ABBD7609F9D8D44AEEBAB8FF14750F110065BA05F7290E6B49F0086B2

Function 00D01286 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 87threadCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,76232F60,?,?), ref: 00D012AA
GetLastError.KERNEL32 ref: 00D012BD
GetExitCodeThread.KERNEL32(00D2A488,00000000), ref: 00D012FF
GetLastError.KERNEL32 ref: 00D0130D
ResetEvent.KERNEL32(00D2A460), ref: 00D01348
GetLastError.KERNEL32 ref: 00D01352

Strings

Failed to reset operation complete event., xrefs: 00D01383
c:\agent\_work\66\s\src\burn\user\cabextract.cpp, xrefs: 00D012E4, 00D01334, 00D01379
Failed to get extraction thread exit code., xrefs: 00D0133E
Failed to wait for operation complete event., xrefs: 00D012EE

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$c:\agent\_work\66\s\src\burn\user\cabextract.cpp
API String ID: 2979751695-3513947302
Opcode ID: dae22cb02797026d5e7bdaa1d6def89b61239b6add0e7fdef0ffbd508e352b87
Instruction ID: 545ad2e748ec32d1be0f54ab92ab8054f0555f773ec8de8200f317e1c3096643
Opcode Fuzzy Hash: dae22cb02797026d5e7bdaa1d6def89b61239b6add0e7fdef0ffbd508e352b87
Instruction Fuzzy Hash: DC319574A40306EFE720DB698D06BAEB7E8FF10701F104169F949EA2E0E775DA009B35

Function 00CE47DF Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 127windowthreadCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 00CE4804
GetCurrentThreadId.KERNEL32 ref: 00CE480A
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00CE4898

Strings

Unexpected return value from message pump., xrefs: 00CE48EE
Failed to create user for UX., xrefs: 00CE4824
Failed to start bootstrapper application., xrefs: 00CE4866
Failed to load UX., xrefs: 00CE484D
c:\agent\_work\66\s\src\burn\user\user.cpp, xrefs: 00CE48E4
wininet.dll, xrefs: 00CE4837

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: Message$CurrentPeekThread
String ID: Failed to create user for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$c:\agent\_work\66\s\src\burn\user\user.cpp$wininet.dll
API String ID: 673430819-1140212773
Opcode ID: d0411c9b296fadab46b48a64591f000001d975d9288828df6753254b1b989136
Instruction ID: 5819dbaf21d65a2021983de0c08c9b790b4ea0ddf296230d9785aae2977df7f7
Opcode Fuzzy Hash: d0411c9b296fadab46b48a64591f000001d975d9288828df6753254b1b989136
Instruction Fuzzy Hash: 5041E372600295BFE7299BA6DC85EBB73ACEF04318F100126F515E7280DB34ED4597B1

Function 00CED679 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000008,00000000,?,00CE4847,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00CE54CB,?), ref: 00CED68A
GetLastError.KERNEL32(?,00CE4847,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00CE54CB,?,?), ref: 00CED697
GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 00CED6CF
GetLastError.KERNEL32(?,00CE4847,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,00CE54CB,?,?), ref: 00CED6DB

Strings

Failed to get BootstrapperApplicationCreate entry-point, xrefs: 00CED706
Failed to create UX., xrefs: 00CED71F
BootstrapperApplicationCreate, xrefs: 00CED6C9
Failed to load UX DLL., xrefs: 00CED6C2
c:\agent\_work\66\s\src\burn\user\userexperience.cpp, xrefs: 00CED6B8, 00CED6FC

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$c:\agent\_work\66\s\src\burn\user\userexperience.cpp
API String ID: 1866314245-3967977479
Opcode ID: c616fd993b3bbf7a9321f6efa0ef994f6c11e7cfcd75b9c961bb50daee7e2872
Instruction ID: 61987677a05698b6e749aa27a1f44eeb2efd14001aab172f15e5129469ad0781
Opcode Fuzzy Hash: c616fd993b3bbf7a9321f6efa0ef994f6c11e7cfcd75b9c961bb50daee7e2872
Instruction Fuzzy Hash: 8B112B37980772ABD7311B5AAD09F5B27A4AF20B61F014435FE16FB380DA14DC0046F1

Function 00CEF7B4 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 116registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00CEF8E4
RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 00CEF8F1

Strings

Failed to open registration key., xrefs: 00CEF84D
Resume, xrefs: 00CEF858
%ls.RebootRequired, xrefs: 00CEF7D1
Failed to read Resume value., xrefs: 00CEF87A
Failed to format pending restart registry key to read., xrefs: 00CEF7E8

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: Close
String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
API String ID: 3535843008-3890505273
Opcode ID: 2a78619b9537cb6e5a783706271de3afacab6b2074c24b198be84277fda74187
Instruction ID: fbe40c57e75eb1b937f1175f611b865d870940fd6f58c859e4bc942d4bc0bd78
Opcode Fuzzy Hash: 2a78619b9537cb6e5a783706271de3afacab6b2074c24b198be84277fda74187
Instruction Fuzzy Hash: AD419732D0025DFFDB219F9AC941AADBBB4FF11314F15817AE810AB291D3729E41DBA1

Function 00D20141 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

OpenProcessToken.ADVAPI32(?,00000008,?,00CE53FA,00000000,?,?,?,?,?,?,?,00CF7590,00000000), ref: 00D2015F
GetLastError.KERNEL32(?,?,?,?,?,?,?,00CF7590,00000000), ref: 00D20169
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,00CF7590,00000000), ref: 00D2019B
GetLastError.KERNEL32(?,?,?,?,?,?,?,00CF7590,00000000), ref: 00D201B4
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00CF7590,00000000), ref: 00D201F3

Strings

c:\agent\_work\66\s\src\libs\dutil\procutil.cpp, xrefs: 00D201E1

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: ErrorLastToken$CloseHandleInformationOpenProcess
String ID: c:\agent\_work\66\s\src\libs\dutil\procutil.cpp
API String ID: 4040495316-2457365779
Opcode ID: f3d74fe088c7fd3c2afb1b00ec98b2ff50dbf3d7d62a2cbe9b26d894632b5fcb
Instruction ID: 364c3d3aa3bf5deda40067f9a6949c3005dcc79e22fa6cc081f03a0f23c4f7cb
Opcode Fuzzy Hash: f3d74fe088c7fd3c2afb1b00ec98b2ff50dbf3d7d62a2cbe9b26d894632b5fcb
Instruction Fuzzy Hash: F621CF36D40335EBDB228B99AD08A9EBFB8EF20710F014052EE05FB251D2708E10DAF0

Function 00D24289 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00D242BA
GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 00D242E7
GetLastError.KERNEL32(?,00000000,?,00000000), ref: 00D24313
GetLastError.KERNEL32(00000000,00D2A800,?,00000000,?,00000000,?,00000000), ref: 00D24351
GlobalFree.KERNEL32(00000000), ref: 00D24382

Strings

c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp, xrefs: 00D242D5, 00D2432E

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: ErrorLast$Global$AllocFree
String ID: c:\agent\_work\66\s\src\libs\dutil\fileutil.cpp
API String ID: 1145190524-1688708105
Opcode ID: 50671fadab1bc32509f9b12d6a5698fbb766fa9df024f06d03502613f505df9c
Instruction ID: f1d6e4ca0c6ea8033671d18828523a3fe2a5f401c39d7e69a61fadee9ad76729
Opcode Fuzzy Hash: 50671fadab1bc32509f9b12d6a5698fbb766fa9df024f06d03502613f505df9c
Instruction Fuzzy Hash: 8231C036D80239EBC722DB99EC01AAFBAA8EF64768F154156FD04E7240E630DC0096F4

Function 00CFE7A7 Relevance: 9.1, APIs: 6, Instructions: 85windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000082,?,?), ref: 00CFE7D6
SetWindowLongW.USER32(?,000000EB,00000000), ref: 00CFE7E5
SetWindowLongW.USER32(?,000000EB,?), ref: 00CFE7F9
DefWindowProcW.USER32(?,?,?,?), ref: 00CFE809
GetWindowLongW.USER32(?,000000EB), ref: 00CFE823
PostQuitMessage.USER32(00000000), ref: 00CFE882

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: Window$Long$Proc$MessagePostQuit
String ID:
API String ID: 3812958022-0
Opcode ID: c4d226aca1f015b0bfa774f633ccc866930499b3cda55f4f757b63a754552020
Instruction ID: ee16502ab61ec436f4512d875ab1b1301f7da7d6da5f485d793e8ac2a53bcadc
Opcode Fuzzy Hash: c4d226aca1f015b0bfa774f633ccc866930499b3cda55f4f757b63a754552020
Instruction Fuzzy Hash: E521B271104219BFDB55AFA8DC48E7A3F65FF45360F148624FA169A2F0C631DE10DB62

Function 00CE415F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,840F01E8,00000000,00000000,?,00CF9FBC,00000000,00000000,?,00000000,00CE53FA,00000000,?,?,00CED567,?), ref: 00CE416D
GetLastError.KERNEL32(?,00CF9FBC,00000000,00000000,?,00000000,00CE53FA,00000000,?,?,00CED567,?,00000000,00000000), ref: 00CE417B
CreateDirectoryW.KERNEL32(?,840F01E8,00CE54C6,?,00CF9FBC,00000000,00000000,?,00000000,00CE53FA,00000000,?,?,00CED567,?,00000000), ref: 00CE41EB
GetLastError.KERNEL32(?,00CF9FBC,00000000,00000000,?,00000000,00CE53FA,00000000,?,?,00CED567,?,00000000,00000000), ref: 00CE41F5

Strings

c:\agent\_work\66\s\src\libs\dutil\dirutil.cpp, xrefs: 00CE4225

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: c:\agent\_work\66\s\src\libs\dutil\dirutil.cpp
API String ID: 1375471231-2061300336
Opcode ID: dcd3ddf4dba5d75bfa715982d9b8071299b67d82a4d0b388928473238ec4e436
Instruction ID: ed54fb2c77aa9df11ac2ebf6928ac8378038b74fb102e93df99b12cb05605bd5
Opcode Fuzzy Hash: dcd3ddf4dba5d75bfa715982d9b8071299b67d82a4d0b388928473238ec4e436
Instruction Fuzzy Hash: 012168366403B1E7DB391EA75C04B3FB6A5EF65B60F124025FF54EB340D6248D41A2E5

Function 00D20708 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.KERNEL32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000002,00000100,00000000,00000000,?,?,00D08B57), ref: 00D20763
RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00D08B57,00000000), ref: 00D20781
RegEnumKeyExW.KERNEL32(00000000,000002C0,00000410,00000002,00000000,00000000,00000000,00000000,00000410,00000003,?,?,00D08B57,00000000,00000000,00000000), ref: 00D207D7

Strings

c:\agent\_work\66\s\src\libs\dutil\regutil.cpp, xrefs: 00D207A7

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: Enum$InfoQuery
String ID: c:\agent\_work\66\s\src\libs\dutil\regutil.cpp
API String ID: 73471667-3237223240
Opcode ID: d11eddeb962e9cbcffcd5efd391ca997de2bdab10c9a0b39c487ee4bf772dcbf
Instruction ID: b78ba7562156b6e65f7b485dfe428c5a566e7fe595e5e27d8cd7c2674dc2fa82
Opcode Fuzzy Hash: d11eddeb962e9cbcffcd5efd391ca997de2bdab10c9a0b39c487ee4bf772dcbf
Instruction Fuzzy Hash: 9031A07A901139FBEB218A94DC84EAFFA6CEF24768F154065BD00AB111D3309E009AF0

Function 00D08857 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 75registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D20823: RegOpenKeyExW.KERNEL32(00000000,00000000,00000000,00000000,00000001,00D4AA7C,00000000,?,00D24FE0,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00D20837

RegCloseKey.ADVAPI32(00000000,00000000,00000088,00000000,000002C0,00000410,00020019,00000000,000002C0,00000000,?,?,?,00D08B93,00000000,00000000), ref: 00D08914

Strings

Failed to initialize package from related bundle id: %ls, xrefs: 00D088FA
Failed to ensure there is space for related bundles., xrefs: 00D088C7
Failed to open uninstall key for potential related bundle: %ls, xrefs: 00D08883

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: CloseOpen
String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
API String ID: 47109696-1717420724
Opcode ID: ecd67e0598fb5d613181c14f62ffe833299961be4583145c9b2980b5a85bfeab
Instruction ID: e0d3bc6d0f92f556d884ff2a1ffbae5691d9586ff1555ade5ca6e32a09720763
Opcode Fuzzy Hash: ecd67e0598fb5d613181c14f62ffe833299961be4583145c9b2980b5a85bfeab
Instruction Fuzzy Hash: C2216D72900259BFDB129E80ED06BBEBA79EB04710F144065F984A6190DB71AA60FFB1

Function 00D2002E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62filestringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenA.KERNEL32(00D01074,00000000,00000000,?,?,?,00D1F8EB,00D01074,00D01074,?,00000000,0000FDE9,?,00D01074,8007139F,Invalid operation for this state.), ref: 00D20040
WriteFile.KERNEL32(000002D8,00000000,00000000,?,00000000,?,?,00D1F8EB,00D01074,00D01074,?,00000000,0000FDE9,?,00D01074,8007139F), ref: 00D2007C
GetLastError.KERNEL32(?,?,00D1F8EB,00D01074,00D01074,?,00000000,0000FDE9,?,00D01074,8007139F,Invalid operation for this state.,c:\agent\_work\66\s\src\burn\user\cabextract.cpp,000001C7,8007139F), ref: 00D20086

Strings

c:\agent\_work\66\s\src\libs\dutil\logutil.cpp, xrefs: 00D200B7

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: ErrorFileLastWritelstrlen
String ID: c:\agent\_work\66\s\src\libs\dutil\logutil.cpp
API String ID: 606256338-727082060
Opcode ID: 568fa8b8c9769d2d1dd8f44de2cd4b7ac038ab012db7a41d86c719b4a2389808
Instruction ID: 4e9334e8c20a12970d6ddd8419db16ce67e59c62c5104dc65f7000c5241737c5
Opcode Fuzzy Hash: 568fa8b8c9769d2d1dd8f44de2cd4b7ac038ab012db7a41d86c719b4a2389808
Instruction Fuzzy Hash: 8A11CA765013346BE7308A79AE45BAF7E6CEB61764B010215FD01E7281D660ED4086F0

Function 00D1F6FD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00000900,?,?,00000000,00000000,00000000,?,00000000,?,?,00D1FDC0,?,?,?,?,00000001), ref: 00D1F71C
GetLastError.KERNEL32(?,00D1FDC0,?,?,?,?,00000001,?,00CE5651,?,?,00000000,?,?,00CE53D2,00000002), ref: 00D1F728
LocalFree.KERNEL32(00000000,?,?,00000000,?,?,00D1FDC0,?,?,?,?,00000001,?,00CE5651,?,?), ref: 00D1F791

Strings

c:\agent\_work\66\s\src\libs\dutil\logutil.cpp, xrefs: 00D1F747

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: c:\agent\_work\66\s\src\libs\dutil\logutil.cpp
API String ID: 1365068426-727082060
Opcode ID: 9007710677f581f1209c731e9594d6c767da47103448b57457eabb9486e30d3e
Instruction ID: c02a9f879c4f18a622c280a981c08e7bd5d35c67bfc9b3d7f37938b3cfa0023e
Opcode Fuzzy Hash: 9007710677f581f1209c731e9594d6c767da47103448b57457eabb9486e30d3e
Instruction Fuzzy Hash: 1E11E336600225FBDF219F94EE09EEE7B69EF54750F018029FD01E61A4DB708E91E6B0

Function 00D00797 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D011B1: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?,00000000,?,00D007C6,?,?,?), ref: 00D011D9
Part of subcall function 00D011B1: GetLastError.KERNEL32(?,00D007C6,?,?,?), ref: 00D011E3

ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?), ref: 00D007D4
GetLastError.KERNEL32 ref: 00D007DE

Strings

c:\agent\_work\66\s\src\burn\user\cabextract.cpp, xrefs: 00D00802
Failed to read during cabinet extraction., xrefs: 00D0080C

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: ErrorFileLast$PointerRead
String ID: Failed to read during cabinet extraction.$c:\agent\_work\66\s\src\burn\user\cabextract.cpp
API String ID: 2170121939-3499834177
Opcode ID: 25e7f4faf7ce1241228f2a4bacef2aa03d09719c7e88343142ded11b967cacb3
Instruction ID: 26af3561188a3d85730b725dec6c0d4bf8c714bd7ffe5a3a46c322c07bce75e8
Opcode Fuzzy Hash: 25e7f4faf7ce1241228f2a4bacef2aa03d09719c7e88343142ded11b967cacb3
Instruction Fuzzy Hash: 4F01E536A40269BBCB219F99DD05E8A7FA8FF04764F010114FD08E7290D734E900CAF0

Function 00D011B1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?,00000000,?,00D007C6,?,?,?), ref: 00D011D9
GetLastError.KERNEL32(?,00D007C6,?,?,?), ref: 00D011E3

Strings

Failed to move to virtual file pointer., xrefs: 00D01211
c:\agent\_work\66\s\src\burn\user\cabextract.cpp, xrefs: 00D01207

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID: Failed to move to virtual file pointer.$c:\agent\_work\66\s\src\burn\user\cabextract.cpp
API String ID: 2976181284-1387633737
Opcode ID: dd47703280b566d23c665bed50d99108c1bf6147b764f44ffe6ac625676e9e2c
Instruction ID: 3d5d729b51c783ce77b130039cfdae058f26e56abcba1e6f36ef9d4769e1c274
Opcode Fuzzy Hash: dd47703280b566d23c665bed50d99108c1bf6147b764f44ffe6ac625676e9e2c
Instruction Fuzzy Hash: 7501A73B900636BBC7211A9AAC09E8BFF25FF417B1B118125FD1CA7290D625DC1086F4

Function 00D00564 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00D2A478,00000000,?,00D014B9,?,00000000,?,00CEC24A,?,00CE5442,?,00CF7498,?,?,00CE5442,?), ref: 00D0056E
GetLastError.KERNEL32(?,00D014B9,?,00000000,?,00CEC24A,?,00CE5442,?,00CF7498,?,?,00CE5442,?,00CE5482,00000001), ref: 00D00578

Strings

c:\agent\_work\66\s\src\burn\user\cabextract.cpp, xrefs: 00D0059C
Failed to set begin operation event., xrefs: 00D005A6

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: ErrorEventLast
String ID: Failed to set begin operation event.$c:\agent\_work\66\s\src\burn\user\cabextract.cpp
API String ID: 3848097054-3321223842
Opcode ID: e2ea4123831d6a397f43df731423cfde3eff974f2b413aacbc7b433e97c39f51
Instruction ID: fab4ef3738fac29a2786329855791a1a09cd690440c3ade2a12bdb63529b3069
Opcode Fuzzy Hash: e2ea4123831d6a397f43df731423cfde3eff974f2b413aacbc7b433e97c39f51
Instruction Fuzzy Hash: 8FF0A73794263177C32022A96D0AB8B7A98DF05BA1F010025FE48FB280FA55AC0046F5

Function 00CE5160 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00CE1104,?,?,00000000), ref: 00CE517F
CompareStringW.KERNEL32(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00CE1104,?,?,00000000), ref: 00CE51AF

Strings

burn.clean.room, xrefs: 00CE516C, 00CE5179, 00CE51A6

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: CompareStringlstrlen
String ID: burn.clean.room
API String ID: 1433953587-3055529264
Opcode ID: 6224845aace4ad22a6ee7b8ccec110ea6867e616cb8177b815dc5dd03b8247f0
Instruction ID: 9df9cd6700f13a3d2a6056b469cbd96d4be4da3fa582796930a35073f3f3c0bb
Opcode Fuzzy Hash: 6224845aace4ad22a6ee7b8ccec110ea6867e616cb8177b815dc5dd03b8247f0
Instruction Fuzzy Hash: B201F977550B606B83244F4EAD85E7BBBACEB1D7687100115F914D3710C3759C50C7B2

Function 00CE38D1 Relevance: 4.6, APIs: 3, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00CE3910
GetLastError.KERNEL32 ref: 00CE391A
LoadLibraryW.KERNEL32(?,?,00000104,?), ref: 00CE3983

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: DirectoryErrorLastLibraryLoadSystem
String ID:
API String ID: 1230559179-0
Opcode ID: 720ee467eb37769c48b684a6d2be824bd0fd349969b55309ba9103a31f111f51
Instruction ID: 5a87f4abeebbc469e7be0b3eabcd299ac287b31556069188cb1803c01114014b
Opcode Fuzzy Hash: 720ee467eb37769c48b684a6d2be824bd0fd349969b55309ba9103a31f111f51
Instruction Fuzzy Hash: 3221DAB6D013B967DB309BA99C4DF9A77A8DF40760F110161BD14FB242E770EF4486A1

Function 00CEF6F9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D20823: RegOpenKeyExW.KERNEL32(00000000,00000000,00000000,00000000,00000001,00D4AA7C,00000000,?,00D24FE0,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00D20837

RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,00000000,?,?,?,00CF7C46,?,?,?), ref: 00CEF75D

Part of subcall function 00D208D7: RegQueryValueExW.ADVAPI32(00000004,?,00000000,00000000,?,00000000,?,00000000,?,?,?,00CEF732,00000000,Installed,00000000,?), ref: 00D208FC

Strings

Installed, xrefs: 00CEF725

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Installed
API String ID: 3677997916-3662710971
Opcode ID: 8310b709c67b7bca1824092368b0c979c375f0061e4aab48bb01676ecbe754f8
Instruction ID: 2140c9e310f3c753eef047a150bdf2b41d9475acb498251147449d013e8fb7a9
Opcode Fuzzy Hash: 8310b709c67b7bca1824092368b0c979c375f0061e4aab48bb01676ecbe754f8
Instruction Fuzzy Hash: 45018B32910268FFCB11AB94D946BDEBAB8EF00725F1181A8E800AB150D2758F84DBE0

Function 00D2506B Relevance: 1.6, APIs: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(80070490,00000000,80070490,00D4AA7C,00000000,80070490,?,?,00CF89F4,WiX\Burn,PackageCache,00000000,00D4AA7C,00000000,00000000,80070490), ref: 00D250C5

Part of subcall function 00D2095E: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00D209D4
Part of subcall function 00D2095E: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00D20A0C

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: QueryValue$Close
String ID:
API String ID: 1979452859-0
Opcode ID: 8f72dbb6dfd9b2de08c5ea1658e3937a49a847a82ea60b69831a6325df3580d6
Instruction ID: 7e49281fafdccb8c16e3d867b81ec1d6ba1d585d7bb801e7c9a955bb5b70010b
Opcode Fuzzy Hash: 8f72dbb6dfd9b2de08c5ea1658e3937a49a847a82ea60b69831a6325df3580d6
Instruction Fuzzy Hash: C8110636801636EBCF326E94FE80DAEB668DB20328B184039FD4163114C7314D50DAF1

Function 00CE35A8 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,00CF8AAE,0000001C,80070490,00000000,00000000,80070490), ref: 00CE35C8

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: bf576f8af213b6fbc3fe38283406ff98b84af524fbc560966c85973cb7424cc5
Instruction ID: 10d64dae8cadbf354b8e0928e3e1f4950bd8800b7e8ec794eb17b5ec8c434971
Opcode Fuzzy Hash: bf576f8af213b6fbc3fe38283406ff98b84af524fbc560966c85973cb7424cc5
Instruction Fuzzy Hash: 5CE012723412647BA6016BA65C09DBB7B5CDF153A17004011FE40D7100DA71E65057B1

Function 00CE4238 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000000,00000000,?,00CFA318,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,80070490), ref: 00CE4241

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 74abe2857751d1a4308f57dded43a46dcd4f7d0ac3a11c3aa8fd89022da180da
Instruction ID: 22f09e1ff49553539767808b5cef364e18aadfacb07cfcff88e1349b38c9bd98
Opcode Fuzzy Hash: 74abe2857751d1a4308f57dded43a46dcd4f7d0ac3a11c3aa8fd89022da180da
Instruction Fuzzy Hash: C2D02B3120122457472C4EFF98045667B04DF417707404215FE38C61D0D3304D1283C1

Function 00CE14AC Relevance: 1.3, APIs: 1, Instructions: 52stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,00CE22B1,?,00000000,?,00000000,?,00CE39A5,00000000,?,00000104), ref: 00CE14DC

Part of subcall function 00CE3C5F: GetProcessHeap.KERNEL32(00000000,000001C7,?,00CE22D5,000001C7,80004005,8007139F,?,?,00D1FB39,8007139F,?,00000000,00000000,8007139F), ref: 00CE3C67
Part of subcall function 00CE3C5F: HeapSize.KERNEL32(00000000,?,00CE22D5,000001C7,80004005,8007139F,?,?,00D1FB39,8007139F,?,00000000,00000000,8007139F), ref: 00CE3C6E

Memory Dump Source

Source File: 00000006.00000002.3353237445.0000000000CE1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000006.00000002.3353194651.0000000000CE0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353343524.0000000000D2A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353461966.0000000000D4A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D4D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000D6D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DA2000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000006.00000002.3353530039.0000000000DAD000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ce0000_setup.jbxd

Similarity

API ID: Heap$ProcessSizelstrlen
String ID:
API String ID: 3492610842-0
Opcode ID: dd12a173950a881861f4799bee2c4a4f2fdb1018bcd0f7f2a3933218676ccaf6
Instruction ID: 59b55ce1a785d687bf72d61a324c43cc1671f2257a754f2052f721d76be6b606
Opcode Fuzzy Hash: dd12a173950a881861f4799bee2c4a4f2fdb1018bcd0f7f2a3933218676ccaf6
Instruction Fuzzy Hash: A601D8331012A4BBCF216E57DC85FDA7B6AAF45770F184111FE15AB291C670ED60A6A0

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report adguardInstaller.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\setup[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\setup[1].exe

C:\Users\user\AppData\Local\Temp\adguard\Adguard_20250103083939.log

C:\Users\user\AppData\Local\Temp\adguard\setup.exe

C:\Windows\Temp\{23F326A7-4A2F-48BD-8B4B-DF2AE4AD6C24}\.cr\setup.exe

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1028\mbapreq.wxl

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1029\mbapreq.wxl

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1030\mbapreq.wxl

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1031\mbapreq.wxl

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1032\mbapreq.wxl

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1035\mbapreq.wxl

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1036\mbapreq.wxl

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1038\mbapreq.wxl

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1040\mbapreq.wxl

C:\Windows\Temp\{49F306D2-4AB7-4258-BD15-FE2975581B5F}\.ba\1041\mbapreq.wxl

Windows Analysis Report
adguardInstaller.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre